Radius agent uses old shared secret even after new shared secret is updated in Authentication Manager database

3 years ago

Article Number

000068178

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

After changing shared secret of radius agents, authentication requests would still succeed using old shared secret.

Explanation:

When changing radius shared secret, it will be updated in Authentication Manager database. To verify this point, access database following article https://community.rsa.com/t5/securid-knowledge-base/how-to-run-a-sql-query-for-authentication-manager-8-0-or-8-1-and/ta-p/8449
Then run command: < select client_name, ip_address, shared_secret from am_radius_clients; >

The old shared secret would still be used for an amount of time that can be configured using option “lifetime” in radius configuration file “dynamic-clients”.
This option is responsible on refreshing radius agents every certain time. (Default 600 seconds)

Resolution

Access Operation console > Deployment Configuration > Radius server > Manage server files > dynamic-clients.
Change “lifetime” to smaller value for IPv4. (This could be done for ipv6 if needed) > Save & Restart RADIUS Server.

For more information about “dynamic-clients” configuration file, please check the corresponding RSA Authentication Manager RADIUS Reference Guide.

Workaround:

Restarting radius service from CLI would refresh radius agent with new shared secret.
https://community.rsa.com/t5/securid-knowledge-base/how-to-stop-start-and-restart-rsa-authentication-manager-8-x/ta-p/5136

Don't see what you're looking for?

Related Articles

Trending Articles