Radius agent uses old shared secret even after new shared secret is updated in Authentication Manager database
3 years ago
Article Number
000068178
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition:  8.x
Issue
After changing shared secret of radius agents, authentication requests would still succeed using old shared secret.


Explanation:

When changing radius shared secret, it will be updated in Authentication Manager database. To verify this point, access database following article https://community.rsa.com/t5/securid-knowledge-base/how-to-run-a-sql-query-for-authentication-manager-8-0-or-8-1-and/ta-p/8449
Then run command: < select client_name, ip_address, shared_secret from am_radius_clients; >

The old shared secret would still be used for an amount of time that can be configured using option “lifetime” in radius configuration file “dynamic-clients”.
This option is responsible on refreshing radius agents every certain time. (Default 600 seconds)
Resolution
Access Operation console > Deployment Configuration > Radius server > Manage server files > dynamic-clients.
Change “lifetime” to smaller value for IPv4. (This could be done for ipv6 if needed) > Save & Restart RADIUS Server.

For more information about “dynamic-clients” configuration file, please check the corresponding RSA Authentication Manager RADIUS Reference Guide. 

Workaround:

Restarting radius service from CLI would refresh radius agent with new shared secret.
https://community.rsa.com/t5/securid-knowledge-base/how-to-stop-start-and-restart-rsa-authentication-manager-8-x/ta-p/5136

Related Articles

Trending Articles

Don't see what you're looking for?