Adding an agent to a RADIUS client allows you to control who authenticates through the client by enabling Authentication Manager to associate authentication requests with the specific client used. By default, Authentication Manager cannot authenticate requests from a RADIUS client without an agent.
If you want to authenticate requests from RADIUS clients with no assigned agent, see RADIUS Clients.
Before you begin
Confirm that proxied authentication is enabled by verifying that the securid.ini file parameter CheckUserAllowed ByClient is set to 1. For instructions, see Edit RADIUS Server Files.
In the Security Console, click RADIUS > RADIUS Clients > Manage Existing.
Click the client to which you want to add an agent.
From the context menu, click RSA Agent.
From the RSA Agent tab, click Create Associated Agent.
From the Security Domain drop-down menu, select the security domain to which you want to add the new agent.
If your network uses Dynamic Host Configuration Protocol (DHCP) to assign IP addresses and you have enabled auto-registration, select Protect IP address to prevent auto-registration from unassigning this agent's IP address.
You might select this option to always ensure that the agent is successfully registered with Authentication Manager.
In the Notes field, enter any notes for this agent, for example, For wireless network device at San Jose site.
(Optional) From the RADIUS Profile drop-down menu, select a RADIUS profile to assign to this agent.
Select whether to disable the agent. Do one of the following:
If you want the server to process RADIUS client authentication requests, make sure that Agent is disabled is cleared.
If you want to temporarily remove the server from RSA RADIUS, select Agent is disabled.
Determine who can use the agent for authentication. Do one of the following:
If you do not want to limit who can request access from the client, clear Allow access only to members of user groups who are granted access to this agent.
If you want to limit who can request access from the client, select Allow access only to members of user groups who are granted access to this agent.
Configure the Authentication Manager contact list:
If you want the agent to send authentication requests to the Authentication Manager instance that responds the quickest, select Automatically assign automatic contact list from instance that responds first.
If your organization has specific requirements for directing the agent's authentication requests to particular Authentication Manager instances, select Manually assign contact list, and select the contact list from the drop-down list. For more information, see Contact Lists for Authentication Requests.
If your organization uses trusted realms and you want trusted users to authenticate through this agent, select Enable Trusted Realm Authentication, and determine which trusted users can access the authentication agent. Do one of the following:
If you do not want to limit which trusted users can access this agent, select Open to all Trusted Users. After trusted users authenticate to Authentication Manager, Authentication Manager automatically creates them in the security domain for the trusted realm.
If you want to limit which trusted users can access this agent, select Only Trusted Users in Trusted User Groups with access to the agent can authenticate.
(Optional) If you want to use risk-based authentication (RBA) from the agent associated with this RADIUS client, do the following:
Select Enable this agent for risk-based authentication.
If you want to restrict RBA access on this RADIUS client, select Allow access only to users who are enabled for risk-based authentication.
Select an authentication method for RBA users.
Choose one of the following options to save the settings for this agent.
If you enabled this agent for RBA, click Save Agent and Go to Download Page.
The system saves the settings and displays the Integration Script page, where you select and download the integration script for this RADIUS client agent.
If you did not enable this agent for RBA, click Save.