You must add a RADIUS client to the deployment for each RADIUS device that is configured to use RSA SecurID as its authentication method. The RADIUS client sends authentication requests to the RSA RADIUS server, which then forwards the request to RSA Authentication Manager.
If you want to use risk-based authentication (RBA), RBA must be enabled for the agent associated with the RADIUS client.
In the Security Console, click RADIUS > RADIUS Clients > Add New.
In the Client Name field, enter the name of the client, for example, VPN-London. If you are creating the <ANY> client in step 3, do not enter a name.
The name can contain letters, digits, hyphens (–), and underlines(_). Spaces, tabs, @ signs, most symbols, and non-printable characters are not allowed. This field is limited to 50 characters.
After you save the client, you cannot change its name. If you want to rename the client, you must delete it and then add a new client with the new name.
(Optional) Select the ANY Client checkbox if you do not want to track which RADIUS client sends authentication requests (for example, because you want to quickly add many RADIUS clients). Authentication requests using the shared secret specified for the <ANY> client are processed regardless of the originating client’s IP address.
You cannot enter an IP address if you select ANY Client because the IP address is not applicable. Go to step 5.
If you select this option, you also need to disable proxy authentication so that the RADIUS server does not authenticate on behalf of this RADIUS client. For more information, see RADIUS Clients.
In the IP Address Type field, select the RADIUS client IP address type that is required by your agents.
If this is an IPv4 RADIUS client, do the following:
In the IPv4 Address field, enter the IPv4 address of the RADIUS client, for example, 22.214.171.124.
If this is an IPv6 RADIUS client, do the following:
In the IPv6 Address field, enter the IPv6 address of the RADIUS client, for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7335.
In addition to the IPv6 address that you enter, Authentication Manager automatically creates an IPv4 address for the RADIUS client. This IPv4 address begins with the number “255,” and it is not used for communication with agents. Authentication Manager uses this number to identify the RADIUS client.
In the Make/Model drop-down list, select the type of RADIUS client. If you are unsure of the make and model of the RADIUS client, select Standard Radius.
The RADIUS server uses the make and model to determine which dictionary of RADIUS attributes to use when communicating with this client.
In the Shared Secret field, enter the authentication shared secret (case-sensitive password) that you specified during the RADIUS client installation and configuration.
The RADIUS client uses the same shared secret when communicating with the RADIUS primary server or RADIUS replica server.
If you want to use a different shared secret (other than the one specified in step 6) for accounting transactions between the RADIUS client and RADIUS server, select Accounting.
In the Accounting Shared Secret field, enter the accounting shared secret that you entered during the RADIUS client installation and configuration. The RADIUS client uses the same shared secret when communicating with the RADIUS primary server or RADIUS replica server.
Select Client Status to specify how many seconds the RADIUS server maintains the client connection without receiving a keepalive packet from the RADIUS client.
In the Inactivity Time field, enter the number of seconds. Enter a slightly higher value than the keepalive value specified in the RADIUS client configuration. If you choose a time frame that is too short, the server might close valid connections. For more information, see the RADIUS client documentation.
In the Notes field, enter any notes for this client, for example, “Located at London site.”
To save your changes, do one of the following:
Click Save and Create Associated RSA Agent. This choice allows Authentication Manager to determine which RADIUS agent is used for authentication and to log this information. This option is required if you want to use risk-based authentication (RBA).
Click Save only if you have disabled proxied authentication (by setting the securid.ini file parameter CheckUserAllowedByClient to 0). In this case, you cannot assign a profile to this client, and all authentications appear to Authentication Manager as though they are coming from the RADIUS server.
After you finish
If you created an associated RSA agent for this RADIUS client, you must configure the agent.