Configure Agent Settings

Authentication agents can automatically add an agent record to the Authentication Manager internal database. The process of adding an agent record is called registering the agent. This process benefits networks using Dynamic Host Configuration Protocol (DHCP) to assign IPv4 addresses by eliminating the need for the administrator to add agents and maintain IPv4 addresses manually.

You can also define the port number for the agent to communicate with the Authentication Service, and configure mappings between NT LAN Manager (NTLM) names and User Principal Names (UPN). Port number changes prevent an agent from authenticating until a new sdconf.rec file has been generated and copied to the agent host.

Procedure

  1. In the Security Console, click Setup > System Settings.

  2. Under Authentication Settings, click Agents.

  3. Under Agent Auto-Registration, do the following:

    1. Select Allow authentication agent auto-registration to automatically register with the authentication server.

    2. Select Agent IP Update to automatically update the IP addresses of authentication agents.

  4. Under Communication Ports, do the following:

    1. In the Port field for the Authentication Service, enter the port number the agent will use to communicate with the Authentication Service. The default is 5500.

    2. In the Port field for the Agent Auto-Registration Service, enter the port number the agent will use to communicate with the Agent Auto-Registration Service. The default is 5550.

    3. In the Port field for the Offline Authentication Download Service, enter the port number to use for requesting and receiving offline authentication data, which allows users to authenticate when they are not connected to the network. The default is 5580.

    4. If your RSA Authentication Manager deployment does not use offline authentication, you might want to prevent security scans from finding that the default offline authentication port 5580/TCP is enabled and listening. Select the Disable Offline Authentication Port checkbox to disable this port.

      Authentication Manager does not allow you to disable this port if offline authentication is enabled for any security domains in your deployment.

    5. From the Client Response Delay drop-down menu, select the amount of time you want Authentication Manager to delay the response to the agent. The time delay allows the Authentication Manager to detect simultaneous authentication attempts with the same User ID and passcode.

      Note: Increasing the response delay may cause other applications that depend on the authentication timing to fail. Decreasing or eliminating the response delay may affect the server’s ability to detect attempts to re-use passcodes.

  5. (Optional) In the Domain Name Mapping section, enter mappings between NT LAN Manager (NTLM) names and Windows User Principal Names (UPN). Authentication Manager does not support the NTLM name format (Domain\userid) that it receives from Windows agents, so it converts the NTLM name to a UPN name for authentication. For example, if a Windows agent sends NTLMDOMAIN\asmith, where NTLMDOMAIN is the NTLM name mapped to the UPN name UPNDOMAIN, the NTLM userid is converted to asmith@UPNDOMAIN.

  6. Click Save.

  7. Restart Authentication Manager. For instructions, see the RSA Authentication Manager Administrator's Guide.

  8. To generate the sdconf.rec file, see Generate the Authentication Manager Configuration File.

  9. Copy the sdconf.rec to the agent host. See your agent documentation for instructions.
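The following worked example is added here to illustrate two points from the procedure above; it is not RSA's code and does not reproduce how Authentication Manager implements either feature. The first function applies a Domain Name Mapping table to an NTLM-format name (step 5) and produces the UPN that the example in that step describes. The second parses the output of the Linux `ss -ltn` command (a real command; the sample output below is constructed) so an administrator can confirm, after disabling the offline authentication port (step 4.4) and restarting, that 5580/TCP is no longer listening. Case-insensitive domain matching, pass-through of names already in UPN form, and returning None for an unmapped domain are assumptions made for this example, not behaviour stated on the page.

```python
"""Added example: NTLM-to-UPN domain mapping and a listening-port check.

Not part of the RSA Authentication Manager documentation or product code.
"""
from typing import Dict, Optional, Set

# Constructed sample of what an administrator might enter in the
# Domain Name Mapping section: NTLM domain name -> UPN domain name.
DOMAIN_NAME_MAPPING: Dict[str, str] = {
    "NTLMDOMAIN": "UPNDOMAIN",
    "CORP": "corp.example.com",
}


def ntlm_to_upn(name: str, mapping: Dict[str, str]) -> Optional[str]:
    """Convert 'NTLMDOMAIN\\userid' to 'userid@UPNDOMAIN' via the mapping.

    Assumptions (this example's, not the page's): domain names are matched
    case-insensitively, a name already in UPN form is returned unchanged,
    and an NTLM name whose domain has no mapping yields None so that the
    caller can reject it rather than guess a UPN domain.
    """
    if "\\" not in name:
        # Already 'userid@domain', or not an NTLM name at all.
        return name if "@" in name else None
    domain, _, userid = name.partition("\\")
    if not domain or not userid:
        return None
    lookup = {k.upper(): v for k, v in mapping.items()}
    upn_domain = lookup.get(domain.upper())
    if upn_domain is None:
        return None
    return f"{userid}@{upn_domain}"


# Constructed sample output of `ss -ltn` on an Authentication Manager host
# after the offline authentication port has been disabled: 5500 and 5550
# are listening, 5580 is not.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:5500         0.0.0.0:*
LISTEN  0       128     0.0.0.0:5550         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""


def listening_tcp_ports(ss_output: str) -> Set[int]:
    """Return the set of local TCP ports in LISTEN state from `ss -ltn` text."""
    ports: Set[int] = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local Address:Port may be '0.0.0.0:5500', '[::]:22' or '*:5580';
        # rpartition on ':' isolates the port in every case.
        _, _, port = fields[3].rpartition(":")
        if port.isdigit():
            ports.add(int(port))
    return ports


def offline_port_disabled(ss_output: str, port: int = 5580) -> bool:
    """True when the offline authentication port is not listening."""
    return port not in listening_tcp_ports(ss_output)


if __name__ == "__main__":
    print(ntlm_to_upn("NTLMDOMAIN\\asmith", DOMAIN_NAME_MAPPING))
    print(sorted(listening_tcp_ports(SAMPLE_SS_OUTPUT)))
    print("5580 disabled:", offline_port_disabled(SAMPLE_SS_OUTPUT))
```

On a live host, replace SAMPLE_SS_OUTPUT with the captured output of `ss -ltn` (for example via subprocess) after the restart in step 7; an unexpected 5580 in the result means offline authentication is still enabled for some security domain, which is exactly the condition under which the console refuses to disable the port.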

Related Concepts

RSA Authentication Agents