Configure an IPv4/IPv6 Agent

Follow these steps to deploy and configure the IPv4/IPv6 agent in RSA Authentication Manager.

Before you begin

  • Determine whether the authentication agent is restricted or unrestricted:

    • Unrestricted agents. Unrestricted agents process all authentication requests from all users in the same deployment as the agent.

      However, to allow a user to authenticate with a logon alias, the user must belong to a user group that is associated with the logon alias and that is enabled on the unrestricted agent.

    • Restricted agents. Restricted agents process authentication requests only from users who are members of user groups that have been granted access to the agent.

      Users who are not members of a permitted user group cannot use the restricted agent to authenticate. Resources protected by restricted agents are considered to be more secure because they process requests only from a subset of users.

  • (Optional) Define IPv6 network settings on the primary and replica instances. IPv4/IPv6 authentication agents can use IPv4 or IPv6 addresses.

    If you are using IPv6 addresses, RSA strongly recommends configuring IPv6 network settings on more than one instance. Multiple instances provide deployment-level redundancy and failover authentication, if an instance becomes unresponsive. For instructions, see Create IPv6 Network Settings on a Primary or Replica Instance.

  • Generate the Authentication Manager Configuration File

  • Add an Authentication Agent


  1. In the Security Console, click Setup > System Settings.

  2. Under Authentication Settings, click Agents.

  3. On the Agents page, click the link to configure IPv6 agents.

    The IPv4/ IPv6 Agents page is displayed.

  4. In the Authentication Servers section, do the following:

    1. Select All Instances to allow the IPv4/IPv6 agent to communicate with any primary or replica instance in the current deployment. The agent can select any instance for authentication requests, and any NIC configured for the selected instance.

    2. Select Specified Server Names or Addresses to choose the fully qualified hostnames or IP addresses of specific instances, or a DNS name that resolves to a list of instances.

      In the Hostname or IP Addresses field, you can add or remove entries from the list of fully qualified hostnames and IP addresses. RSA strongly recommends entering more than one instance. Multiple instances provide redundancy and support failover authentication.

  5. In the Authentication Service Port field, enter a port number between 1025 and 49151. The default is 5500.

    Note: If you change the port number, the agent cannot retrieve configuration data, until after a new sdconf.rec configuration file is updated on the agent. Configure your routers and firewalls to pass TCP traffic on the port.

  6. In the Connection Timeout field, specify how long the agent waits while attempting to establish a connection to the server. The default is 60 seconds.

  7. In the Read Timeout field, specify how long the agent waits while attempting to retrieve data from a previously established connection. The default is 60 seconds.

  8. (Optional) In the Import Certificate of the New Primary Server field, click Browse to locate and import a new root certificate.

    Note: You must import a new root certificate if you are moving agents to a new deployment or authenticating to a new instance that you specified in step 4.

  9. Click Update.

After you finish

(Optional) IPv4/IPv6 authentication agents do not require a node secret, but instead, a dynamically negotiated key is used to encrypt the channel along with a strong encryption algorithm. If you choose to create a node secret, then you must load the node secret manually. For instructions, see Manage the Node Secret.