Add a RADIUS Client for the Cloud Authentication Service
As part of the process to enable step-up authentication for users who access protected resources through RADIUS-capable devices, you must add one or more RADIUS clients, such as VPN servers or wireless access points.
As part of the RADIUS setup process, you must add one or more RADIUS clients, such as VPN servers or firewalls.
Before you begin
You must be a Super Admin in the Cloud Administration Console.
Determine whether the RADIUS client will use the default user authentication interface provided by the manufacturer, or the customized, streamlined web client interface that RSA provides for certain RADIUS client devices. To use the custom interface, you must install the RSA web client kit for your RADIUS client device. For instructions, see Customize the RSA SecurID Access Web Interface for a Cisco Adaptive Security Appliance.
Sign into the Cloud Administration Console.
Click Authentication Clients > RADIUS.
Click Add RADIUS Client and Profiles.
In the Name field, enter a name for the RADIUS client, such as Cisco, or Citrix.
(Optional) In the Description field, enter a unique description to help distinguish this RADIUS client from others in your deployment.
In the IP Address field, enter the IP address of the network device you want to add as RADIUS client.
In the Shared Secret field, enter the shared secret that acts as a password between this client and the RADIUS server.
(Optional). In the Authentication Details section, select how validation will be performed for user requests to this RADIUS client. By default, the Cloud Authentication Service validates the user's directory server password and applies the access policy that is configured for the RADIUS client for additional authentication. You can configure the client to require the Cloud Authentication Service to only apply the configured access policy for additional authentication. In this case, make sure the RADIUS client requires password authentication, or that the access policy requires all users to perform additional authentication.
(Optional). Enable the Automatically prompt for push notification methods field to enable the RADIUS client to send push notifications for Approve and Device Biometrics without forcing users to select a method, when Approve or Device Biometrics is the user's default method. Users who do not respond to the push notification within 40 seconds are prompted to select another method provided from the assurance level in the access policy. Enabling this field does not affect the RADIUS user experience for other authentication methods.
If you enabled Automatically prompt for push notification methods, you can optionally configure the following fields.
Always send push notifications
When selected, the user must authenticate with Approve or Device Biometrics, based on the assurance level in the access policy for the RADIUS client.
Allow users to select authentication method after timeout (seconds)
This is the server timeout. You can increase or decrease the 40 second default. If the assurance level provides an alternate method, RSA recommends that you allow users 10-40 seconds to complete the alternate method. Do not exceed the client’s connection timeout.
If the user taps the device notification or opens the Authenticate app, the app resets the timeout to 60 seconds, regardless of the value set for this field. If the device does not receive the notification, or the user does not tap the notification or open the app, mobile authentication times out on the RADIUS client after 90 seconds and authentication fails.
You cannot configure a timeout if Cloud Authentication Service only applies access policy for additional authentication is selected and Automatically prompt for push notification methods is enabled. The default 90 seconds is used in this case.
In the Access Policy field, select a policy to apply to users who authenticate through this RADIUS client. Any RADIUS profile that you associate with this client must specify a rule set from the access policy you select.
Note:If the policy requires additional authentication, it must specify at least one of these methods: Approve, SecurID Token, Authenticate Tokencode, Device Biometrics, SMS Tokencode, or Voice Tokencode. RADIUS does not support other methods. Also, RADIUS does not support authentication conditions in access policies. Policies with conditions do not appear in the drop-down list.
(Optional) To define checklist attributes that the client sends to the RADIUS server during authentication requests, do the following:
Click ADD in the Checklist Attributes table under Advanced Configuration.
In the Attribute Name field, begin typing the attribute name to see valid attributes from the RADIUS dictionary file and select one from the drop-down list.
Select the Optional for user request processing checkbox if you want the RADIUS server to processes authentication requests that do not contain this attribute. When unselected, the RADIUS server rejects requests that do not contain this attribute.
In the Value field, specify the attribute value required in the user’s authentication request. Click ADD if you need to specify additional values. The order of specified values is important for certain attributes.
Note:You must enter the value using the correct data type. The field hint indicates the data type.
Repeat steps a to e for each checklist attribute you want to add.
In the Web Client Interface field, leave Standard selected if this RADIUS client will use the default user authentication interface provided by the device manufacturer, or select Custom if you plan to use the customized, streamlined web client interface that RSA provides for some specific RADIUS client devices.
If you plan to use the custom web client interface:
Select your RADIUS device from the RADIUS Device Type drop-down menu.
Click Download Custom Web Client Kit, and save the zip package to a location on your local drive. The web client kit contains files that you must install on your RADIUS device to enable the custom web client interface.
Click Save and Next Step.
(Optional) To associate a RADIUS profile with this RADIUS client, select the profile name from the Use an existing profile drop-down menu and click Associate. Repeat this step for each profile you want to associate. Associating applies the profile's rule set and return list attributes to the client. The default profile is automatically associated with all RADIUS clients. To add a new profile, see Configure a RADIUS Profile for the Cloud Authentication Service
Click Publish Changes to apply the configured settings.