Deploying RADIUS for the Cloud Authentication Service
Complete these high-level steps to deploy Integrated Windows Authentication (IWA) in your RSA SecurID Access deployment.
Complete these high-level steps to deploy RADIUS for the Cloud Authentication Service and enable SecurID Access authentication for users attempting to access protected networks through RADIUS-capable devices.
Note:This topic does not apply to deployments that use the embedded identity router in RSA Authentication Manager.
Before you begin
You must be a Super Admin in the Cloud Administration Console.
At least one cluster must be configured.
Users must access the protected network through RADIUS-capable network devices.
Note:For RADIUS and relying party deployments, only two identity source attributes are supported as username credentials when prompting users for primary authentication. Active Directory supports sAMAccountName or mail. LDAP supports uid or mail. These attributes are not configurable.
Configure your RADIUS client devices to direct authentication requests to the identity routers in your deployment on port 1812. For identity routers in the Amazon cloud, direct requests to the private IP address. For on-premises identity routers, use the management interface IP address. Some client devices can connect to multiple identity routers in the same cluster to provide load balancing or failover functionality. For configuration instructions, refer to the documentation provided by the device manufacturer. RSA provides configuration guides for some client devices on RSA Link.
Note:Do not configure clients to send authorization requests to the identity router.
RADIUS for the Cloud Authentication Service supports only Password Authentication Protocol (PAP).
Note: The connection timeout value configured in your RADIUS client software balances the amount of time users have to respond to push methods against failover performance. The recommended starting value is 45 seconds. Increase the value to give users more time to authenticate or decrease the value to improve failover. Failover occurs when the client determines the server is down and sends a request to another server. Also consider if retries are configured for the RADIUS clients. For example, if the client allows three retries, the effective timeout is really 2 minutes and 15 seconds. In the RADIUS client settings configured in the Cloud Administration Console (Authentication Clients > RADIUS), if Automatically prompt for push notification methods is enabled, make sure the server timeout (Allow users to select authentication method after timeout) does not exceed the client’s connection timeout. See Add a RADIUS Client for the Cloud Authentication Service for more information.
Test the RADIUS configuration by attempting to authenticate using a RADIUS client. If unsuccessful, confirm that the RADIUS client and profile settings are correct.
After you finish
If you have not done so already, roll out the RSA SecurID Authenticate mobile app to your users. RSA SecurID Authenticate is required to use the Approve and Authenticate Tokencode methods for RADIUS authentication. For more information, see Cloud Authentication Service Rollout to Users.