Add a RADIUS Client

You must add a RADIUS client to the deployment for each RADIUS device that is configured to use RSA SecurID as its authentication method. The RADIUS client sends authentication requests to the RSA RADIUS server, which then forwards the request to RSA Authentication Manager.

If you want to use risk-based authentication (RBA), RBA must be enabled for the agent associated with the RADIUS client.

Before you begin

(Optional) Before you can add a RADIUS client with an IPv6 address, you must create IPv6 network settings on each primary and replica instance in your deployment. For instructions, see Create IPv6 Network Settings on a Primary or Replica Instance.

Procedure

  1. In the Security Console, click RADIUS > RADIUS Clients > Add New.

  2. In the Client Name field, enter the name of the client, for example, VPN-London. If you are creating the <ANY> client in step 3, do not enter a name.

    The name can contain letters, digits, hyphens (–), underlines(_), and spaces. Tabs, @ signs, most symbols, and non-printable characters are not allowed. This field is limited to 50 characters.

    After you save the client, you cannot change its name. If you want to rename the client, you must delete it and then add a new client with the new name.

  3. (Optional) Select the ANY Client checkbox if you do not want to track which RADIUS client sends authentication requests (for example, because you want to quickly add many RADIUS clients). Client authentication statistics are not supported for the <ANY> client.

    Authentication requests using the shared secret specified for the <ANY> client are processed regardless of the originating client’s IP address.

    You cannot enter an IP address if you select ANY Client because the IP address is not applicable. Go to step 5.

    If you select this option, you also need to disable proxy authentication so that the RADIUS server does not authenticate on behalf of this RADIUS client.

  4. In the IP Address Type field, select the RADIUS client IP address type that is required by your agents.

    • If this is an IPv4 RADIUS client, do the following:

      1. Select IPv4.

      2. In the IPv4 Address field, enter the IPv4 address of the RADIUS client, for example, 111.222.33.44.

    • If this is an IPv6 RADIUS client, do the following:

      1. Select IPv6.

      2. In the IPv6 Address field, enter the IPv6 address of the RADIUS client, for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7335.

      In addition to the IPv6 address that you enter, Authentication Manager automatically creates an IPv4 address for the RADIUS client. This IPv4 address begins with the number “255,” and it is not used for communication with agents. Authentication Manager uses this number to identify the RADIUS client.

  5. In the Make/Model drop-down list, select the type of RADIUS client. If you are unsure of the make and model of the RADIUS client, select Standard Radius.

    The RADIUS server uses the make and model to determine which dictionary of RADIUS attributes to use when communicating with this client.

  6. In the Shared Secret field, enter the authentication shared secret (case-sensitive password) that you specified during the RADIUS client installation and configuration.

    The RADIUS client uses the same shared secret when communicating with the RADIUS primary server or RADIUS replica server.

  7. In the Notes field, enter any notes for this client, for example, “Located at London site.”

  8. To save your changes, do one of the following:

    • Click Save and Create Associated RSA Agent. This choice allows Authentication Manager to determine which RADIUS agent is used for authentication and to log this information. This option is required if you want to use risk-based authentication (RBA).

    • Click Save only if you have disabled proxied authentication (by setting the securid.ini file parameter CheckUserAllowedByClient to 0). In this case, you cannot assign a profile to this client, and all authentications appear to Authentication Manager as though they are coming from the RADIUS server.

After you finish

If you created an associated RSA agent for this RADIUS client, you must configure the agent.