RADIUS Clients

A RADIUS client is a RADIUS-enabled device at the network perimeter that enforces access control for users attempting to access network resources.

A RADIUS client can be one of the following:

  • VPN server

  • Wireless access point

  • Network access server supporting dial-in modems

  • Dial-in modem

A RADIUS client sends a user’s access request to the RADIUS server. The RADIUS server forwards the request to RSA Authentication Manager for validation. If Authentication Manager validates the access request, the RADIUS client accepts the user’s request for network access. Otherwise, the RADIUS client rejects the user’s request for network access.

You can configure RADIUS clients with or without an assigned authentication agent. The difference between the two methods is in the level of access control and logging you want to have.

  • RADIUS client with an agent. Adding an agent to a RADIUS client allows Authentication Manager to determine which RADIUS client is used for authentication and to save this information in log files.

    When you add a RADIUS client, you have the option to create an associated agent. If you manually configure an agent with the same hostname and IP address as the RADIUS client, the agent is automatically recognized as a RADIUS client agent.

  • RADIUS client without an agent. Without an assigned RADIUS client agent, Authentication Manager cannot track which RADIUS client sends authentication requests and you cannot assign a profile to the client. The RADIUS server simply confirms that the shared secret from the RADIUS client matches the shared secret stored in RSA RADIUS, and then forwards the request without any client information to Authentication Manager.

    All authentication requests appear to be coming from the RADIUS server through its assigned authentication agent. While using this method, if you add an agent to a RADIUS client in the Security Console, Authentication Manager does not associate the agent with the client, so it does not apply any of the agent properties that you specify to the client.

To allow the system to authenticate users from clients with no assigned agent, you must set the SecurID.ini file parameter CheckUserAllowedByClient to 0. By default, this parameter is set to 1, which allows the system to authenticate users from clients with an assigned agent. For more information, see the RSA Authentication Manager RADIUS Reference Guide.

If you need to add a large number of RADIUS clients to Authentication Manager, you might not want to assign agents to RADIUS clients. For example, suppose you are an ISP administrator and need to add and configure one thousand network access servers with the RSA RADIUS server. Instead of adding an agent to each RADIUS client, you select ANY RADIUS client and enter the same shared secret for each RADIUS client. When an ANY client sends a network request to its associated RADIUS server, the RADIUS server confirms the shared secret and forwards the request without any client information to Authentication Manager.
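The shared-secret check and the ANY client fallback described above, sketched as an added example (not RSA's code and not part of the original documentation). It assumes the request carries a Message-Authenticator attribute (RFC 3579), the standard way a RADIUS packet proves knowledge of the shared secret; the client table, entry names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 3579

# Constructed client table: source IP -> (entry name, shared secret).
CLIENTS = {"192.0.2.10": ("vpn-gw-1", b"per-client-secret")}
ANY_CLIENT = ("ANY", b"shared-by-all-nas")  # fallback entry, as in the ISP case


def build_request(secret: bytes, username: bytes, ident: int = 1) -> bytes:
    """Build an Access-Request carrying User-Name and Message-Authenticator."""
    attrs = bytes([1, 2 + len(username)]) + username
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute here


def secret_matches(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 with the MAC field zeroed and compare."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator: nothing proves the secret


def identify_client(src_ip: str, packet: bytes):
    """Return the matching client entry name, or None to drop the packet."""
    name, secret = CLIENTS.get(src_ip, ANY_CLIENT)
    return name if secret_matches(packet, secret) else None
```

Requests from two different network access servers that fall through to the ANY entry both come back as `ANY`, which is the loss of per-client attribution the text describes.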