This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
GlennGardner
Beginner
Beginner
‎2018-01-23 12:03 PM

AM 8.2.x Identity Sources (Active Directory)

Jump to solution

When RSA authenticates tokens via RADIUS, does it confirm with Identity Source (Active Directory) wether or not the user is in good standing in AD?

 

 

When the RADIUS server queries Identity Source (Active Directory), does it reuse existing connections? Or does it create a new connection for each query? If it uses existing connections, when are existing connections re-established?  

 

Does RSA RADIUS use connection pooling? If so, what is the default pool size and is it configurable?  

Labels (1)
Labels
0 Likes
Reply
1 Solution

Accepted Solutions
EdwardDavis
Employee
Employee
‎2018-01-23 12:16 PM

Jump to solution

RSA Radius in RSA Authentication Manager is a 'standard authentication agent', that lives on the server.

 

RSA Radius does zero with ldap connections by itself.

 

10,000 foot view:

It receives an incoming radius auth request, checks IP to see if it is a known RAS client, then sends the userid and password field to RSA server as a normal 'securid auth' (on loopback interface and udp/5500). Radius itself does no name lookups of any type. Then the RSA server sees that one of it's agents (it's own IP address) is doing a securid auth and it processes it the same as any other securid auth. At that stage, the RSA server looks up the username the same way it looks up any other ldap username from any other authentication request. If auth success, then RSA server sends the accept answer back to the agent (which is it's own radius on loopback interface) and then radius will attempt to apply any return radius attributes (if there is a radius profile involved) and then sends the outgoing access-accept or access-reject message to the end device.

 

 

So, radius or not radius, RSA Auth Manager and ldap lookups are handled by the same mechanism... which are ldap pools it maintains. These are not normally configurable or tunable. When someone is actually trying to log in, and we are doing a name lookup, this is called a 'runtime' lookup. The only thing we have which is tunable in this regard is, if you configure a global catalog connection for runtime lookups, and pair that with an administrative connection (for admin work, such as assigning tokens and this is the connection used when in Security Console when you list users from ldap). If you use GC's the runtime lookup can be faster as we do less work and less network traffic to do a simple name and account status lookup on a GC connection.

View solution in original post

Reply
4 Replies
EdwardDavis
Employee
Employee
‎2018-01-23 12:16 PM

Jump to solution

RSA Radius in RSA Authentication Manager is a 'standard authentication agent', that lives on the server.

 

RSA Radius does zero with ldap connections by itself.

 

10,000 foot view:

It receives an incoming radius auth request, checks IP to see if it is a known RAS client, then sends the userid and password field to RSA server as a normal 'securid auth' (on loopback interface and udp/5500). Radius itself does no name lookups of any type. Then the RSA server sees that one of it's agents (it's own IP address) is doing a securid auth and it processes it the same as any other securid auth. At that stage, the RSA server looks up the username the same way it looks up any other ldap username from any other authentication request. If auth success, then RSA server sends the accept answer back to the agent (which is it's own radius on loopback interface) and then radius will attempt to apply any return radius attributes (if there is a radius profile involved) and then sends the outgoing access-accept or access-reject message to the end device.

 

 

So, radius or not radius, RSA Auth Manager and ldap lookups are handled by the same mechanism... which are ldap pools it maintains. These are not normally configurable or tunable. When someone is actually trying to log in, and we are doing a name lookup, this is called a 'runtime' lookup. The only thing we have which is tunable in this regard is, if you configure a global catalog connection for runtime lookups, and pair that with an administrative connection (for admin work, such as assigning tokens and this is the connection used when in Security Console when you list users from ldap). If you use GC's the runtime lookup can be faster as we do less work and less network traffic to do a simple name and account status lookup on a GC connection.

Reply
_EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
In response to EdwardDavis
‎2018-01-23 12:55 PM

Jump to solution

Great explanation, pFAX8dqXawUTDxZ4I3nhT1XEt83rjtLgTslU9FLYwZU=‌.  Thanks for your input.

 

Regards,

Erica

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2018-01-23 02:26 PM

Jump to solution

I would only add to Ed's great explanation, that in his words the operative term in "If you use GC's the runtime lookup can be faster..." is "can"   Unless you have thousands of AD users, you probably will not notice a difference in Authentication time between a GC lookup or straight to your Administrative AD connection with no GC.

Reply
_EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
In response to JayGuillette
‎2018-01-24 08:47 AM

Jump to solution

Also a great point, Jay Guillette, and something for Authentication Manager admins to consider when creating their external identity sources.

 

Regards,

Erica

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.