SecurID® Discussions

FSP_ICT-IPT

Any way to automatically register a RHEL PAMAgent?

OS: RHEL 7.5

PAM Agent: 8.5.0

Authentication Protocol: UDP

Is there any way to have Red Hat Linux VDI Clones self register via the PAM Agent automatically as Windows Agents can in RSA Security Console; as per https://community.rsa.com/docs/DOC-77203 

Regards

Garry

Accepted Solutions
SrirangaPrasan1

This is, as of now, a product limitation for PAM agents. The agent auto-registration feature is only for Windows agents for now.

JayGuillette

There is a request for this feature submitted on the Ideas page, which you could vote on:

https://community.rsa.com/ideas/1400?commentID=36081#comment-36081

Another approach would be configuring your PAM agent to authenticate with ReST instead of UDP.  The ReST agents can be logical, in other words you create one entry in the Security Console with a name but no IP address, and you configure your PAM agents to use that same logical name in their ReST configuration file.

RandyBelbin

We strongly recommend moving to the REST protocol which would eliminate the need for registration of any kind. The end result is the same but without all of the overhead of the auto-registration process.

Now that we are moving all of our agents to the REST protocol, it's unlikely that we would invest in the auto-registration feature for the Linux agent. Rather, we would encourage our customers to take advantage of the new functionality in the REST agent.

Can I use the REST protocol to auto-register Linux clients, like an EMR or Hadoop node?

Auto-Registration began as a Windows UDP agent concept so that you would not need to manually enter, and then change, the possibly changing DHCP address of the agent. You have some options to kind of go around the fact that there is no auto-registration for PAM agents, but the only direct answer is that there is currently no auto-registration for PAM agents.

1. There is an RFE (Request for Enhancement) for this, "RSA Authentication Agent for PAM support for AutoRegistration", which you can vote on.

2. If the Linux servers or workstations have fixed IP addresses, you could bulk create them through AMBA with the AAH command.

3. PAM 8.x agents can be configured in more than one way, so instead of using the legacy UDP protocol for Authentication, you could configure the PAM agent to use the ReST TCP-based protocol for Authentication, and you can configure a Logical agent name instead of using the PAM agent's hostname, DNS short name or FQDN. You could do this on 100s or 1000s of PAM agents, all of which could use the same Logical Agent Name, which uses a single Agent host entry on the AM Security Console, so you avoid the need for auto-registration.

Jay,

Can you please elaborate on the item below?

PAM 8.x agents can be configured in more than one way, so instead of using the legacy UDP protocol for Authentication, you could configure the PAM agent to use the ReST TCP-based protocol for Authentication, and you can configure a Logical agent name instead of using the PAM agent's hostname, DNS short name or FQDN. You could do this on 100s or 1000s of PAM agents, all of which could use the same Logical Agent Name, which uses a single Agent host entry on the AM Security Console, so you avoid the need for auto-registration.

With this solution am I going to have to convert my current UDP authentication environment to REST authentication or can I run both in parallel?

David.

ReST agents are newer, you need to enable ReST on the Primary and on the Replicas, but the Primary and Replicas can support both UDP legacy agents and the newer ReST API agents.

SeanDoyle

You don't need it. Use the REST mode of the modern agents and use a single agent instance in the configuration, and you can deploy without registering client IPs.
In regards to the below:

PAM 8.x agents can be configured in more than one way, so instead of using the legacy UDP protocol for Authentication, you could configure the PAM agent to use the ReST TCP-based protocol for Authentication, and you can configure a Logical agent name instead of using the PAM agent's hostname, DNS short name or FQDN. You could do this on 100s or 1000s of PAM agents, all of which could use the same Logical Agent Name, which uses a single Agent host entry on the AM Security Console, so you avoid the need for auto-registration.

When you mention:

"same Logical Agent Name, which uses a single Agent host entry on the AM Security Console"

Does that mean that in the AM Security Console you create a new entry with the logical name as the hostname and leave the rest blank?
Is there anything else required after you create the host in the AM Security Console and turn on the Authentication API?