Questions regarding the RADIUS pre-migration to Authentication Manager v. 8.6 script
Three weeks ago the RSA Advisory recommending that customers wait before updating Authentication Manager to ver. 8.6 until a new RADIUS pre-migration script is available.
This situation arises because the SBR RADIUS used in AM 8.5 and earlier is being replaced with FreeRADIUS (Free RADIUS) in AM 8.6. This situation therefore raises several questions:
1. Is there any ETA for this script?
2. Does the script only identify potential RADIUS configuration issues for remediation or will the script perform any modifications to RADIUS data on the AM 8.5 Server?
3. If the script modifies RADIUS data, any assessment of any risk involved in doing these modifications?
4. Does RSA have any recommendations as to when this script should be run, and if it should be run multiple times, e.g. run it once immediately before updating to 8.6 versus running it multiple times because the script identifies RADIUS configuration issues, that could be changed necessitating running the script again?
Authentication Manager ver. 8.6 uses a new version of RADIUS, Free RADIUS, so the SBR Pulse version of RADIUS used in AM 8.5 must be migrated into Free RADIUS. A RADIUS pre-migration script was developed by RSA Engineering to identify potential problems that could make this RADIUS migration fail.
The RADIUS Pre-Migration Script released February 18, 2022 reports finding a FAILURE that there was an Error while exporting the trusted root certificate.
There are two causes for this finding, which is a false flag finding
1. The AM 8.5 appliance that this script was run against has restored a backup from a different AM 8.5 appliance
2. The RADIUS Pre-Migration Script released February 18, 2022 was used
The RADIUS Pre-Migration Script released February 18, 2022 is only 7KB while the March 3rd script is 9Kb. Both were named rsa-am-pre-upgrade-check-1.0.zip
This FAILURE is a script failure, not a potential migration error. The RADIUS Pre-Migration Script released March 3rd, 2022 does not find this FAILURE, because this version of the script changes file permissions on the trusted root certificate file so that it can read this Certificate and decrypt the RADIUS database.