RSA AM f5. Create VIP for AM

I have a project to be submitted.


Here's the scenario.

I have 2 RSA Authentication Managers in Prod. Right now, our privilege access management is pointing to the primary RSA AM, and when I am doing maintenance I have to manually switch RADIUS authentication to the secondary. To overcome this problem I am looking to create an F5 VIP which will then point to both primary & secondary AM as failover.


I am a little confused by a few questions and not sure about the answers.


Virtual Server FQDN:

Virtual IP Address:

Protocol: ? ------------------------

Service Port 1812 TCP.

Persistence (default & Fallback): ? ------------- Source_addr or Universal Persistence?

Monitor Type: ? ---------------------

Send String: -------------------------

Receive String: UP

Member server hostname: &

Member IP: &

Service Port: 1812

Priority Group: Disabled

Load Balancing Method: Round Robin


If this has been accomplished in your environment would you help me fill the blanks please.

Jai Pagare,

Great question!  OK, RSA SecurID Access community, can anyone help Jai out?




Doesn't your privilege access management system's RADIUS configuration have a place for a failover RADIUS server?  Typically you put the primary in the main URL and the replica in Failover.  RADIUS does not have a load balance capability itself, but many vendors, e.g. Citrix, allow you to configure load balancing.  But basic RADIUS should allow a failover configuration entry.

Unfortunately, our Beyond Trust Privilege access management doesn't have an option for a failover RADIUS server.


Jay, so what you mean to say is: I will be able to create an F5 VIP, but it won't work, because RADIUS doesn't have a load balance capability?

Cisco ASA has you create a server group for RADIUS and add RADIUS servers to it, while the Cisco ACS allows you to configure a primary and secondary or failover RADIUS server.


The F5 should work, you could configure it as either load balance or failover.  

F5 LTM supports using it as a RADIUS load balancer.. 

LTM 12 Radius load balancing datagram lb 


There are some tricks to it so consult the docs.. I'm not an expert.. I just know people have done it.



Were you able to configure this?  I'm curious as I have the exact issue.  Please advise.

Hi Jai pagare,


If I am not wrong, BT released a new patch that will allow you to configure a secondary RADIUS. Check with your BT vendor; I had one project implemented the same as your environment.

Hi Jai,


You'll want to use an iApp template from F5. F5 provides a pre-configured RADIUS iApp template. 


To get true monitoring, you'll need to provide an account that can perform an authentication against the RADIUS server (Authentication Manager) as a simple ping test may result in the F5 marking the server as active before all services have started. To set up a monitoring account, you'll need to configure an account in Authentication Manager with a "fixed passcode." Please be aware that a fixed passcode is a static secret with none of the benefits of 2FA. The normal service account management best practices should be applied. For example, rotating the fixed passcode, storing the fixed passcode securely, and restricting access that this service account has.
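
The authentication-based health check described in the last reply, sketched as an added example (not code from F5, RSA, or any poster in this thread): it sends one RADIUS Access-Request over UDP 1812 for the monitoring account and reports the member as up only when an Access-Accept with a valid Response Authenticator comes back. The user name, fixed passcode and shared secret are supplied by the caller and are assumptions, as is the probing host being registered as a RADIUS client in Authentication Manager.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (RFC 2865)

def encode_password(passcode: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as in RFC 2865 section 5.2 (chained MD5 keystream XOR)."""
    size = max(16, -(-len(passcode) // 16) * 16)   # pad up to a multiple of 16
    padded = passcode.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, passcode, secret, ident, authenticator) -> bytes:
    """Access-Request carrying User-Name (type 1) and User-Password (type 2)."""
    attrs = b""
    for attr_type, value in ((1, user), (2, encode_password(passcode, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def reply_is_valid_accept(reply, request_auth, ident, secret) -> bool:
    """True only for an Access-Accept whose Response Authenticator verifies."""
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return code == ACCESS_ACCEPT and hmac.compare_digest(expected, reply[4:20])

def probe(host, user, passcode, secret, port=1812, timeout=3.0) -> bool:
    """One authentication round trip; False on timeout, reject or forged reply."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(user, passcode, secret, ident, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (host, port))
            reply, _ = s.recvfrom(4096)
        except OSError:   # timeout or ICMP port unreachable
            return False
    return reply_is_valid_accept(reply, auth, ident, secret)
```

All arguments except `host`, `port` and `timeout` are `bytes`. The request carries no Message-Authenticator attribute, so a server configured to require one would need that added.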