SecurID® Discussions


RSA Auth Manager and Palo Alto MFA with AD

Hi all,

Firstly, I'm pretty new to RSA Secure / Auth Manager.

I've been tasked with setting up MFA RADIUS-based authentication from a Palo Alto firewall, with AD integration.

I'm unsure how this would hang together, in terms of the three entities involved. Does either the FW or RSA need to be joined to the AD domain?

Is it a case whereby RSA Auth Manager will receive the RADIUS / AD user request from the Palo FW, and proxy it into the AD environment?

I may have explained this badly, but hopefully I have conveyed a general idea of my objective.

RSA v8.1.


1 Reply

Hello Dave

The RADIUS server on the AM 8.1 server is not going to proxy the domain password to your Domain Controller. RADIUS is only used to transport the username and passcode to the AM server. You integrate the AM server with AD as an Identity Source only.

I am not a PA expert, so I am not sure if this functionality is available on a PA firewall. In the Cisco ASA you can set up AAA server groups for both AD and SecurID (either SDI or RADIUS). Then you can set a policy for a Primary and Secondary authentication using the two AAA server groups. The ASA sends the username and domain password to the DC and the username and passcode to the AM server.
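
The ASA arrangement described in the reply above, as an added configuration sketch that is not part of the original thread and not taken from either poster's environment. The group names, interface name, addresses (documentation range 192.0.2.0/24), DNs and secrets are all constructed placeholders, and it assumes the ASA reaches the DC over LDAP and the AM server over RADIUS on port 1812.

```cisco
! Added example: all names, addresses, DNs and secrets are placeholders.
!
! AAA server group 1: Active Directory, checks username + domain password.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <LDAP-BIND-PASSWORD>
!
! AAA server group 2: RSA Authentication Manager over RADIUS,
! checks username + SecurID passcode. The ASA must also be defined
! as a RADIUS client on the AM side with the same shared secret.
aaa-server RSA-AM protocol radius
aaa-server RSA-AM (inside) host 192.0.2.20
 authentication-port 1812
 key <RADIUS-SHARED-SECRET>
!
! Policy: primary authentication against AD, secondary against AM.
! use-primary-username sends the same username to both groups, so the
! user types one username, the domain password and the passcode.
tunnel-group VPN-USERS general-attributes
 authentication-server-group AD-LDAP
 secondary-authentication-server-group RSA-AM use-primary-username
```

Neither the ASA nor the AM server is joined to the domain in this layout: the ASA binds to the DC with a service account, and AM reads AD only as an Identity Source so that it can resolve the username it receives over RADIUS.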