Configure McAfee Enterprise Security Manager 5.3 as RADIUS client to authenticate to RSA Authentication Manager 8.x
RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.1 and later
This article explains how to protect the McAfee management interface with RSA SecurID two-factor authentication.
McAfee Enterprise Security Manager (ESM) can send RADIUS authentication,s but cannot handle the RADIUS challenge response. This means the ESM cannot support New PIN Mode or Next Tokencode Mode.
Where RADIUS is used to send the authentication to RSA Authentication Manager 8.x deployment, a RADIUS client and an associated RSA agent record must be created using the Security Console for the software/device sending the RADIUS authentication.
In the Security Console select RADIUS > RADIUS Client > Add New.
Enter a client name, IP address and IP address.
Leave the default Make/Model value as - Standard Radius -.
Create the Shared Secret. This secret must be the same as the one on the RADIUS client.
Click Save & Create Associated RSA Agent. You will see the message Added 1 RADIUS client(s).
McAfee Enterprise Security Manager requires a RADIUS profile be returned which provides group access after a successful authentication.
In the Security Console select RADIUS > RADIUS Profiles > Add New.
Enter a Profile Name.
In the section for Return List Attributes, select the Filter-ID[M] attribute and enter a value, such as McAfee:version=1:groups=<ACCESS_GROUPS>, replacing <ACCESS_GROUPS> with a comma-separated list of ESM access groups. For example, if you had an ESM access group called AllRights, you would type: McAfee:version=1:groups=AllRights.
For two access groups called Policy and Reporting that require this policy, you would type McAfee:version=1:groups=Policy,Reporting. For example,
Click Add in the Return List Attribute section and then click Save.
Left-click the name of the profile created above.
Select Associated Users.
Select Assign to More Users.
Use the Search Criteria to search for User IDs.
Select the User IDs to assign to the RADIUS profile and click Assign Profile. For example,
Perform a RADIUS authentication with the User ID that is assigned the RADIUS profile. In this example a test RADIUS authentication was done using NTRadPing to an RSA Authentication Manager 8.1 server.
In the screen shot we see the RADIUS server reply with an Access-Accept and the Filter-ID and group information crated above.
The RADIUS log file created in /opt/rsa/am/radius and named for the date that the test was done (in this case, 20160926.log), shows the line:
09/26/2016 15:29:39 Sent accept response for user rsatest to client NTRADPING