This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Configure McAfee Enterprise Security Manager 5.3 as RADIUS client to authenticate to RSA Authentication Manager 8.x

Article Number

000056802

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 and later

Issue

This article explains how to protect the McAfee management interface with RSA SecurID two-factor authentication.

Resolution

McAfee Enterprise Security Manager (ESM) can send RADIUS authentications, but cannot handle the RADIUS challenge response.  This means the ESM cannot support New PIN Mode or Next Tokencode Mode.

Where RADIUS is used to send the authentication to RSA Authentication Manager 8.x deployment, a RADIUS client and an associated RSA agent record must be created using the Security Console for the software/device sending the RADIUS authentication.
  1. In the Security Console select RADIUS > RADIUS Client > Add New.  
  2. Enter a client name, IP address and IP address.
  3. Leave the default Make/Model value as - Standard Radius -.
  4. Create the Shared Secret.  This secret must be the same as the one on the RADIUS client.
  1. Click Save & Create Associated RSA Agent.  You will see the message Added 1 RADIUS client(s).

 

McAfee Enterprise Security Manager requires a RADIUS profile be returned which provides group access after a successful authentication.
  1. In the Security Console select RADIUS > RADIUS ProfilesAdd New.
  2. Enter a Profile Name.
  3. In the section for Return List Attributes, select the Filter-ID[M] attribute and enter a value, such as McAfee:version=1:groups=<ACCESS_GROUPS>, replacing <ACCESS_GROUPS> with a comma-separated list of ESM access groups. For example, if you had an ESM access group called AllRights, you would type: McAfee:version=1:groups=AllRights.
  4. For two access groups called Policy and Reporting that require this policy, you would type McAfee:version=1:groups=Policy,Reporting.  For example,
 
  1. Click Add in the Return List Attribute section and then click Save.
 
  1. Left-click the name of the profile created above.  
  2. Select Associated Users.
  3. Select Assign to More Users.
  4. Use the Search Criteria to search for User IDs.
  5. Select the User IDs to assign to the RADIUS profile and click Assign Profile.  For example, 
  1. Perform a RADIUS authentication with the User ID that is assigned the RADIUS profile.  In this example a test RADIUS authentication was done using NTRadPing to an RSA Authentication Manager 8.x server.
  1. In the screen shot we see the RADIUS server reply with an Access-Accept and the Filter-ID and group information crated above.
  2. The RADIUS log file created in /opt/rsa/am/radius and named for the date that the test was done (in this case, 20160926.log), shows the line: 

09/26/2016 15:29:39 Sent accept response for user rsatest to client NTRADPING
  1. The Authentication Monitor output is as follows:

Notes

For more information on using NTRadPing, see 000014905 - Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2023-04-21 12:49 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.