This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Configuring a restricted agent associated to a RADIUS client to control user access with RSA Authentication Manager 8.x.

Article Number

000038649

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

A RADIUS client with an associated RSA agent is created in the Security Console, and the RSA agent has the following setting enabled:
 
User Group Access Restriction: Allow access only to members of user groups who are granted access to this agent 

The following observations are noted:
  • RADIUS authentication is successful when the associated RSA agent is enabled for group restriction. This is not expected.  It is expected to see the following message in the Authentication Activity Monitor:
Activity Key: Authentication agent access check 
Reason: Principal does not belong to any groups activated on restricted agent
  • The Authentication Activity Monitor reports the RSA Authentication Manager's IP address rather than the RADIUS client's IP address in the Agent and Client IPv4 columns.

Cause

The CheckUserAllowedByClient parameter in the [Configuration] section of the /opt/rsa/am/radius/securid.ini file has a value of 0, as shown below: 
...
...
...
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; SecurID General options
[Configuration]
Enable = 1
CheckUserAllowedByClient = 0
;DefaultProfile = DEFAULT
;AllowSystemPins = 0

...
...
...

Resolution

For the group restriction to work for a RADIUS client with an associated RSA Agent, an administrator must ensure the CheckUserAllowedByClient parameter in the [Configuration] section of the /opt/rsa/am/radius/securid.ini file has a value of 1.  Once the value is updated, you must restart the RSA RADIUS server on the Authentication Manager instance using the steps below:
  1. Log in to the command line of the RSA Authentication Manager instance with the operating system account. This can be rsaadmin or another account configured during Quick Setup.
  2. Enter the command awk '!/;/ && /CheckUserAllowedByClient/{$NF="1"} 1' /opt/rsa/am/radius/securid.ini > /tmp/securid.ini.new
This awk command skips lines that are comments, locates CheckUserAllowedByClient, updates the value to 1, and redirects the output to a new file. For example: 
rsaadmin@am84p:~> awk '!/;/ && /CheckUserAllowedByClient/{$NF="1"} 1' /opt/rsa/am/radius/securid.ini > /tmp/securid.ini.new

  1. Check the value of CheckUserAllowedByClient in /tmp/securid.ini.new with the command cat /tmp/securid.ini.new | grep CheckUserAllowedByClient. For example:

rsaadmin@am84p:~> cat /tmp/securid.ini.new | grep CheckUserAllowedByClient
CheckUserAllowedByClient = 1
  1. Check the differences between the original securid.ini file and the changed securid.ini.new file. Only the CheckUserAllowedByClient should have a changed value. For example, where only CheckUserAllowedByClient has changed:
rsaadmin@am84p:~> diff /tmp/securid.ini.new /opt/rsa/am/radius/securid.ini
33c33
< CheckUserAllowedByClient = 1
---
> CheckUserAllowedByClient = 0
  1. Overwrite the RSA RADIUS server securid.ini file with the changed securid.ini.new file. For example:
rsaadmin@am84p:~> cp /tmp/securid.ini.new /opt/rsa/am/radius/securid.ini
  1. Check the CheckUserAllowedByClient in /opt/rsa/am/radius/securid.ini is set with a value of 1. For example:
rsaadmin@am84p:~> cat /opt/rsa/am/radius/securid.ini | grep CheckUserAllowedByClient
CheckUserAllowedByClient = 1

  1. Restart the RSA RADIUS server at the command line for the change to take effect:

rsaadmin@am84p:~> /opt/rsa/am/server/rsaserv restart radius
Stopping RSA RADIUS Server: ***
RSA RADIUS Server                                          [SHUTDOWN]
Starting RSA Administration Server with Operations Console: *
Starting RSA Database Server: *
RSA Administration Server with Operations Console          [RUNNING]
Starting RSA RADIUS Server Operations Console: - RSA Database Server                                        [RUNNING]             *
RSA RADIUS Server Operations Console                       [RUNNING]
Starting RSA Runtime Server: *
RSA Runtime Server                                         [RUNNING]
Starting RSA RADIUS Server: **
RSA RADIUS Server                                          [RUNNING]
  1. Open real-time authentication activity monitor.
  2. From the Security Console, select Reporting > Real-time Activity Monitors > Authentication Activity Monitor.
  3. Click Start Monitor
  4. Perform a RADIUS authentication, and check the authentication events.

Notes

The steps that are provided in this knowledge article avoid having to use the vi editor.

Should you have Linux and vi editor experience, an alternative would be:

  1. Make a copy of the /opt/rsa/am/radius/securid.ini file.
  2. Update the CheckUserAllowedByClient parameter.
  3. Save the change.
  4. Restart the RSA RADIUS Server.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 11:18 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.