SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000064989
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.6
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.6
Issue
Authentication Manager server up to 8.5 P5 used Steel-Belted RADIUS (SBR) as the basis for SecurID server.
Authentication Manager 8.6 uses FreeRADIUS as the basis for the SecurID RADIUS server. FreeRADIUS is the most popular open source RADIUS server in the world. SBR has reached end-of-life and required replacement. SBR is no longer supported after August 2023.
The new SecurID RADIUS server in SecurID Authentication Manager 8.6 supports all of the most popular RADIUS features and functionality from earlier releases. The same user interface and prompts display. Users will not see any differences when authenticating with the new version of SecurID RADIUS.
The following articles walk through the steps on how to perform RADIUS authentication tests, setting PINs and navigating Next Tokencode Mode using NTRadPing:
000014905 Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager
000027040 How to set PINs and navigate Next Tokencode Mode for RSA SecurID Tokens using NTRadPing
Authentication Manager 8.6 uses FreeRADIUS as the basis for the SecurID RADIUS server. FreeRADIUS is the most popular open source RADIUS server in the world. SBR has reached end-of-life and required replacement. SBR is no longer supported after August 2023.
The new SecurID RADIUS server in SecurID Authentication Manager 8.6 supports all of the most popular RADIUS features and functionality from earlier releases. The same user interface and prompts display. Users will not see any differences when authenticating with the new version of SecurID RADIUS.
The following articles walk through the steps on how to perform RADIUS authentication tests, setting PINs and navigating Next Tokencode Mode using NTRadPing:
000014905 Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager
000027040 How to set PINs and navigate Next Tokencode Mode for RSA SecurID Tokens using NTRadPing
Task
Resolution
The same steps work for all supported versions of Authentication Manager, with minimal changes at 8.6.
1. Login to the Security Console and navigate to RADIUS > RADIUS Client > Add New.
2. Enter information to register your local machine as a RADIUS client:![]()
The following differences would be noted in the RADIUS server reply:
Unlike short state values with SBR RADIUS server responses, RADIUS state values of Authentication Manager 8.6 using FreeRADIUS are longer.![]()
RADIUS Server reply:![]()
The RADIUS Server replies:![]()
The RADIUS Server replies:![]()
Create a test RADIUS client
- With Authentication Manager 8.5 and below that use Steel Belted RADIUS, use - Standard RADIUS for the make/model.
- For Authentication Manager 8.6 and up, create a test RADIUS client with make/model of - FreeRADIUS.
1. Login to the Security Console and navigate to RADIUS > RADIUS Client > Add New.
2. Enter information to register your local machine as a RADIUS client:
- Enter a client name and the IP address of your machine.
- Set the make/model as - FreeRADIUS -
- Create a RADIUS shared secret, such as 12345. You will need to enter this secret into the NTRadPing interface, so make a note of it.
- Click Save & Create Associated RSA Agent.
- Click Save when prompted.
- Click Yes, Save Agent.
The following differences would be noted in the RADIUS server reply:
Unlike short state values with SBR RADIUS server responses, RADIUS state values of Authentication Manager 8.6 using FreeRADIUS are longer.
- When a tokencode is obtained from a token in New PIN Mode, a new fixed passcode is sent to the RADIUS server, the response we get back is an Access-Challenge, as shown here:
RADIUS Server reply:
response: Access-Challenge
----------------------------attribute dump-----------------------------
Reply-Message=\0x0d\0x0a Enter your new PIN having from 4 to 8 ....
State=RSA|cb3c9a64-6f94-493c-82fd-233c11677c51|868a764f-bdf1-4c86-93cc-bea84f0b9c7a|SECURID_NEWPIN- In the right hand drop-down box, above the Load and Save buttons, enter the full STATE value that FreeRADIUS returned. In our example above, this is RSA|cb3c9a64-6f94-493c-82fd-233c11677c51|868a764f-bdf1-4c86-93cc-bea84f0b9c7a|SECURID_NEWPIN
- Click Add.
- You will see that value goes in the Additional Radius Attributes box as State=RSA|cb3c9a64-6f94-493c-82fd-233c11677c51|868a764f-bdf1-4c86-93cc-bea84f0b9c7a|SECURID_NEWPIN.
- Now put in the new PIN you want in the Password field, and press Send.
The RADIUS Server replies:
response: Access-Challenge
----------------------------attribute dump-----------------------------
Reply-Message=\0x0d\0x0a Please re-enter new PIN:
State=RSA|cb3c9a64-6f94-493c-82fd-233c11677c51|7e87113d-5d51-4489-8b2c-106b9cdf74aa|SECURID_NEWPIN_CONFIRM- You will get another Access-Challenge reply from the RADIUS server. Note that the new challenge displays a new state value. This second response has a value of RSA|cb3c9a64-6f94-493c-82fd-233c11677c51|7e87113d-5d51-4489-8b2c-106b9cdf74aa|SECURID_NEWPIN_CONFIRM. What the change of state value means is that Authentication Manager received your first PIN. Just like when navigating New PIN Mode through an RSA Authentication Agent interface, you need to enter the same PIN again.
- Send the second confirmation PIN as a reply to the second Access-Challenge
- Highlight the Additional Radius Attributes field, and remove the State=RSA|cb3c9a64-6f94-493c-82fd-233c11677c51|868a764f-bdf1-4c86-93cc-bea84f0b9c7a|SECURID_NEWPIN value
- Repeat steps 2 through 5 again, using the PIN you created. Note that when you repeat step 2, enter the updated State=RSA|cb3c9a64-6f94-493c-82fd-233c11677c51|7e87113d-5d51-4489-8b2c-106b9cdf74aa|SECURID_NEWPIN_CONFIRM value. You have just sent the two PINs to the Authentication Manager server.
The RADIUS Server replies:
response: Access-Challenge
----------------------------attribute dump-----------------------------
Reply-Message=\0x0d\0x0a Wait for the token code to change
Reply-Message=\0x0d\0x0a then enter the new passcode:
State=RSA|cb3c9a64-6f94-493c-82fd-233c11677c51|84789bc6-dbdd-485e-a298-2530f63eb72c|SECURID- Send the final confirmation new PIN + tokencode in response to the final Access-Challenge. In this test the new State=RSA|cb3c9a64-6f94-493c-82fd-233c11677c51|84789bc6-dbdd-485e-a298-2530f63eb72c|SECURID.
- Repeat steps 2 through 5 for the last time, changing the State=RSA|cb3c9a64-6f94-493c-82fd-233c11677c51|84789bc6-dbdd-485e-a298-2530f63eb72c|SECURID.
- This time, put the new PIN and the current tokencode into the password field and press Send.
- The result changes from Access-Challenge to Access-Accept and you now have a token with an associated PIN.
Notes
In this article
