RADIUS Clients

A RADIUS client is a RADIUS-enabled device at the network perimeter that enforces access control for users attempting to access network resources.

A RADIUS client can be one of the following:

  • VPN server

  • Wireless access point

  • Network access server supporting dial-in modems

  • Dial-in modem

A RADIUS client sends a user’s access request to the RADIUS server. The RADIUS server forwards the request to RSA Authentication Manager for validation. If Authentication Manager validates the access request, the RADIUS client accepts the user’s request for network access. Otherwise, the RADIUS client rejects the user’s request for network access.

You can configure RADIUS clients with or without an assigned authentication agent. The difference between the two methods is in the level of access control and logging you want to have.

  • RADIUS client with an agent. Adding an agent to a RADIUS client allows Authentication Manager to determine which RADIUS client is used for authentication and to save this information in log files.

    When you add a RADIUS client, you have the option to create an associated agent. If you manually configure an agent with the same hostname and IP address as the RADIUS client, the agent is automatically recognized as a RADIUS client agent.

  • RADIUS client without an agent. Without an assigned RADIUS client agent, Authentication Manager cannot track which RADIUS client sends authentication requests and you cannot assign a profile to the client. The RADIUS server simply confirms that the shared secret from the RADIUS client matches the shared secret stored in RSA RADIUS, and then forwards the request without any client information to Authentication Manager.

    All authentication requests appear to be coming from the RADIUS server through its assigned authentication agent. While using this method, if you add an agent to a RADIUS client in the Security Console, Authentication Manager does not associate the agent with the client, so it does not apply any of the agent properties that you specify to the client.

To allow the system to authenticate users from clients with no assigned agent, you must set the SecurID.ini file parameter CheckUserAllowedByClient to 0. By default, this parameter is set to 1, which allows the system to authenticate users from clients with an assigned agent. For more information, see the RSA Authentication Manager RADIUS Reference Guide.

If you need to add a large number of RADIUS clients to Authentication Manager, you might not want to assign agents to RADIUS clients. For example, suppose you are an ISP administrator and need to add and configure one thousand network access servers with the RSA RADIUS server. Instead of adding an agent to each RADIUS client, you select the ANY Client option and configure the same shared secret on every RADIUS client. When an ANY client sends a network access request to its associated RADIUS server, the RADIUS server confirms the shared secret and forwards the request, without any client information, to Authentication Manager.

Note: The FreeRADIUS server refreshes its client data every ten minutes, so a change to a RADIUS client can take up to ten minutes to take effect on the server.
For example, if you change the shared secret for a RADIUS client that has already authenticated to a RADIUS server, the RADIUS server continues to use the older client data for up to ten minutes.
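The following is an added illustration, not code from RSA Authentication Manager or RSA RADIUS, of the two lookup paths described above: a named client is matched by its source address and its own shared secret, while the ANY client is matched by shared secret alone, regardless of source address, and yields no client identity for the log. The client table, secrets, addresses and user names are constructed for the example. Secret checking is modelled with the standard RADIUS Message-Authenticator (HMAC-MD5 over the packet with the shared secret, RFC 2869) and RFC 2865 User-Password hiding; the real product's internal checks are not described on this page and may differ.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed client table, laid out like the Security Console entries above:
# named clients are keyed by normalised IP address; the optional <ANY> entry has
# no address and is matched by shared secret only (hypothetical layout).
CLIENTS = {
    str(ipaddress.ip_address("111.222.33.44")): {"name": "VPN-London", "secret": b"constructed-secret-1"},
    str(ipaddress.ip_address("2001:0db8:85a3:0000:0000:8a2e:0370:7335")): {"name": "WLAN-Paris", "secret": b"constructed-secret-2"},
}
ANY_CLIENT_SECRET = b"constructed-any-secret"  # constructed; None if no <ANY> client exists

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attrs(attrs):
    """Serialise (type, value) pairs into RADIUS type-length-value form (RFC 2865 section 5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Split the attribute region of a packet back into (type, value) pairs."""
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: XOR 16-byte chunks with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Build an Access-Request carrying a Message-Authenticator computed with `secret`."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, encrypt_user_password(password, secret, authenticator)),
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # zeroed while the HMAC is computed
    ]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, hmac.new(secret, header + body, hashlib.md5).digest())
    return header + encode_attrs(attrs)


def message_authenticator_valid(packet, secret):
    """Recompute the Message-Authenticator with `secret` and compare it in constant time."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    claimed, zeroed = None, []
    for t, v in parse_attrs(packet[20:]):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if claimed is not None or len(v) != 16:
                return False  # duplicate or malformed attribute
            claimed = v
            zeroed.append((t, b"\x00" * 16))
        else:
            zeroed.append((t, v))
    if claimed is None:
        return False  # no Message-Authenticator: nothing binds the packet to a secret
    expected = hmac.new(secret, packet[:20] + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(claimed, expected)


def identify_client(src_ip, packet):
    """Return the client name a request is attributed to, "<ANY>" for the ANY client, or None if rejected.

    A named client is tried first, by source address and its own secret. The <ANY>
    path ignores the source address entirely, which is why requests through it
    reach Authentication Manager with no client information.
    """
    entry = CLIENTS.get(str(ipaddress.ip_address(src_ip)))
    if entry is not None and message_authenticator_valid(packet, entry["secret"]):
        return entry["name"]
    if ANY_CLIENT_SECRET is not None and message_authenticator_valid(packet, ANY_CLIENT_SECRET):
        return "<ANY>"
    return None
```

The ordering in `identify_client` is the point: a named entry gives you a client identity to log and to tie to an agent, while anything that only matches the ANY secret is accepted from any address and logged as coming from the RADIUS server itself, which is the trade-off the text above describes.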

Add a RADIUS Client

You must add a RADIUS client to the deployment for each RADIUS device that is configured to use SecurID as its authentication method. The RADIUS client sends authentication requests to the RSA RADIUS server, which then forwards the request to RSA Authentication Manager.

If you want to use risk-based authentication (RBA), RBA must be enabled for the agent associated with the RADIUS client.

Before you begin

(Optional) Before you can add a RADIUS client with an IPv6 address, you must create IPv6 network settings on each primary and replica instance in your deployment. For instructions, see Create IPv6 Network Settings on a Primary or Replica Instance.

Procedure

  1. In the Security Console, click RADIUS > RADIUS Clients > Add New.

  2. In the Client Name field, enter the name of the client, for example, VPN-London. If you are creating the <ANY> client in step 3, do not enter a name.

    The name can contain letters, digits, hyphens (-), underscores (_), and spaces. Tabs, @ signs, most symbols, and non-printable characters are not allowed. This field is limited to 50 characters.

    After you save the client, you cannot change its name. If you want to rename the client, you must delete it and then add a new client with the new name.

  3. (Optional) Select the ANY Client checkbox if you do not want to track which RADIUS client sends authentication requests (for example, because you want to quickly add many RADIUS clients). Client authentication statistics are not supported for the <ANY> client.

    Authentication requests using the shared secret specified for the <ANY> client are processed regardless of the originating client’s IP address.

    You cannot enter an IP address if you select ANY Client because the IP address is not applicable. Go to step 5.

    If you select this option, you also need to disable proxy authentication so that the RADIUS server does not authenticate on behalf of this RADIUS client.

  4. In the IP Address Type field, select the RADIUS client IP address type that is required by your agents.

    • If this is an IPv4 RADIUS client, do the following:

      1. Select IPv4.

      2. In the IPv4 Address field, enter the IPv4 address of the RADIUS client, for example, 111.222.33.44.

    • If this is an IPv6 RADIUS client, do the following:

      1. Select IPv6.

      2. In the IPv6 Address field, enter the IPv6 address of the RADIUS client, for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7335.

      In addition to the IPv6 address that you enter, Authentication Manager automatically creates an IPv4 address for the RADIUS client. This IPv4 address begins with the number "255," and it is not used for communication with agents. Authentication Manager uses this number to identify the RADIUS client.

  5. In the Make/Model drop-down list, select the type of RADIUS client. If you are unsure of the make and model of the RADIUS client, select Standard Radius.

    The RADIUS server uses the make and model to determine which dictionary of RADIUS attributes to use when communicating with this client.

  6. In the Shared Secret field, enter the authentication shared secret (case-sensitive password) that you specified during the RADIUS client installation and configuration.

    The RADIUS client uses the same shared secret when communicating with RADIUS on the primary server or RADIUS on the replica server.

  7. In the Notes field, enter any notes for this client, for example, "Located at London site."

  8. To save your changes, do one of the following:

    • Click Save and Create Associated RSA Agent. This choice allows Authentication Manager to determine which RADIUS agent is used for authentication and to log this information. This option is required if you want to use risk-based authentication (RBA).

    • Click Save only if you have disabled proxied authentication (by setting the securid.ini file parameter CheckUserAllowedByClient to 0). In this case, you cannot assign a profile to this client, and all authentications appear to Authentication Manager as though they are coming from the RADIUS server.

After you finish

If you created an associated RSA agent for this RADIUS client, you must configure the agent.

Edit a RADIUS Client

Edit a RADIUS client if you need to change its properties, such as the shared secret or IP address. For example, you might edit the shared secret because your corporate security policy requires a password change. When you update a RADIUS client make and model, you might need to update the RADIUS profile attributes. If a make and model is no longer used in your deployment, any unused attributes are marked as unknown.

Procedure

  1. In the Security Console, click RADIUS > RADIUS Clients > Manage Existing.

  2. Click the client that you want to edit.

  3. From the context menu, click Edit.

  4. On the RADIUS Client page, make any necessary changes to the client. For more information, see Add a RADIUS Client or Add a RADIUS Client Agent.

  5. Click Save.

    After you save the client record, the Security Console displays the secret as eight asterisks (*) in the client properties, regardless of how many characters you entered.

  6. By default, RSA Authentication Manager requires up to 600 seconds (10 minutes) to reflect any updates that are made to RADIUS clients that previously authenticated to the RADIUS server. To change this time, see Change How Often the RADIUS Server Updates RADIUS Client Information.

    Restarting the RADIUS server causes any changes to take effect immediately. See Restart a RADIUS Server.

    RSA Authentication Manager replication notifies the RADIUS servers on the replica instances about this updated client.

Delete a RADIUS Client

Delete a RADIUS client to permanently remove the RADIUS client from RSA Authentication Manager. For example, you might delete a RADIUS client if you remove the RADIUS device from the network.

If you delete a RADIUS client, Authentication Manager also deletes the agent associated with the RADIUS client.

Procedure

  1. In the Security Console, click RADIUS > RADIUS Clients > Manage Existing.

  2. Click the client that you want to delete.

  3. From the context menu, click Delete.