RSA SecurID via RADIUS
10.2.11.1. RSA SecurID authentication over RADIUS

RSA SecurID can be connected to Airlock IAM using the universal RADIUS networking protocol.

This article explains how to connect to a RSA SecureID server using the standard RADIUS client plugins described in 10.2.11. Token authentication via RADIUS.

The descriptions have been made with certain version of the RSA Authentication Manager software. It may differ for other software version.

Secure_ID

Goal

Configure Airlock IAM for RSA SecurID authentication using the RADIUS protocol.

Procedure-related prerequisites

  • The RADIUS service has been configured and enabled in the RSA Authentication Manager.
  • Airlock IAM as RADIUS client has been configured in the RSA Authentication Manager.
  • The following information from The RADIUS server is available for IAM configuration: RSA RADIUS server hostname (or IP address), RADIUS port and shared secret.
  • You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.

Instruction step 1 - Add Airlock IAM as a new RADIUS client

The following steps need to be carried out in the RSA Authentication Manager. For up-to-date information, see the manufacturer's documentation.

  • 1.
    Go to: RADIUS >> RADIUS Client >> Add New
  • 2.
    Set a Client Name which represents the Airlock IAM deployment.
  • 3.
    Select the IP Address Type.
  • 4.
    Add the IP of the Airlock IAM deployment.
  • 5.
    For Make / Model, set: Standard Radius
  • 6.
    For Shared Secret, set a password.
  • 7.
    Add a note which describes your Airlock IAM client.
  • 8.
    Click Save & Create Associated RSA Agent.
  • The message Added 1 Radius client(s). appears.
  • 9.
    Click Save to finish the procedure.
  • The new client appears in the client list and RSA Agent is activated for this client.

Instruction step 2 - Configure Airlock IAM Radius Authenticator plugin

Use the RSA RADIUS clients settings from Instruction step 1 to configure the RADIUS client plugin in Airlock IAM.

The actual plugins and configuration details differ between the Loginapp REST UI and the JSP-Loginapp. More information is given in the last section of this page.

  • Configuration hints:
  • As Host, Port, and Shared Secret use the values chosen in RSA Authentication Manager in the first step. This should be enough to test the connection using the Testlet (yellow flash icon) in the Config Editor.
  • To support the Next Token Mode, add the Reply Message Access Challenge Rule mapping the RADIUS reply message for the next token mode (typically "*.next token required.*") to Airlock IAM authentication result Next token required.
  • For correct reporting and logging, set Reported Auth Method to HW_OTP.
  • Set If Credential Is Missing to Ask for token in first step.

Diagnostic steps

  • Enable Log Radius Attributes to write RADIUS attributes to the log file. It usually helps to find out, what went wrong.
  • If Next Token Mode or New PIN Mode is not working as expected, have a look at the reply messages return by the RSA SecurID server and compare them to the patterns used in the Access Challenge Rules. The reply messages may have changed or been customized in the RSA Authentication Manager.

Further information and links