RSA SecurID authentication over RADIUS

RSA SecurID can be connected to Airlock IAM using the RADIUS protocol.

This article explains how to connect to a RSA SecureID server using the standard RADIUS client plugins described in Token authentication via RADIUS.

The descriptions have been made with a certain version of the RSA Authentication Manager software. It may differ for other software versions.



Configure Airlock IAM for RSA SecurID authentication using the RADIUS protocol.

Procedure-related prerequisites

  • The RADIUS service has been configured and enabled in the RSA Authentication Manager.
  • Airlock IAM as a RADIUS client has been configured in the RSA Authentication Manager.
  • The following information from The RADIUS server is available for IAM configuration: RSA RADIUS server hostname (or IP address), RADIUS port, and shared secret.
  • You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.

Instruction step 1 - Add Airlock IAM as a new RADIUS client

The following steps need to be carried out in the RSA Authentication Manager. For up-to-date information, see the manufacturer's documentation.

  1. Go to: RADIUS >> RADIUS Client >> Add New
  2. Set a Client Name that represents the Airlock IAM deployment.
  3. Select the IP Address Type.
  4. Add the IP of the Airlock IAM deployment.
  5. For Make / Model, set: Standard Radius
  6. For Shared Secret, set a password.
  7. Add a note which describes your Airlock IAM client.
  8. Click Save & Create Associated RSA Agent.
  9. The message Added 1 Radius client(s). appears.
  10. Click Save to finish the procedure.
  11. The new client appears in the client list and RSA Agent is activated for this client.

Instruction step 2 - Configure Airlock IAM OTP Check via RADIUS Step plugin

Use the RSA RADIUS clients settings from Instruction step 1 to configure the RADIUS client plugin in Airlock IAM.

  • Configuration hints:
  • As Host, Port, and Shared Secret use the values chosen in RSA Authentication Manager in the first step. This should be enough to test the connection using the Testlet (yellow flash icon) in the Config Editor.
  • To support the Next Token Mode, add the OTP Check Access Challenge Rule mapping the RADIUS reply message for the next token mode (typically *.next token required.*) to Airlock IAM authentication result Next token required.
  • For correct reporting and logging, set Reported Auth Method to HW_OTP.

Diagnostic steps

  • Enable Log Radius Attributes to write RADIUS attributes to the log file. It usually helps to find out, what went wrong.
  • If Next Token Mode is not working as expected, have a look at the reply messages returned by the RSA SecurID server and compare them to the patterns used in the configured access challenge rules. The reply messages may have changed or been customized in the RSA Authentication Manager.