Configure McAfee Enterprise Security Manager 5.3 as RADIUS client to authenticate to RSA Authentication Manager 8.x
3 years ago
Originally Published: 2016-09-29
Article Number
000056802
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 and later
Issue
This article explains how to protect the McAfee management interface with RSA SecurID two-factor authentication.
Resolution
McAfee Enterprise Security Manager (ESM) can send RADIUS authentications, but cannot handle the RADIUS challenge response.  This means the ESM cannot support New PIN Mode or Next Tokencode Mode.

Where RADIUS is used to send the authentication to RSA Authentication Manager 8.x deployment, a RADIUS client and an associated RSA agent record must be created using the Security Console for the software/device sending the RADIUS authentication.
  1. In the Security Console select RADIUS > RADIUS Client > Add New.  
  2. Enter a client name, IP address and IP address.
  3. Leave the default Make/Model value as - Standard Radius -.
  4. Create the Shared Secret.  This secret must be the same as the one on the RADIUS client.
User-added image
  1. Click Save & Create Associated RSA Agent.  You will see the message Added 1 RADIUS client(s).
User-added image
 

McAfee Enterprise Security Manager requires a RADIUS profile be returned which provides group access after a successful authentication.
  1. In the Security Console select RADIUS > RADIUS ProfilesAdd New.
  2. Enter a Profile Name.
  3. In the section for Return List Attributes, select the Filter-ID[M] attribute and enter a value, such as McAfee:version=1:groups=<ACCESS_GROUPS>, replacing <ACCESS_GROUPS> with a comma-separated list of ESM access groups. For example, if you had an ESM access group called AllRights, you would type: McAfee:version=1:groups=AllRights.
  4. For two access groups called Policy and Reporting that require this policy, you would type McAfee:version=1:groups=Policy,Reporting.  For example,
User-added image
 
  1. Click Add in the Return List Attribute section and then click Save.
User-added image
 
  1. Left-click the name of the profile created above.  
  2. Select Associated Users.
  3. Select Assign to More Users.
  4. Use the Search Criteria to search for User IDs.
  5. Select the User IDs to assign to the RADIUS profile and click Assign Profile.  For example, 
User-added image
User-added image
  1. Perform a RADIUS authentication with the User ID that is assigned the RADIUS profile.  In this example a test RADIUS authentication was done using NTRadPing to an RSA Authentication Manager 8.x server.
User-added image
  1. In the screen shot we see the RADIUS server reply with an Access-Accept and the Filter-ID and group information crated above.
  2. The RADIUS log file created in /opt/rsa/am/radius and named for the date that the test was done (in this case, 20160926.log), shows the line: 
09/26/2016 15:29:39 Sent accept response for user rsatest to client NTRADPING
  1. The Authentication Monitor output is as follows:
User-added image
Notes
For more information on using NTRadPing, see 000014905 - Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager.

Related Articles

Trending Articles

Don't see what you're looking for?