Configuring a restricted agent associated to a RADIUS client to control user access with RSA Authentication Manager 8.x.
Originally Published: 2020-03-29
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
User Group Access Restriction: Allow access only to members of user groups who are granted access to this agent
The following observations are noted:
- RADIUS authentication succeeds even though the associated RSA agent is enabled for group restriction. This is not the expected behavior; the Authentication Activity Monitor should instead show the following message:
Activity Key: Authentication agent access check
Reason: Principal does not belong to any groups activated on restricted agent
- The Authentication Activity Monitor reports the RSA Authentication Manager's IP address rather than the RADIUS client's IP address in the Agent and Client IPv4 columns.
Cause
...
...
...
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; SecurID General options
[Configuration]
Enable = 1
CheckUserAllowedByClient = 0
;DefaultProfile = DEFAULT
;AllowSystemPins = 0
...
...
...
Resolution
- Log in to the command line of the RSA Authentication Manager instance with the operating system account. This can be rsaadmin or another account configured during Quick Setup.
- Enter the command awk '!/;/ && /CheckUserAllowedByClient/{$NF="1"} 1' /opt/rsa/am/radius/securid.ini > /tmp/securid.ini.new
This awk command skips lines that are comments, locates CheckUserAllowedByClient, updates the value to 1, and redirects the output to a new file. For example:
rsaadmin@am84p:~> awk '!/;/ && /CheckUserAllowedByClient/{$NF="1"} 1' /opt/rsa/am/radius/securid.ini > /tmp/securid.ini.new
- Check the value of CheckUserAllowedByClient in /tmp/securid.ini.new with the command cat /tmp/securid.ini.new | grep CheckUserAllowedByClient. For example:
rsaadmin@am84p:~> cat /tmp/securid.ini.new | grep CheckUserAllowedByClient
CheckUserAllowedByClient = 1
- Check the differences between the original securid.ini file and the changed securid.ini.new file. Only the CheckUserAllowedByClient value should differ. For example, where only CheckUserAllowedByClient has changed:
rsaadmin@am84p:~> diff /tmp/securid.ini.new /opt/rsa/am/radius/securid.ini
33c33
< CheckUserAllowedByClient = 1
---
> CheckUserAllowedByClient = 0
- Overwrite the RSA RADIUS server securid.ini file with the changed securid.ini.new file. For example:
rsaadmin@am84p:~> cp /tmp/securid.ini.new /opt/rsa/am/radius/securid.ini
- Check that CheckUserAllowedByClient in /opt/rsa/am/radius/securid.ini is now set to 1. For example:
rsaadmin@am84p:~> cat /opt/rsa/am/radius/securid.ini | grep CheckUserAllowedByClient
CheckUserAllowedByClient = 1
- Restart the RSA RADIUS server at the command line for the change to take effect:
rsaadmin@am84p:~> /opt/rsa/am/server/rsaserv restart radius
Stopping RSA RADIUS Server: ***
RSA RADIUS Server [SHUTDOWN]
Starting RSA Administration Server with Operations Console: *
Starting RSA Database Server: *
RSA Administration Server with Operations Console [RUNNING]
Starting RSA RADIUS Server Operations Console: - RSA Database Server [RUNNING] *
RSA RADIUS Server Operations Console [RUNNING]
Starting RSA Runtime Server: *
RSA Runtime Server [RUNNING]
Starting RSA RADIUS Server: **
RSA RADIUS Server [RUNNING]
- Open the real-time Authentication Activity Monitor:
- From the Security Console, select Reporting > Real-time Activity Monitors > Authentication Activity Monitor.
- Click Start Monitor.
- Perform a RADIUS authentication, and check the authentication events.
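The steps above, as an added example that is not part of this RSA article: a POSIX shell function that applies the same awk edit to a copy of securid.ini and only reports success when the active CheckUserAllowedByClient line now reads 1 and no other line differs from the original, so the copy is safe to put in place. The make_sample_ini helper and the temporary paths are constructed for the demonstration; the production file is /opt/rsa/am/radius/securid.ini.

```shell
#!/bin/sh
# Added example (not RSA's code). Apply the article's awk edit to a copy of
# securid.ini and verify the result before it is copied over the live file.

# Usage: set_check_user_allowed <source.ini> <dest.ini>
# Returns 0 only when the non-comment CheckUserAllowedByClient line in <dest.ini>
# is 1 and nothing else differs from <source.ini>.
set_check_user_allowed() {
    src="$1"; dst="$2"
    # Same awk as the article: skip lines containing ';' (comments), set the
    # last field of the CheckUserAllowedByClient line to 1, print every line.
    awk '!/;/ && /CheckUserAllowedByClient/{$NF="1"} 1' "$src" > "$dst" || return 1
    # The active key must now read 1 (fails if awk skipped it, e.g. because a
    # trailing ';' comment sat on the same line and the line was treated as a comment).
    grep -q '^CheckUserAllowedByClient *= *1$' "$dst" || return 1
    # No changed line other than CheckUserAllowedByClient may appear in the diff.
    if diff "$src" "$dst" | grep '^[<>]' | grep -qv 'CheckUserAllowedByClient'; then
        return 1
    fi
    return 0
}

# Constructed sample resembling the securid.ini excerpt shown in the article.
make_sample_ini() {
    cat > "$1" <<'EOF'
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; SecurID General options
[Configuration]
Enable = 1
CheckUserAllowedByClient = 0
;DefaultProfile = DEFAULT
;AllowSystemPins = 0
EOF
}

# Demo on a constructed copy; on a real instance pass the live path as <source.ini>.
demo_dir=$(mktemp -d)
make_sample_ini "$demo_dir/securid.ini"
if set_check_user_allowed "$demo_dir/securid.ini" "$demo_dir/securid.ini.new"; then
    echo "securid.ini.new is ready: only CheckUserAllowedByClient changed"
else
    echo "verification failed; do not copy securid.ini.new into place" >&2
fi
rm -rf "$demo_dir"
```

The function refuses a copy in which awk touched anything other than the target key, which is the same check the manual diff step performs, and it also catches the case where awk left the value at 0 because the key's line contained a semicolon.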
Notes
The steps that are provided in this knowledge article avoid having to use the vi editor.
Should you have Linux and vi editor experience, an alternative would be:
- Make a copy of the /opt/rsa/am/radius/securid.ini file.
- Update the CheckUserAllowedByClient parameter.
- Save the change.
- Restart the RSA RADIUS Server.