Configuring a restricted agent associated to a RADIUS client to control user access with RSA Authentication Manager 8.x.
Originally Published: 2020-03-29
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
User Group Access Restriction: Allow access only to members of user groups who are granted access to this agent
The following observations are noted:
- RADIUS authentication is successful when the associated RSA agent is enabled for group restriction. This is not expected. The following message is expected in the Authentication Activity Monitor:
Activity Key: Authentication agent access check
Reason: Principal does not belong to any groups activated on restricted agent
- The Authentication Activity Monitor reports the RSA Authentication Manager's IP address rather than the RADIUS client's IP address in the Agent and Client IPv4 columns.
Cause
...
...
...
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; SecurID General options
[Configuration]
Enable = 1
CheckUserAllowedByClient = 0
;DefaultProfile = DEFAULT
;AllowSystemPins = 0
...
...
...
Resolution
- Log in to the command line of the RSA Authentication Manager instance with the operating system account. This can be rsaadmin or another account configured during Quick Setup.
- Enter the command awk '!/;/ && /CheckUserAllowedByClient/{$NF="1"} 1' /opt/rsa/am/radius/securid.ini > /tmp/securid.ini.new
This awk command skips lines that contain a semicolon (comment lines), locates CheckUserAllowedByClient, sets its value to 1, and writes the output to a new file. For example:
rsaadmin@am84p:~> awk '!/;/ && /CheckUserAllowedByClient/{$NF="1"} 1' /opt/rsa/am/radius/securid.ini > /tmp/securid.ini.new
- Check the value of CheckUserAllowedByClient in /tmp/securid.ini.new with the command cat /tmp/securid.ini.new | grep CheckUserAllowedByClient. For example:
rsaadmin@am84p:~> cat /tmp/securid.ini.new | grep CheckUserAllowedByClient
CheckUserAllowedByClient = 1
- Check the differences between the original securid.ini file and the changed securid.ini.new file. Only CheckUserAllowedByClient should have a changed value, as in this example:
rsaadmin@am84p:~> diff /tmp/securid.ini.new /opt/rsa/am/radius/securid.ini
33c33
< CheckUserAllowedByClient = 1
---
> CheckUserAllowedByClient = 0
- Overwrite the RSA RADIUS server securid.ini file with the changed securid.ini.new file. For example:
rsaadmin@am84p:~> cp /tmp/securid.ini.new /opt/rsa/am/radius/securid.ini
- Check that CheckUserAllowedByClient in /opt/rsa/am/radius/securid.ini is set to 1. For example:
rsaadmin@am84p:~> cat /opt/rsa/am/radius/securid.ini | grep CheckUserAllowedByClient
CheckUserAllowedByClient = 1
- Restart the RSA RADIUS server at the command line for the change to take effect:
rsaadmin@am84p:~> /opt/rsa/am/server/rsaserv restart radius
Stopping RSA RADIUS Server: ***
RSA RADIUS Server [SHUTDOWN]
Starting RSA Administration Server with Operations Console: *
Starting RSA Database Server: *
RSA Administration Server with Operations Console [RUNNING]
Starting RSA RADIUS Server Operations Console: - RSA Database Server [RUNNING] *
RSA RADIUS Server Operations Console [RUNNING]
Starting RSA Runtime Server: *
RSA Runtime Server [RUNNING]
Starting RSA RADIUS Server: **
RSA RADIUS Server [RUNNING]
- Open the real-time Authentication Activity Monitor:
  - From the Security Console, select Reporting > Real-time Activity Monitors > Authentication Activity Monitor.
  - Click Start Monitor.
- Perform a RADIUS authentication, and check the authentication events.
Notes
The steps that are provided in this knowledge article avoid having to use the vi editor.
Should you have Linux and vi editor experience, an alternative would be:
- Make a copy of the /opt/rsa/am/radius/securid.ini file.
- Update the CheckUserAllowedByClient parameter.
- Save the change.
- Restart the RSA RADIUS Server.
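The edit from the Resolution steps, combined with the backup copy suggested in the Notes, as one guarded shell function. This is an added example, not RSA's code: the names make_sample and enable_client_check, the .bak suffix and the sample file are assumptions constructed here, and the demo runs on a temporary copy rather than /opt/rsa/am/radius/securid.ini.

```shell
#!/bin/sh
# Added example (not vendor code): guarded edit of CheckUserAllowedByClient.
# make_sample and enable_client_check are hypothetical helper names.

# Write a constructed sample modelled on the excerpt in the Cause section.
make_sample() {
    cat > "$1" <<'EOF'
; SecurID General options
[Configuration]
Enable = 1
CheckUserAllowedByClient = 0
;DefaultProfile = DEFAULT
;AllowSystemPins = 0
EOF
}

# enable_client_check FILE: set the value to 1 and back up FILE first.
# Returns 0 on success (or already set), 2 if the result looks wrong.
enable_client_check() {
    ini=$1
    new=$(mktemp) || return 1
    # Same filter as the article: skip lines containing ';', set last field to 1.
    awk '!/;/ && /CheckUserAllowedByClient/{$NF="1"} 1' "$ini" > "$new" || return 1
    # Exactly one active (uncommented) setting must now read "= 1". A setting
    # that is commented out or carries a trailing ';' is skipped by awk.
    active=$(grep -c '^[[:space:]]*CheckUserAllowedByClient[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$new" || true)
    # At most one line may differ from the original.
    changed=$(diff "$ini" "$new" | grep -c '^>' || true)
    if [ "$active" -ne 1 ] || [ "$changed" -gt 1 ]; then
        echo "refusing to install: active=$active changed=$changed" >&2
        rm -f "$new"
        return 2
    fi
    if cmp -s "$ini" "$new"; then   # already set to 1, nothing to install
        rm -f "$new"
        return 0
    fi
    cp -p "$ini" "$ini.bak" || return 1   # keep the original for rollback
    cp "$new" "$ini" || return 1          # overwrite in place, as the article does
    rm -f "$new"
}

# Demo on a throwaway copy, not on the live file.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/securid.ini"
enable_client_check "$demo_dir/securid.ini" &&
    grep -n 'CheckUserAllowedByClient' "$demo_dir/securid.ini"
rm -rf "$demo_dir"
```

A return code of 2 means the awk filter did not produce a single active `CheckUserAllowedByClient = 1` line, so the file is left untouched and group restriction would still not be enforced for RADIUS clients.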