RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
RSA Authentication Manager 8.5 and earlier uses RADIUS administration port 1813, which still requires SSLv3 even after strict TLS v1.2 mode is implemented.
The new PCI regulation requires TLS v1.2. RSA Authentication Manager 8.2 supports two TLS configuration modes.
Strict TLS 1.2 mode
In this mode, all ports in RSA Authentication Manager 8.2 use TLS v1.2 except the RADIUS administration port 1813, which negotiates SSLv3 because RADIUS does not support TLS mode. This mode can be enabled only if the customer environment requires it, and it needs optional configuration.
Non-strict TLS 1.2 mode (default mode of Authentication Manager 8.2)
The default mode of RSA Authentication Manager 8.2 is non-strict TLS 1.2. This mode supports all versions of the TLS protocol, such as TLS 1.1 and TLS 1.0, as well as SSLv3. It is the default mainly to maintain backward compatibility with older agents and SDK agents.
Limitations of strict TLS 1.2 mode
These limitations are mostly due to the inability of older clients to negotiate the TLS v1.2 protocol. Strict TLS mode does not support the following:
- Provisioning of software token via CT-KIP to Android versions prior to 5.0.2, iOS versions prior to 8.x, Software token for Macintosh and Blackberry.
- Auto registration and Offline Authentication in RSA Authentication Agents prior to 7.3.
- RADIUS administration TCP port 1813 of Steel-Belted RADIUS server still requires SSLv3.
- The enabling of strict TLS mode requires the CLU to be run on each server to update the server configuration.
Notes for Authentication Manager 8.6 and later
Enabling strict TLS 1.2 mode in RSA Authentication Manager 8.6 and later ensures that all communications occur over TLS 1.2, disabling SSLv3, TLS 1.0, and TLS 1.1. With Authentication Manager prior to 8.6, there was an exception for the RADIUS administration port (port 1813), which continued to use SSLv3 even when strict TLS 1.2 mode was enabled. Starting with Authentication Manager 8.6, we no longer use Steel-Belted RADIUS and administration port 1813.
Refer to the RSA Authentication Manager 8.2 Release Notes for details on enabling strict TLS v1.2 mode. The CLU can be used to enable TLS v1.2 mode. However, the RSA services must be restarted for the configuration changes to take effect.
Refer to the article entitled How to enable or disable strict TLS 1.2 mode in RSA Authentication Manager 8.2 for instructions on enabling or disabling strict TLS 1.2 mode.
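To confirm which protocol versions a given Authentication Manager port actually accepts once strict TLS 1.2 mode is enabled, the following Python script (an added example, not RSA code) sends a minimal ClientHello at each version and reads back the ServerHello or alert. It uses raw sockets because current OpenSSL builds usually cannot offer SSLv3. The cipher-suite list and the function names are assumptions of this example.

```python
import os
import socket
import struct
import sys

VERSIONS = {"SSLv3": 0x0300, "TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}
NAMES = {v: k for k, v in VERSIONS.items()}
# Assumed suite list: four RSA suites valid from SSLv3 to TLS 1.2, plus two TLS 1.2-only
# suites. A server sharing none of them is reported as not accepting that version.
SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x003C, 0x009C]

def client_hello(version):
    """Build an extension-free ClientHello whose highest offered version is `version`."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    record_version = min(version, 0x0301)  # record layer stays at SSLv3/TLS 1.0
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake

def parse_reply(data):
    """Classify the first record the server sends back."""
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        chosen = struct.unpack("!H", data[9:11])[0]
        return ("serverhello", NAMES.get(chosen, hex(chosen)))
    if len(data) >= 7 and data[0] == 0x15:
        return ("alert", data[6])  # 70 = protocol_version, 40 = handshake_failure
    return ("none", None)

def probe(host, port, name, timeout=5.0):
    """True only if the server answers with a ServerHello at exactly the offered version."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello(VERSIONS[name]))
            while len(data) < 11:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass  # refused, reset or timed out: treated as "not accepted"
    return parse_reply(data) == ("serverhello", name)

if __name__ == "__main__":
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for port in ports:
        accepted = [n for n in VERSIONS if probe(host, port, n)]
        print(f"{host}:{port} accepts {accepted or 'none of the probed versions'}")
```

Pass the host and the ports to check as arguments. On Authentication Manager 8.5 and earlier in strict mode, port 1813 is the one expected to still list SSLv3.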