RSA® SecurID Access Release Notes for RSA Authentication Manager 8.6

SecurID® Authentication Manager 8.6 Release Notes (August 2021)

SecurID® Authentication Manager 8.6 delivers compelling features that make it faster and easier to take the journey to modern multifactor authentication and the Cloud. Authentication Manager 8.6 includes the following new features and enhancements:

For additional information, see:

For a complete list of product documentation, see the RSA Authentication Manager Documentation page.


The Cloud Authentication Service and SecurID Authenticate App Release Notes are available here.

New SecurID RADIUS Server

Authentication Manager 8.6 uses FreeRADIUS as the basis for the SecurID RADIUS server, instead of Steel-Belted RADIUS (SBR). FreeRADIUS is the most popular open source RADIUS server in the world. SBR has reached end-of-life and required replacement. SBR is no longer supported after August 2023.

The new SecurID RADIUS server in Authentication Manager 8.6 supports all of the most popular RADIUS features and functionality from earlier releases. The same user interface and prompts display. Users will not see any differences when authenticating with the new version of SecurID RADIUS.

A successful early access program with several large customers minimized the risk and impact for all RADIUS customers.

The migration to the new RADIUS server is included in the upgrade to version 8.6. Existing RADIUS data and configuration files are automatically converted or migrated, and an HTML RADIUS migration report assists you in preparing your data.

The RADIUS server has some changes compared to the earlier versions.

| Feature | Supported or Changed | Unsupported or Deprecated |
|---|---|---|
| Attributes | All RADIUS profile attributes can have more than one value. You can specify an order for all multiple-value attributes that a RADIUS server returns to a RADIUS client when a user is authenticated. An order is not maintained for different types of attributes. Attributes with string data type returned without null terminator. | |
| Authentication Methods | EAP-TTLS and EAP-PEAP | EAP-POTP and multi-step authentication for EAP |
| Authentication Ports | UDP 1645 and UDP 1812 are configured by the upgrade. | UDP 1646, UDP 1813, TCP 1812 and TCP 1813 are closed by the upgrade. |
| Authentication Proxy | From external RADIUS servers to Authentication Manager | From Authentication Manager to external RADIUS servers |
| Dictionary Files | RADIUS supports slightly different data types and a new format for dictionary files. The version 8.6 upgrade converts and migrates your dictionary, profile, and attribute data. | |
| Logging | Logging configured in radiusd.conf | Logging no longer configured in radius.ini |
| RADIUS Profile (Default) | Assigned through System Settings in the Security Console, and not in securid.ini. | RADIUS profiles that contain unknown attributes cannot migrate. |
| RADIUS Replication | RSA Authentication Manager handles SecurID RADIUS replication. All SecurID RADIUS data is stored in the Authentication Manager internal database. For backwards compatibility, some Authentication Manager reports still list information on RADIUS replication. | Separate RSA RADIUS replication |
| RADIUS Server Configuration Files | The structure and format of some SecurID RADIUS server configuration files are changed. The configuration and functionality of EAP certificates have not changed. | |
| securID.ini File | Default SecurID RADIUS prompt strings to customize default messages | Non-RSA strings or any SBR strings |
| TACACS+ | Terminate the connection on a RADIUS server that supports TACACS+ and proxy the authentication request (user name and passcode) to Authentication Manager. | Authentication Manager 8.6 does not support TACACS+. |
| Other | Custom RADIUS ports or multiport configuration is not migrated. Configure these after upgrading. | ISDN Protocol and ISDN-specific properties; RADIUS accounting protocol, accounting statistics, shared secret, and class attributes; Apply Login limit tool (tracks user logins); Access to RADIUS data through LDAP; Funk attributes |

For a complete description of the changes, see the upgrade instructions in the Setup and Configuration Guide. A new RADIUS Reference Guide is provided for administrators.
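
Because string attributes are now returned without a null terminator and multiple-value attributes keep their order only within one attribute type, a RADIUS client that parses replies should tolerate both encodings. The following is an added example, not code from RSA or FreeRADIUS; it assumes the standard type-length-value attribute layout of RFC 2865 and uses constructed sample data with the text attributes Filter-Id (11) and Reply-Message (18).

```python
# Added example: tolerant decoding of RADIUS text attributes (RFC 2865 TLV layout).
FILTER_ID = 11        # RFC 2865 attribute numbers for two text attributes
REPLY_MESSAGE = 18
TEXT_TYPES = {FILTER_ID: "Filter-Id", REPLY_MESSAGE: "Reply-Message"}


def encode_attr(attr_type, value, null_terminated=False):
    """Build one attribute; the length byte counts the 2-byte header too."""
    data = value.encode("utf-8") + (b"\x00" if null_terminated else b"")
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(data) + 2]) + data


def parse_attrs(blob):
    """Yield (type, raw value) pairs in wire order; reject malformed lengths."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def decode_text_attrs(blob):
    """Group text attributes by type, keep per-type order, drop one trailing NUL."""
    out = {}
    for attr_type, raw in parse_attrs(blob):
        name = TEXT_TYPES.get(attr_type)
        if name is None:
            continue  # non-text attributes are out of scope for this example
        if raw.endswith(b"\x00"):
            raw = raw[:-1]  # value sent with a null terminator
        out.setdefault(name, []).append(raw.decode("utf-8"))
    return out


# Constructed samples: the same profile values with and without terminators.
VALUES = [(FILTER_ID, "vpn-users"), (REPLY_MESSAGE, "Welcome"),
          (FILTER_ID, "no-split-tunnel")]
WITH_NUL = b"".join(encode_attr(t, v, True) for t, v in VALUES)
WITHOUT_NUL = b"".join(encode_attr(t, v) for t, v in VALUES)
```

Both sample byte strings decode to the same values, so a client written this way behaves identically before and after the upgrade.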

More Disk Space for the VMware Virtual Appliance

The VMware virtual appliance now offers 500 GB of disk space for storage. The new appliance provides more disk space for local backups and also increases the amount of time that a replica instance can remain disconnected from the network, but still be able to synchronize with the primary instance. The greater storage capacity makes it possible to transition from physical hardware appliances to a virtual deployment, resulting in lower administrative costs.

To get 500 GB of disk space, download the full kit for the RSA Authentication Manager 8.6 – VMware Virtual Appliance, rsa-am-vmware-virtual-appliance-8.6.0.0.0.ova from the myRSA website. If you do not require 500 GB, download the RSA Authentication Manager 8.6 – Update kit, rsa-am-update-8.6.0.0.0.zip. Upgrading does not change the size of your existing 100 GB VMware virtual appliances.

You can deploy the 500 GB VMware appliance in a deployment with upgraded 100 GB VMware appliances. Make sure that you have sufficient disk space before restoring an Authentication Manager backup file on a new appliance or promoting a 100 GB replica instance to replace a 500 GB primary instance.

If you want to deploy all 500 GB VMware virtual appliances in an existing deployment, do the following:

  1. Sign in to RSA Link, and download rsa-am-update-8.6.0.0.0.zip.

  2. Upgrade to Authentication Manager 8.6.

    For instructions, see the RSA Authentication Manager 8.6 Setup and Configuration Guide.

  3. Use the VMware Feature Kit to deploy new 500 GB 8.6 replica instances.

  4. To change your primary instance to 500 GB, promote a 500 GB replica instance, and delete your existing primary instance.

    If the new primary instance and the replica instances are out-of-sync, you must synchronize each out-of-sync replica instance in the primary instance Operations Console.

Ability to Provide Your Own Quick Setup Access Code for VMware Virtual Appliance Deployment

When you deploy a VMware virtual appliance, you can provide your own Quick Setup Access Code along with the network settings, or you can allow the system to generate a unique code for your virtual appliance. The Quick Setup Access Code is required to begin Quick Setup.

This new feature allows you to automate Quick Setup using VMware customization specifications. The result is lower administrative costs and faster deployment.

The Quick Setup Access Code must contain eight of the following characters, including at least one number: abcdefghijkmnopqrstuvwxyzACDEFGHIJKLMNPQRSTUVWXYZ0123456789. For example, EgR7t4LR. If you do not meet these requirements, you must redeploy the appliance with a valid access code.
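
Because an invalid code forces a redeployment, it is worth validating or generating the code before it goes into a VMware customization specification. The following is an added example, not RSA code; it reads the rule as exactly eight characters, all from the listed set, with at least one digit, and the function names are hypothetical.

```python
# Added example: validate or generate a Quick Setup Access Code before deployment.
import secrets

# Alphabet copied from the release notes; note that it omits l, B and O.
ALPHABET = "abcdefghijkmnopqrstuvwxyzACDEFGHIJKLMNPQRSTUVWXYZ0123456789"
DIGITS = "0123456789"
CODE_LENGTH = 8  # assumption: "eight" is read as exactly eight characters


def check_access_code(code):
    """Return a list of rule violations; an empty list means the code is valid."""
    problems = []
    if len(code) != CODE_LENGTH:
        problems.append(f"length is {len(code)}, expected {CODE_LENGTH}")
    bad = sorted({c for c in code if c not in ALPHABET})
    if bad:
        problems.append("characters not allowed: " + "".join(bad))
    if not any(c in DIGITS for c in code):
        problems.append("no number present")
    return problems


def generate_access_code():
    """Draw codes from the OS CSPRNG until one satisfies every rule."""
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        if not check_access_code(code):
            return code
```

Rejecting and redrawing a whole code, rather than forcing a digit into a fixed position, keeps every valid code equally likely.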

Improved Distributed Token Requests Report

The Distributed Token Requests report lists distributed token requests and the shipping information needed to distribute hardware tokens. RSA Authentication Manager 8.6 adds a Distributed On column that provides the time and date on which token requests were distributed. The additional information provides you with more insight into token distribution.

If you are already using this report, after upgrading to version 8.6, you can add the new output column from the Available field, and change the order of the columns as needed.

[Image: Distributed_Token_Requests_Report_upgraded_existing]

If you have never used this report, after installing version 8.6 or upgrading, the new column is located in the Show in Report column.

[Image: Distributed_Token_Requests_Report_new_report]

New input parameters allow you to select the time and date that tokens were distributed.

For example, suppose you want to generate a report that lists the tokens that were distributed during the current year until today. After selecting the Distributed On output column for the report, you can select the year to date for the Distributed On input parameter.

[Image: Distributed_Token_Requests_Report_input_parameters]

The following is an example of the report output.

[Image: Distributed_Token_Requests_Report_output]

Additional Features and Enhancements from Version 8.5 Patches

Authentication Manager 8.6 contains the new features and enhancements from Authentication Manager 8.5 Patch 1 through Patch 3. These include the following:

  • You can prevent Authenticate Tokencode users from being prompted for PINs on their first authentication to the Cloud Authentication Service.
  • When the Cloud Authentication Service is slow or not available, all users can be prompted for local authentication with Authenticate Tokencode or SecurID authentication, regardless of whether the authentication agent is configured in Authentication Manager mode or Cloud Authentication Service mode.
  • Replica instances can perform some administrative tasks, such as clearing PINs and providing emergency access for users.
  • When you add or edit a predefined or custom administrative role, you can give the role permission to unlock accounts and you can give the role permission to enable and disable accounts. Previously, these permissions were combined.

For more information, see the RSA Authentication Manager 8.5 Patch 3 Readme.

Upgrading from RSA Authentication Manager 8.5

You can apply the Authentication Manager 8.6 upgrade patch to any hardware appliance or virtual appliance that has Authentication Manager 8.5 software. Follow the standard steps to apply an Authentication Manager update from your web browser, a Windows shared folder, an NFS share, or a DVD or CD.  

Each virtual appliance must have at least 9.5 GB of free disk space if you are upgrading Authentication Manager through your web browser. You must have 6 GB of free disk space to apply version 8.7 SP2 from a Windows shared folder, an NFS share, or a DVD or CD.

| Update Source | Minimum Required Disk Space |
|---|---|
| Web browser | 9.5 GB |
| Windows shared folder | 6 GB |
| NFS share | 6 GB |
| DVD or CD | 6 GB |

Note:  From earlier versions of RSA Authentication Manager, you must upgrade to Authentication Manager 8.5 before applying version 8.6. For instructions, see the RSA Authentication Manager 8.5 Setup and Configuration Guide.

Authentication Manager 8.6 includes the software fixes in the cumulative Patch 3 for version 8.5. Applying version 8.6 removes any software fixes that are not included in the cumulative Patch 3 for version 8.5. (For the fixed issues, see the RSA Authentication Manager 8.5 Patch 3 Readme.) To obtain the software fixes in version 8.5 Patch 4 and Patch 5, you must apply version 8.6 Patch 1.

For upgrade instructions, see the Authentication Manager 8.6 Setup and Configuration Guide.

Note:

  • If you are using a Windows share, RSA Authentication Manager 8.4 and later requires the SMBv2 or SMBv3 protocol, as SMBv1 is no longer supported.
  • After you upgrade the replica instance following the primary instance, RADIUS authentication becomes available only after a while. For more information, see https://community.rsa.com/t5/securid-knowledge-base/need-to-wait-until-updating-radius-connector-ini-file-after-am8/ta-p/679401

Upgrading an Existing Deployment that Does Not Yet Use Azure or Amazon Web Services

You can upgrade an existing RSA Authentication Manager deployment that is not yet using the Azure Cloud or Amazon Web Services (AWS) Cloud.

The Azure virtual appliance supports a mixed deployment of Cloud and on-premises appliances. To upgrade an existing deployment that is not yet using the Azure virtual appliance, do the following:

  1. Sign in to RSA Link, and download rsa-am-update-8.6.0.0.0.zip.

  2. Upgrade to Authentication Manager 8.6.

    For instructions, see the RSA Authentication Manager 8.6 Setup and Configuration Guide.

  3. Deploy new Authentication Manager 8.6 replica instances in Azure.

  4. To move your primary instance into Azure, promote a replica instance, and delete your existing primary instance.

    If the new primary instance and the replica instances are out-of-sync, you must synchronize each out-of-sync replica instance in the primary instance Operations Console.

The Amazon Web Services (AWS) virtual appliance supports a mixed deployment of Cloud and on-premises appliances. To upgrade an existing deployment that is not yet using the AWS virtual appliance, do the following:

  1. Sign in to RSA Link, and download rsa-am-update-8.6.0.0.0.zip.

  2. Upgrade to Authentication Manager 8.6.

    For instructions, see the RSA Authentication Manager 8.6 Setup and Configuration Guide.

  3. Deploy new Authentication Manager 8.6 replica instances in AWS.

  4. To move your primary instance into AWS, promote a replica instance, and delete your existing primary instance.

    If the new primary instance and the replica instances are out-of-sync, you must synchronize each out-of-sync replica instance in the primary instance Operations Console.

RSA Authentication Agent Support

RSA authentication agent software is available on the SecurID Access Documentation & Downloads page.

RSA Authentication Manager 8.6 continues to support your authentication agents that use the UDP protocol.

REST protocol authentication agents, such as RSA Authentication Agent 2.0 or later for Microsoft AD FS, RSA Authentication Agent 8.0 or later for PAM, and RSA MFA Agent 2.0.1 or later for Microsoft Windows can use RSA Authentication Manager 8.6 as a secure proxy server for the Cloud Authentication Service.

You may also purchase products that contain embedded RSA authentication agent software. The software is embedded in a number of products, such as remote access servers, firewalls, and web servers. For more information, go to the RSA Ready Partner website at www.rsaready.com.

Fixed Issues

Authentication Manager 8.6 includes the software fixes in the cumulative Patch 3 for version 8.5. Applying version 8.6 removes any software fixes that are not included in the cumulative Patch 3. To obtain all of the software fixes in Patch 4 and later version 8.5 patches, you must apply version 8.6 patches as they become available. For the complete list of resolved issues, see the RSA Authentication Manager 8.5 Patch 3 Readme.

Known Issues

See RSA® Authentication Manager 8.6 Known Issues.

© 1994-2021 RSA Security LLC or its affiliates. All rights reserved. RSA Conference logo, RSA, and other trademarks are trademarks of RSA Security LLC or its affiliates. For a list of RSA trademarks, see https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks are trademarks of their respective owners.

August 2021

Intellectual Property Notice

This software contains the intellectual property of RSA or is licensed to RSA from third parties. Use of this software and the intellectual property contained therein is expressly limited to the terms and conditions of the License Agreement under which it is provided by or on behalf of RSA.

Open Source License

This product may be distributed with open source code, licensed to you in accordance with the applicable open source license. If you would like a copy of any such source code, RSA or its affiliates will provide a copy of the source code that is required to be made available in accordance with the applicable open source license. RSA or its affiliates may charge reasonable shipping and handling charges for such distribution. Please direct requests in writing to RSA Legal, 174 Middlesex Turnpike, Bedford, MA 01730, ATTN: Open Source Program Office.

System Data Collection and Usage Policy

In certain circumstances, RSA collects data from customer installations of RSA products for purposes including but not limited to accurate billing of product usage and to maintain and improve RSA products. For details see "RSA’s right to collect System Data" in Product Usage Rights: https://www.rsa.com/content/dam/en/terms/units-of-measure.pdf.