This article explains how to create a RADIUS monitoring account that attempts to log into the RADIUS server.
On the RSA Authentication Manager server
Log in to the Security Console of your primary server.
Create a new user (Identity > Users > Add New), being sure to add all required information. When done, click Save.
Using the Search Criteria options on the left, search for the new user.
Click on the context arrow next to the user ID and choose Authentication Settings.
Check the option to Allow authentication with a fixed passcode.
Enter and confirm the fixed passcode. For example, 87654321.
Click Save when done.
Be sure to log in to the Self-Service Console at least once with the new user ID and fixed passcode, because you will be asked to change the fixed passcode.
When prompted, change the fixed passcode to something else (for example, 12345678).
Use the newly updated fixed passcode with the monitoring account.
There is no need to assign a token to your monitoring user as long as you are using a fixed passcode. You don’t want to waste a token on a user just for monitoring.
On the Citrix NetScaler
In the NetScaler Configuration Utility, on the left under Traffic Management > Load Balancing, click Monitors. On the right, click Add.
Provide a name for the monitor.
Change the Type listed in the drop-down to RADIUS.
On the Standard Parameters tab, you might have to increase the Response Time-out to 4.
On the Special Parameters tab, enter valid RADIUS credentials:
In the User Name field, type the user ID of the user created in the Security Console.
In the Password field, enter the fixed passcode which was set in the Self-Service Console.
In the Radius Key field, enter the shared secret configured on the RSA Authentication Manager server and the Citrix NetScaler.
On the left, expand Traffic Management, expand Load Balancing, and click Service Groups, then choose the service group created for RSA RADIUS.
On the right, in the Advanced Settings column, click Monitors, and in the Monitors section, click No Service Group to Monitor Binding.
Click the arrow next to Click to select and select your new RADIUS monitor. Click Select, then click Bind.
To verify that RADIUS monitoring is working correctly
After binding, verify that the member is up by clicking Service Group Members and then Monitor Details. It should say RADIUS response code 2 or 3 was received. Click OK, then Done.
From the Security Console, add a new report using the Authentication Activity template, or use the real-time authentication activity report (Reporting > Real-time Activity Monitors > Authentication Activity Monitor > Start Monitor). With either option, you should see successful login attempts from the RADIUS monitoring account.
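To make the Monitor Details message concrete, the following added example (not part of the original article and not Citrix or RSA code) builds the kind of RADIUS Access-Request such a probe sends, per RFC 2865, and classifies the reply, treating an authentic code 2 (Access-Accept) or 3 (Access-Reject) as a healthy server. The user ID radmon, the shared secret and the server reply are constructed so the code runs offline; 12345678 is the article's example passcode.

```python
import hashlib, hmac, os, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR the zero-padded password with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, password, secret, ident, req_auth) -> bytes:
    attrs = bytes([1, 2 + len(user)]) + user            # User-Name (type 1)
    hidden = hide_password(password, secret, req_auth)
    attrs += bytes([2, 2 + len(hidden)]) + hidden       # User-Password (type 2)
    # Code 1 = Access-Request; length covers the 20-byte header plus attributes
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def check_response(resp: bytes, secret: bytes, ident: int, req_auth: bytes) -> str:
    """Return 'UP' only for an authentic reply with code 2 or 3."""
    if len(resp) < 20:
        return "DOWN: short packet"
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp):
        return "DOWN: malformed or mismatched reply"
    # Response Authenticator = MD5(code+id+length + RequestAuth + attrs + secret)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return "DOWN: bad response authenticator (shared secret mismatch?)"
    return f"UP: code {code}" if code in (2, 3) else f"DOWN: unexpected code {code}"

def fake_reply(code: int, ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Constructed server reply with no attributes, so the example runs offline."""
    hdr = struct.pack("!BBH", code, ident, 20)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()

if __name__ == "__main__":
    secret, ra = b"constructed-secret", os.urandom(16)  # placeholder values
    req = build_access_request(b"radmon", b"12345678", secret, 7, ra)
    print(len(req), "byte request;", check_response(fake_reply(2, 7, ra, secret), secret, 7, ra))
    print(check_response(fake_reply(3, 7, ra, b"other-secret"), secret, 7, ra))
```

A reply signed with a different shared secret fails the authenticator check, which is why a mismatch between the Radius Key and the secret on the RADIUS server shows up as a down member rather than as a code 3.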