3.62. <AuthBy RSAAM> Previous topic Parent topic Child topic Next topic

This module provides authentication via RSA Authentication Manager AM 7.1 and later. AM 7.1 provides more features than the ACE server and RSA Mobile servers it replaces. <AuthBy RSAAM> supports more features than either <AuthBy ACE> or <AuthBy RSAMOBILE>. Therefore <AuthBy RSAAM> may be your preferred module for use with AM 7.1 or later.
AM 7.1 supports traditional SecurID two-factor token cards, as well as static passwords. It also supports OnDemand tokencodes, where a random tokencode is sent to the user via email or SMS. It also supports authentication through a series of user-configurable security questions. All these authentication methods are supported by AuthBy RSAAM.
AuthBy RSAAM can authenticate the following protocols against AM. Note that CHAP, MSCHAPV1, MSCHAPV2 and EAP-MSCHAPV2 cannot be authenticated against AM.
  • PAP
  • TTLS-PAP
  • EAP-GTC
  • EAP-OTP
  • PEAP-GTC
AuthBy RSAAM works on all platforms supported by Radiator, including Windows, Linux, Solaris, Unix etc. AuthBy RSAAM connects the AM server by SSL and SOAP, and therefore required the following Perl modules from CPAN:
  • SOAP::Lite and its prerequisites
  • Either Crypt::SSLeay or IO::Socket::SSL
  • Net::SSLeay
For more information, see Section 2.1.2. CPAN.
Tip
Sample configuration files are provided in the goodies directory of your distribution in rsaam.cfg and eap_peap_gtc_rsaam.cfg.
Tip
RSA AM is not able to specify the preferred authentication policy to use for each user. Therefore, if you need to use different authentication policies for different groups of user, you will need an <AuthBy RSAAM> clause for each policy, and then direct requests to the appropriate clause using one of the many methods supported by Radiator.
Tip
AuthBy RSAAM returns IGNORE if it unable to communicate with its configured AM server. This means you can chain several AuthBy RSAAM clauses together using AuthByPolicy ContinueWhileIgnore to implement failover from one AM server to another in the event of AM server unavailability.
Tip
In some circumstances, The Radiator connection to RSA AM may fail with an error message in the RSA Weblogic server like:
Received fatal alert: bad_record_mac at sun.reflect.NativeConstructorAccessorImpl.
newInstance0
This can be fixed by adding these lines to the weblogic server start file:
  • Dhttps.protocols=SSLv3,TLSv1
  • Dsun.security.ssl.allowLegacyHelloMessages=true
  • Dsun.security.ssl.allowUnsafeRenegotiation=true

Configuring Authentication Manager for AuthBy RSAAM

In order to configure Authentication Manager to work with AuthBy RSAAM:
  1. Install RSA AM 7.1 on your platform of choice, or Install 8.0 virtual appliance
  2. Install Radiator on your platform of choice. It may be the same as the AM 7.1 host, or a different one in case of AM 8.0.
  3. Install SOAP::Lite and its prerequisites on the Radiator host.
  4. Starting with one of the sample RSAAM configuration files, configure Radiator.
  5. Get the user name and password required for AuthBy RSAAM to connect to AM. These commands will print out the user name and password that AM automatically generates during installation.
    Do this on AM7.1 or earlier:
    cd "C:\Program Files\RSA Security\RSA Authentication Manager\Utils rsautil 
          manage-secrets -m <MASTERPWD> -a list
    Do this on AM 8.0:
    cd /opt/rsa/am/utils
    ./rsautil manage-secrets --action list
    This will print out the user name and password required for Radiator to connect to AM 7.1 or 8.0. Enter the user name and password as SessionUsername and Session- Password in your Radiator configuration file.
  6. Select which authentication method you will use to authenticate all your users. Set Policy in your Radiator configuration file.
  7. Set Host in your Radiator configuration file to the FQDN (fully qualified domain name) and port number of your AM host. For example
    Host boodgie.open.com.au:7002
  8. Add and configure a test user to AM. If required allocate a token to the user.
  9. Start Radiator and test with a command like:
    radpwtst -noacct -user username -password password -interactive -timeout 60