Configuring the generic RADIUS authentication method

You must configure the generic RADIUS settings to use this authentication method.

Before you begin

The generic RADIUS authentication method requires network access to a correctly functioning RADIUS server. You must have already configured communication between the RADIUS server and the AIX® system that is running the IBM® PowerSC MFA server, created accounts for the users in the RADIUS server, and assigned tokens to those users. For more information, see your RADIUS server documentation.

About this task

Note: If you are using the SafeNet RADIUS server, as a general rule use the SafeNet RADIUS authentication method instead of the generic one, as described in Configuring the SafeNet RADIUS authentication method.

To configure the generic RADIUS authentication method, complete the following steps:

Procedure

  1. In the IBM PowerSC MFA GUI, click the Authentication Methods tab.
  2. Select the generic RADIUS method.
  3. Use the following table to specify the generic RADIUS authentication method:
    Table 1. Generic RADIUS authentication method attributes

    Initial Trace Level
      Allowed values: 0 through 3
      Description: The initial trace level. Higher values produce more verbose tracing. The default value is 0.

    RADIUS Primary Server
      Allowed values: Valid host name or IP address
      Description: The host name or IP address of the primary RADIUS server. A host name must be qualified well enough to be resolved from the system that runs the IBM PowerSC MFA server. This attribute must be set.

    RADIUS Primary Server Port
      Allowed values: Valid port number
      Description: The port number of the primary RADIUS server. The default value is 1812.

    RADIUS Secondary Server
      Allowed values: Valid host name or IP address
      Description: The host name or IP address of the secondary RADIUS server, if applicable. Required only if you use more than one RADIUS server. A host name must be qualified well enough to be resolved from the system that runs the IBM PowerSC MFA server.

    RADIUS Secondary Server Port
      Allowed values: Valid port number
      Description: The port number of the secondary RADIUS server, if applicable. Required only if you use more than one RADIUS server.

    RADIUS Tertiary Server
      Allowed values: Valid host name or IP address
      Description: The host name or IP address of the tertiary RADIUS server, if applicable. Required only if you use more than one RADIUS server. A host name must be qualified well enough to be resolved from the system that runs the IBM PowerSC MFA server.

    RADIUS Tertiary Server Port
      Allowed values: Valid port number
      Description: The port number of the tertiary RADIUS server, if applicable. Required only if you use more than one RADIUS server.

    RADIUS Shared Secret
      Allowed values: The actual shared secret
      Description: The shared secret (a case-sensitive password) that the RADIUS server uses to recognize the IBM PowerSC MFA RADIUS client. The client uses the same shared secret when it communicates with the primary server and with the secondary and tertiary (replica) servers, so the same value must be configured for this client on every one of those servers.

    Disable Message-Authenticator
      Allowed values: On or Off
      Description: When set to On, the RADIUS client does not send the Message-Authenticator attribute in requests and does not expect to receive it in responses.

      When set to Off, the RADIUS client sends the Message-Authenticator attribute as the first attribute in the attribute list of every request. The client also validates the Message-Authenticator attribute in every response, where it must also be the first attribute in the list; a response that lacks the attribute fails validation.

      Contact your RADIUS server provider to find out whether the server is patched for CVE-2024-3596 (the RADIUS response-forgery attack that the Message-Authenticator attribute mitigates):
      • If the RADIUS server is patched for CVE-2024-3596, set Disable Message-Authenticator to Off.
      • If the RADIUS server is not patched for CVE-2024-3596, set Disable Message-Authenticator to On. Treat this as a temporary measure until the server is patched, because it removes the integrity protection on the exchange.
      Important: The default is Off, which means that Message-Authenticator is enabled. With the default setting, unpatched RADIUS servers that worked with previous releases stop working until they are patched.

    Receive Timeout
      Allowed values: Integer, from 1 through 30 (seconds)
      Description: The number of seconds that IBM PowerSC MFA waits for a response from a RADIUS server before the request is considered timed out. The default value is 10 seconds.

    Retry Count
      Allowed values: Integer, from 1 through 15
      Description: The total number of retries that IBM PowerSC MFA attempts across all configured RADIUS servers (not per server).
  4. Click Save.
  5. Restart the IBM PowerSC MFA daemon, as described in Restarting the IBM PowerSC MFA server.
  6. Ensure that the RADIUS server accepts communication from the system that is running the IBM PowerSC MFA server. See your RADIUS documentation for configuration information.
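The Message-Authenticator behaviour that the Disable Message-Authenticator setting controls, worked through as an added example (this is neither IBM PowerSC MFA code nor code taken from this page): a Python model of the RADIUS client and a simulated RADIUS server exchanging an Access-Request and an Access-Accept in memory. The shared secret, user name, password, packet identifier and the simulated server's behaviour are all assumptions; a real exchange goes over UDP to the configured server and port. The block shows the attribute computed as HMAC-MD5 over the packet with its own value zeroed and placed first in the attribute list, the client rejecting a response from an unpatched server that omits the attribute (the case the Important note describes), and the same response being accepted when the setting is On.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 18, 80
ZERO_MA = bytes(16)

def attr(atype, value):  # one Type-Length-Value attribute
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(data):
    """Split a raw attribute list into (type, value) pairs; reject truncated ones."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def packet(code, ident, authenticator, attrs):  # header + 16-byte authenticator + attributes
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def pap_password(secret, request_auth, password):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with chained MD5(secret + previous block)."""
    pw = password.encode()
    pw += bytes(-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def message_authenticator(secret, code, ident, request_auth, rest_attrs):
    """HMAC-MD5 over the packet with Message-Authenticator FIRST and its value zeroed."""
    zeroed = packet(code, ident, request_auth, [attr(MESSAGE_AUTHENTICATOR, ZERO_MA)] + rest_attrs)
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def build_access_request(secret, ident, user, password, disable_message_authenticator=False):
    """Client side: returns (packet, request_authenticator)."""
    ra = os.urandom(16)
    attrs = [attr(USER_NAME, user.encode()), attr(USER_PASSWORD, pap_password(secret, ra, password))]
    if not disable_message_authenticator:  # setting Off: sign and put the attribute first
        attrs = [attr(MESSAGE_AUTHENTICATOR, message_authenticator(secret, ACCESS_REQUEST, ident, ra, attrs))] + attrs
    return packet(ACCESS_REQUEST, ident, ra, attrs), ra

def verify_request(secret, request):
    """Simulated server: if the client sent Message-Authenticator, it must be first and correct."""
    attrs = parse_attrs(request[20:])
    if not any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs):
        return True  # this simulated server does not require the attribute (assumption)
    if attrs[0][0] != MESSAGE_AUTHENTICATOR or len(attrs[0][1]) != 16:
        return False
    expected = message_authenticator(secret, request[0], request[1], request[4:20], [request[38:]])
    return hmac.compare_digest(expected, attrs[0][1])

def build_response(secret, code, ident, request_auth, attrs, patched=True):
    """Simulated server reply: a patched server adds Message-Authenticator first, an unpatched one omits it."""
    if patched:
        attrs = [attr(MESSAGE_AUTHENTICATOR, message_authenticator(secret, code, ident, request_auth, attrs))] + attrs
    unsigned = packet(code, ident, request_auth, attrs)
    response_auth = hashlib.md5(unsigned + secret).digest()  # RFC 2865 Response Authenticator
    return unsigned[:4] + response_auth + unsigned[20:]

def validate_response(secret, response, ident, request_auth, disable_message_authenticator=False):
    """Client side: returns (accepted, reason)."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return False, "identifier or length mismatch"
    attrs_raw = response[20:]
    if hashlib.md5(response[:4] + request_auth + attrs_raw + secret).digest() != response[4:20]:
        return False, "bad Response Authenticator"
    if disable_message_authenticator:  # setting On: no Message-Authenticator expected
        return True, "accepted without Message-Authenticator check"
    attrs = parse_attrs(attrs_raw)
    if not attrs or attrs[0][0] != MESSAGE_AUTHENTICATOR or len(attrs[0][1]) != 16:
        return False, "Message-Authenticator missing or not first"
    expected = message_authenticator(secret, code, rid, request_auth, [attrs_raw[18:]])
    if not hmac.compare_digest(expected, attrs[0][1]):
        return False, "bad Message-Authenticator"
    return True, "accepted"

def simulate(secret, server_patched, disable_message_authenticator):
    """One in-memory round trip: client request -> simulated server -> client validation."""
    ident = 7  # assumed packet identifier
    req, ra = build_access_request(secret, ident, "alice", "correct-horse", disable_message_authenticator)
    if server_patched and not verify_request(secret, req):
        return False, "server rejected request"
    resp = build_response(secret, ACCESS_ACCEPT, ident, ra, [attr(REPLY_MESSAGE, b"Welcome")], server_patched)
    return validate_response(secret, resp, ident, ra, disable_message_authenticator)

if __name__ == "__main__":
    secret = b"example-shared-secret"  # assumed; must match the server's entry for this client
    for patched in (True, False):
        for disable in (False, True):
            print(f"server patched={patched}, Disable Message-Authenticator={'On' if disable else 'Off'}:",
                  simulate(secret, patched, disable))
```

Running the block prints the four combinations: a patched server is accepted with either setting, an unpatched server is accepted only with the setting On, and with the default Off its reply fails with "Message-Authenticator missing or not first", which is the symptom the Important note describes. The HMAC is recomputed over the response with the Request Authenticator substituted into the authenticator field, which is what ties the reply to the specific request and defeats the forged-response attack.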