Configuring IBM MFA for RSA SecurID RADIUS

You must configure IBM® MFA for RSA SecurID RADIUS if you want to use the Remote Authentication Dial-In User Service (RADIUS) protocol for SecurID. IBM MFA supports Password Authentication Protocol (PAP) only.

You can use RSA SecurID RADIUS with RSA Authentication Manager to authenticate users. The RSA RADIUS server receives remote user access requests from the RADIUS client, in this case IBM MFA. RSA Authentication Manager determines whether the user's credentials are valid and, if so, returns success to IBM MFA. RACF® then resumes control and completes the authentication and authorization process as usual.

Note: From the user's perspective, there is no difference between being authenticated by the AZFSIDR1 factor and the ASZSIDP1 factor. In both cases they enter their user ID, RSA SecurID token, and PIN.

Choosing between RSA SecurID RADIUS and generic RADIUS

If you are using SecurID, you should choose RSA SecurID RADIUS (AZFSIDR1) instead of generic RADIUS (AZFRADP1). RSA SecurID RADIUS (AZFSIDR1) provides substantially more useful feedback for both successful and unsuccessful authentications. Generic RADIUS (AZFRADP1) returns a simple allowed/denied response.

RSA SecurID RADIUS configuration requirements

Before you configure IBM MFA for RSA SecurID RADIUS, refer to the configuration roadmap in IBM MFA configuration roadmap.