Configure RSA SecurID RADIUS

You must configure the IBM® MFA AZFSIDR1 settings if you want to use RSA SecurID RADIUS.

Before you begin

You must have already performed the following tasks:
  • Configured a PKCS#11 token as described in Configuring a PKCS#11 token before you configure IBM MFA for RSA SecurID RADIUS. The AZFSIDR1 authentication factor uses the PKCS#11 token to encrypt the shared secret before it is stored in RACF®, and to generate random authenticators for use inside the RADIUS packet.
  • Configured the RSA SecurID RADIUS server to accept communications from each z/OS system or LPAR that is running the IBM MFA services started task. The network administrator may configure a RADIUS client with or without an RSA Authentication Agent for each z/OS system or LPAR that is running the IBM MFA services started task.

About this task

Configuration data for RSA SecurID RADIUS is stored in the RACF database. The configuration data include settings related to the AZFSIDR1 authentication load module.

Procedure

  1. Execute AZFEXEC and choose AZFSIDR1.
  2. Provide the following:
    Table 1. AZFSIDR1 Factor Attributes

    PKCS#11 Token Name
      Allowed values: Actual PKCS#11 token name
      Description: Enter the name of the PKCS#11 token to be used for cryptographic operations. You created this token in Configuring a PKCS#11 token.
    Key Label
      Allowed values: Actual PKCS#11 key label
      Description: The PKCS#11 key label has a limit of 32 characters. The key label you specify is used if it already exists and is created if it does not exist.
    Primary Server Host Name
      Allowed values: Valid host name or IP address
      Description: Enter the fully qualified host name or IP address of the primary RSA SecurID RADIUS server. Must be set.
    Primary Server Port
      Allowed values: Valid port number
      Description: The port number of the primary RSA SecurID RADIUS server. Must be set. The default is 1812.
    Secondary Server Host Name
      Allowed values: Valid host name or IP address
      Description: Enter the fully qualified host name or IP address of the secondary RSA SecurID RADIUS server, if applicable.
    Secondary Server Port
      Allowed values: Valid port number
      Description: The port number of the secondary RSA SecurID RADIUS server, if applicable.
    Tertiary Server Host Name
      Allowed values: Valid host name or IP address
      Description: Enter the fully qualified host name or IP address of the tertiary RSA SecurID RADIUS server, if applicable.
    Tertiary Server Port
      Allowed values: Valid port number
      Description: The port number of the tertiary RSA SecurID RADIUS server, if applicable.
    Number of Retries
      Allowed values: Integer, from 1 through 15
      Description: The number of times IBM MFA attempts to contact the RSA Authentication Server should the connection become inactive.
    Timeout
      Allowed values: Number of seconds, from 1 through 180
      Description: The amount of time the connection between IBM MFA and the RADIUS server can remain inactive before the session is timed out.
    Shared Secret
      Allowed values: Actual shared secret
      Description: The shared secret (case-sensitive password) that the RSA RADIUS server uses to recognize the IBM MFA RADIUS client. The RADIUS client uses the same shared secret when communicating with the RADIUS primary server or RADIUS replica servers.
      Important: The shared secret must be the same for all LPARs in a sysplex. Consult your RADIUS documentation for configuration information.
      Note: The shared secret is not displayed on the panel after you enter it.
      Note: When translating EBCDIC into ASCII to send to an external server, the translation is performed using host code page IBM-1047 and server code page ISO-8859-1. This may have implications if you are using other code pages when specifying the host data.
    Initial Trace Level
      Allowed values: 0 through 3
      Description: Choose the initial trace level. Valid values are 0 through 3, where a higher number increases the level of verbosity. The default is 0.
  3. See Configure IBM MFA Compound In-Band for information about configuring IBM MFA Compound In-Band.
  4. Press F3 to save your changes and exit.
  5. Verify that the RSA SecurID RADIUS server accepts communications from each z/OS system or LPAR that is running the IBM MFA services started task.
If you change the PKCS#11 token name or key label values, you must re-enter the shared secret value.
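The following is an added illustration, not part of the IBM documentation or the AZFSIDR1 module: a minimal RFC 2865 Access-Request/Access-Accept exchange showing what the Shared Secret and the random request authenticator described above do on the wire, and why a reply from a server configured with a different secret fails verification. The secret, user ID and passcode are constructed values.

```python
# Added illustration (not from the IBM documentation): a minimal RFC 2865
# exchange showing the role of the AZFSIDR1 "Shared Secret" and the random
# request authenticator. Secret, user and passcode below are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

def attr(atype, value):
    # Attribute = Type, Length (including these 2 header bytes), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(secret, req_auth, pw):
    # RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    # MD5(secret + previous block), the first "previous block" being the authenticator
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def build_access_request(secret, ident, user, passcode):
    # 16 random bytes per request; the page says AZFSIDR1 draws these from the PKCS#11 token
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user.encode("latin-1"))
    attrs += attr(USER_PASSWORD, hide_password(secret, req_auth, passcode.encode("latin-1")))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def build_response(secret, request, code, attrs=b""):
    # Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(secret, req_auth, response):
    # Client side: the reply verifies only if the server used the same shared secret
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt, ra = build_access_request(secret, 1, "IBMUSER", "12345678")
    reply = build_response(secret, pkt, ACCESS_ACCEPT)
    print("same secret verifies:", verify_response(secret, ra, reply))
    print("other secret verifies:", verify_response(b"other-secret", ra, reply))
```

A client that cannot verify a reply must treat it as no reply at all, which is what the Number of Retries and Timeout settings then govern.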