Configuring the IBM MFA for RSA SecurID RADIUS authentication method

You must configure the IBM® MFA for RSA SecurID RADIUS settings to use this authentication method.

Before you begin

The IBM MFA for RSA SecurID RADIUS authentication method requires network access to a RADIUS server configuration that is functioning properly. You must have already configured communication between the RADIUS server and the system that is running the IBM MFA server, created accounts for the users in the RADIUS server, and assigned tokens. For more information, see your RADIUS server documentation.

About this task

To configure the IBM MFA for RSA SecurID RADIUS authentication method, complete the following steps:

Procedure

  1. In the IBM MFA GUI, click the Authentication Methods tab.
  2. Select the RSA SecurID RADIUS method.
  3. Use the following table to specify the RSA SecurID RADIUS authentication method:
    Table 1. RSA SecurID RADIUS Authentication Method Attributes

    | Setting | Allowed Values | Description |
    |---|---|---|
    | Trace Level | 0 through 3 | Choose the initial trace level. Valid values are 0 through 3, where the higher value indicates a higher level of verbosity. The default value is 0. |
    | RADIUS Primary Server | Valid host name or IP address | Enter the host name or IP address for the primary RADIUS server. The host name must be sufficiently qualified for web clients to resolve the host name. This attribute must be set. |
    | RADIUS Primary Server Port | Valid port number | The port number of the primary RADIUS server. The default value is 1812. |
    | RADIUS Secondary Server | Valid host name or IP address | Enter the host name or IP address for the secondary RADIUS server, if applicable. This value is required only if you have multiple servers. The host name must be sufficiently qualified for web clients to resolve the host name. |
    | RADIUS Secondary Server Port | Valid port number | The port number of the secondary RADIUS server, if applicable. This value is required only if you have multiple servers. |
    | RADIUS Tertiary Server | Valid host name or IP address | Enter the host name or IP address for the tertiary RADIUS server, if applicable. This value is required only if you have multiple servers. The host name must be sufficiently qualified for web clients to resolve the host name. |
    | RADIUS Tertiary Server Port | Valid port number | The port number of the tertiary RADIUS server, if applicable. This value is required only if you have multiple servers. |
    | RADIUS Shared Secret | Actual shared secret | The shared secret (case-sensitive password) that is used by the RADIUS server to recognize the IBM MFA RADIUS client. The RADIUS client uses the same shared secret while communicating with the RADIUS primary server or RADIUS replica servers. |
    | Receive Timeout | Number of seconds, from 1 through 30 | The time duration for which the connection between IBM MFA and the RADIUS server can remain inactive before the session is timed out. The default value is 10 seconds. |
    | Retry Count | Integer, from 1 through 15 | The number of times IBM MFA attempts to contact the RADIUS server if the connection becomes inactive. |
    | PKCS#11 Key Label | Actual PKCS#11 key label | The name of the Key Label that is used to encrypt the shared secret. The PKCS#11 key label has a limit of 32 characters. Note: If you change the PKCS#11 key label, you must also re-enter the existing shared secret. |
  4. Click Save.
  5. Restart the IBM MFA daemon, as described in Restarting the IBM MFA server.
  6. Ensure that the RADIUS server accepts communication from the system that is running the IBM MFA server. See your RADIUS documentation for configuration information.
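
As an added example (not part of the IBM documentation and not IBM MFA code), the following Python probe is one way to check step 6 from the IBM MFA host: it sends a RADIUS Access-Request to each configured server in order, using the Receive Timeout and Retry Count values, and accepts a reply only if its Response Authenticator verifies against the shared secret. The function names, the IPv4 UDP transport, and the inclusion of a Message-Authenticator attribute are assumptions of this example; any authentic reply, including an Access-Reject for a test account, shows that the server recognizes this client and that both sides hold the same shared secret.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: XOR 16-byte blocks with a chained MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def build_access_request(ident, user, passcode, secret, req_auth):
    """Access-Request (code 1) with User-Name, User-Password, Message-Authenticator."""
    rest = attr(1, user) + attr(2, hide_password(passcode, secret, req_auth))
    head = struct.pack("!BBH", 1, ident, 20 + 18 + len(rest)) + req_auth
    # Message-Authenticator (type 80): HMAC-MD5 over the packet with the field zeroed
    mac = hmac.new(secret, head + attr(80, b"\x00" * 16) + rest, hashlib.md5).digest()
    return head + attr(80, mac) + rest

def reply_is_authentic(reply, secret, req_auth, ident):
    """Verify Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    if len(reply) < 20 or reply[1] != ident:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return False
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(servers, secret, user, passcode, timeout=10, retries=3):
    """servers: [(host, port), ...] in primary, secondary, tertiary order.
    Returns (host, port, reply_code) for the first authentic reply, else None.
    Reply codes: 2 Access-Accept, 3 Access-Reject, 11 Access-Challenge."""
    for host, port in servers:
        for _ in range(retries):
            ident, req_auth = os.urandom(1)[0], os.urandom(16)
            pkt = build_access_request(ident, user, passcode, secret, req_auth)
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                try:
                    s.sendto(pkt, (host, port))
                    reply, _ = s.recvfrom(4096)
                except OSError:  # timeout, unreachable host, or name resolution failure
                    continue
            if reply_is_authentic(reply, secret, req_auth, ident):
                return host, port, reply[0]
    return None
```

A result of `None` for a server that is reachable on the network usually means the RADIUS server does not list this host as a client or the shared secrets differ, because replies that fail verification are discarded.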