Questions about Radius client job MAABURAD

Article ID: 125270

Updated On:

Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction

Questions about the MAABURAD job

When transitioning from direct RSA SecurID multi-factor authentication to Radius client authentication, some questions arise about the MAABURAD job:
1) What actual value is origName? Is it the SYSNAME from IEASYSxx, the hardware name for the LPAR, the full DNS-resolved TCP/IP name, or something else?
2) Is the shared secret supposed to be in the quotes "", or should the quotes be removed?
3) Are there any considerations for transitioning from direct RSA API calls to Radius client calls?

Environment

z/OS

Resolution

1) What actual value is origName? Is it the SYSNAME from IEASYSxx, the hardware name for the LPAR, the full DNS-resolved TCP/IP name, or something else?
1A) The DNS (Domain Name System) name of the z/OS LPAR that users log on to (and where MFASTC is running).

2) Is the shared secret supposed to be in the quotes "", or should the quotes be removed?
2A) Yes, in quotes.

3) Are there any considerations for transitioning from direct RSA API calls to Radius client calls?
3A) Yes, the factor name would be RADIUS_RSA.

In addition to running MAABURAD to define the Radius server to TSS, make sure the following are also true:
1. Radius is activated via the TSS control option: TSS MODI MFA(RADIUS(FACILITY))
2. Users who will use Radius RSA have the MFA segment added to their ACID record: TSS ADD(acid) MFACTIVE(RADIUS_RSA) MFADATA(RADIUSNAME:radius_user_id) MFACTIVE(FACILITY)
3. Users are permitted to CASECMFA(TSSMFA.RAD.facility) ACCESS(USE)

Note: If MFA Radius is not activated via TSS FACILITY, e.g. when using either MFA(RADIUS(YES)) or MFACTIVE(YES) on the MFA segment, then there is no need for the CASECMFA permit.