We have successfully had RSA SecurID set up as an authentication method using the UAG. We now plan to change that to Radius as we are implementing RSA's cloud connect product. Not knowing that we couldn't have both options in use, we set up the Radius settings. After reading up some more we realized you can only use one or the other option. So we attempted to disable the SecurID option. When I disable and click save I get the following: Please enable the authentication method
I can't disable either option and save the settings. Authentication is still working fine with the SecurID option. I suppose I have to deploy another instance of the UAG and set things up again?
Thanks.
Chris_Nodak - If you've added the RADIUS config (under "Authentication Settings") on UAG you should be able to select that in the Horizon Settings (under "Edge Service Settings") in "Auth Methods". Set it to radius-auth & sp-auth instead of (securid-auth & sp-auth). It is the Horizon Edge Service Settings that determines what authentication will actually be used for Horizon clients.
From what I've seen once a authentication method is configured it can't be unconfigured. However, you can have multiple authentication methods configured with AND or OR operators. It just comes down to what is enabled under the edge settings which can be multiples (You could have securid-auth & radius-auth or securid-auth OR radius-atuh). One of the examples given on the UAG is having securid-auth OR radius-auth configured where one or the other will be enforced.
Edit: I did some additional digging and starting with UAG 3.4 there is a note that is not present with prior versions. markbenson is this a known issue in 3.4, change in 3.4 or did this not actually work in the past?
Configuring Authentication in DMZ
Note:
Only one of the two factor user authentication methods can be specified for an Edge Service. This can be Certificate/Smart Card authentication, RADIUS authentication, or RSA Adaptive Authentication.
Chris_Nodak - If you've added the RADIUS config (under "Authentication Settings") on UAG you should be able to select that in the Horizon Settings (under "Edge Service Settings") in "Auth Methods". Set it to radius-auth & sp-auth instead of (securid-auth & sp-auth). It is the Horizon Edge Service Settings that determines what authentication will actually be used for Horizon clients.
BenFB Thanks for the reply. I did find that in the Edge settings. And that note you found is what I was referring to about running both options. After some initial testing, I couldn't get it to work, but I expect that's a configuration issue on our end with the identity router, I'll follow up with RSA on that piece.
markbenson Yes, thank you. I forgot about that field. Will do some additional testing. Thanks!
This seems mad that you cant change authentication settings either, I can't even clear node secret and press save without ' choose authentication method errors''
Has anyone else got round this?
( RSA SecurID)