Top Secret

  • 1.  TSS MFA Radius Server ?

    Posted Feb 06, 2018 10:19 AM

    Documentation for TSS Advanced Authentication Mainframe feature support for Radius server shows two forms of authentication, RADIUS RSA and RADIUS DEFENDER, but doesn't elaborate on what the two are. What's the difference between the two and why would you use one over the other?



  • 2.  Re: TSS MFA Radius Server ?

    Broadcom Employee
    Posted Feb 06, 2018 12:06 PM

    Hi,

    Along with RADIUS factors RADIUS RSA and RADIUS DEFENDER, we recently added additional factors for RADIUS:

    RADIUS_SAFENET, RADIUS_GENERIC, and RADIUS_OTP.

     

    These factor names correlate to the RADIUS server you are using to perform your RADIUS logon authentications. 

    For example: If your RADIUS server is SafeNet, then you would use RADIUS_SAFENET.

     

    The most important part in the MFA RADIUS configuration is matching the RADIUS factor name supplied in the MAABURAD JCL (this job defines the RADIUS server to Top Secret), to the factor name used in setting up the users.

     

    For example: TSS ADD(acid) MFACTOR(RADIUS_SAFENET) MFADATA(RADIUSNAME:radius user ID) MFACTIVE(YES)

     

    Hope this helps.

    Paul Kot

    Top Secret development



  • 3.  Re: TSS MFA Radius Server ?

    Posted Feb 06, 2018 12:56 PM

    Which PTF added the new factors?  We use Symantec VIP for other 2 factor applications here.  I assume that would be RADIUS_GENERIC?



  • 4.  Re: TSS MFA Radius Server ?
    Best Answer

    Broadcom Employee
    Posted Feb 06, 2018 01:27 PM

    That is correct. In your case, you would use RADIUS_GENERIC.

     

    The PTF that introduced RADIUS support was RO98716. The PTF in question is SO00132. A recent PTF for RADIUS MFADATA (tag data) correction is SO00250. With all three of these APARS applied --- you are good to go for the Top Secret side. 

     

    In addition to Top Secret maintenance, any MFA authentication service requires either: CA Advanced Authentication for Mainframe (AAM) installed and configured; or IBM's Multi-factor Authentication (MFA). 

     

    If you are using CA's AAM, the PTFs required are: RO97949.

    If IBM MFA: SO00132 (TSS PTF) 

     

    Warm regards,

    Paul



  • 5.  Re: TSS MFA Radius Server ?

    Posted Mar 09, 2018 06:11 AM

    Hi,

     

    Is it also the same (RADIUS_GENERIC) for Vasco (OTP) ?

     

    Thank you,

     

    Erdem.



  • 6.  Re: TSS MFA Radius Server ?

    Broadcom Employee
    Posted Mar 09, 2018 10:45 AM

    Hi Erdem,

    For Vasco (OTP), you could use RADIUS_OTP as the factor name. However, although Top Secret recognizes these RADIUS factor names, the CA-Advanced Authentication for Mainframe (CA-AAM) doesn't at this time. 

    An update to CA-AAM is forthcoming to recognize RADIUS factors such as: RADIUS_GENERIC, RADIUS_SAFENET, and RADIUS_OTP. 

    The good news though, you can use the factor name of RADIUS_RSA to accomplish the same goal of supporting OTP, Safe Net, VIP, etc. Please read my comments above for more details on the factor name processing under Top Secret.

     

    Warm regards,

    Paul Kot

    Top Secret development 



  • 7.  Re: TSS MFA Radius Server ?

    Posted Mar 13, 2018 04:23 AM

    Hi Paul,

     

    Thanks for your explanation. Is there any release date for the new function for CA AAM, so that we can use RADIUS_GENERIC or RADIUS_OTP?

     

    Kind regards,

     

    Erdem.



  • 8.  Re: TSS MFA Radius Server ?

    Broadcom Employee
    Posted Mar 14, 2018 02:35 PM

    Hi Erdem,

    No ETA as yet. But planning for next PI is coming up shortly, and this AAM update does reside in the story backlog. Hoping we can get this done very soon.

     

    Warm regards,

    Paul



  • 9.  Re: TSS MFA Radius Server ?

    Broadcom Employee
    Posted May 11, 2018 03:47 PM

    Hi Erdem,

     

    Good news! Solutions have been written and published to provide support for the newest RADIUS factors:

    RADIUS_GENERIC, RADIUS_OTP, RADIUS_SAFENET, and RADIUS_PASSWORD (which allows for the TSS password to be a 1st-factor credential instead of a PIN).

     

    AAM APAR: SO01592

    TSS APARS: SO01198 and SO01630

     

    Warm regards,

    Paul Kot

    Top Secret Development.