Questions about Radius client job MAABURAD

Document ID : KB000125270
Last Modified Date : 06/03/2019
Show Technical Document Details
Introduction:
questions about the MAABURAD job
Question:
We are transitioning from direct RSA SecurID Multi-factor to Radius Client Authentication and have questions about the MAABURAD job.
1) What actual value is origName? the SYSNAME from IEASYSxx, the hardware name for the LPAR, the full DNS resolved tcpip name, or something else?
2) Is the shared secret supposed to be in the quotes "" or should the quotes be removed?
3) Are the any considerations for transitioning from direct RSA API to Radius Client calls?
Environment:
z/os
Answer:
1) What actual value is origName? the SYSNAME from IEASYSxx, the hardware name for the LPAR, the full DNS resolved tcpip name, or something else?
1A) The DNS (domain name system) of the z/OS LPAR where users are logging onto (as well as where MFASTC running).
2) Is the shared secret supposed to be in the quotes "" or should the quotes be removed?
2A) Yes, in quotes.
3) Are the any considerations for transitioning from direct RSA API to Radius Client calls?
3A) Yes, the factor name would be RADIUS_RSA.
In addition to running MAABURAD to define Radius server to TSS, make sure the following is also true:
1. Radius is activated via TSS control option: TSS MODI MFA(RADIUS(FACILITY))
2. Users planned to use Radius RSA have the MFA segment added to there acid record: TSS ADD(acid) MFACTIVE(RADIUS_RSA) MFADATA(RADIUSNAME:radius_user_id) MFACTIVE(FACILITY)
3. Users has permit to CASECMFA(TSSMFA.RAD.facility) ACCESS(USE) Note: If not activating MFA Radius via TSS FACILITY, e.g. using either MFA(RADIUS(YES) or on MFA segment MFACTIVE(YES), then there is no need for the CASECMFA permit.