  • 1.  RADIUS in IBM i

    Posted Tue November 11, 2025 05:55 PM
    Hello Everyone,
     
    Is it possible to configure RADIUS on IBM i to manage AS/400 users?
     
    Is it configured in the following section?
     
    Network > Server > TCP/IP Servers > RADIUS NAS. It appears as UNKNOWN in the Navigator for IBM i.


    ------------------------------
    Regards,

    Jorge Lee
    ------------------------------


  • 2.  RE: RADIUS in IBM i

    Posted Wed November 12, 2025 02:11 AM

    It depends on what you mean by "manage AS/400 users".

    IBM i accounts can only be created/changed via CRTUSRPRF/CHGUSRPRF (or the graphical equivalent in Navigator) on IBM i itself.

    You can't use other directories like AD, LDAP, RADIUS, ... to store your accounts so the answer is no.

    You can however use AD with Kerberos for SSO, or use RADIUS to authenticate external services (it could be used in the past for PPP Dial-In but I don't know its actual state) to IBM i.



    ------------------------------
    Paul Nicolay
    ------------------------------



  • 3.  RE: RADIUS in IBM i

    Posted Thu November 13, 2025 05:59 AM

    Better qualify the request and need, but take into account that if it says "NAS" it is the client side of RADIUS.



    ------------------------------
    --ft
    ------------------------------



  • 4.  RE: RADIUS in IBM i

    Posted Thu November 13, 2025 12:28 PM

    Hello Everyone,

    I'm working with a customer who is implementing an IAM solution and wants to "govern" the users of their IBM i.

    The customer's proposal is to integrate IBM i with their IAM platform using RADIUS. The high-level architecture they have in mind is as follows:

    • End-user workstations connect to the IBM i.

    • The IBM i (AS/400) would act as a NAS (Network Access Server).

    • When a user attempts to sign on, the IBM i sends a RADIUS Authentication Request to an external RSA Authentication Manager (RSA AM) server.

    • The RSA AM checks the user against its credentials database (tokens / OTP / IAM directory) and returns an Access-Accept or Access-Reject back to the IBM i.

    • Based on the RADIUS response, access to the IBM i session would be allowed or denied.

    • In practice, what is the recommended way to configure IBM i so that it behaves as a RADIUS client (NAS) towards an external RSA AM server?

    • Is this only supported when IBM i is used as a RAS server (PPP/L2TP), or is there any supported pattern to tie interactive sign-ons (e.g. Telnet 5250) directly to RADIUS?

    • Are there common patterns to minimize local user management (for example using generic IBM i profiles plus IAM identities, EIM mappings, etc.)?

    • Any real-world examples, Redbooks, or best-practice configurations where IBM i was integrated with an external IAM using RADIUS?

    • If you have gone through a similar design and decided to use another approach instead, I would also appreciate your reasoning and recommendations.

      Any guidance, architectural advice, or configuration hints would be very helpful before we define the final approach with the customer.

    The attached diagram shows the high-level proposal:
     
    On the left we have the end-user workstations, which connect to the IBM i system.
     
    The IBM acts as a NAS (Network Access Server): it receives the user connection and, instead of validating the password locally, it sends a RADIUS authentication request to the RSA Authentication Manager (RSA AM) server.
     
    RSA AM, acting as the RADIUS server, validates the credentials against its credentials database (tokens, OTP, etc.).
     
    It then returns an Access-Accept or Access-Reject response to the AS400 (shown in the diagram as "Solicitud Aceptada o Rechazada").
     
    Based on that response, the AS400 either allows or denies the user's session.



    ------------------------------
    Jorge Lee
    ------------------------------
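
The Access-Request / Access-Accept exchange described in the post above, as an added example that is not part of the thread and is not IBM i or RSA AM configuration: a generic RFC 2865 sketch of how a NAS hides the password and checks that a reply is bound to its own request. The shared secret, user name, password and NAS identifier are constructed sample values.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def attr(kind, value):
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_request(ident, user, password, secret, nas_id, request_auth):
    """NAS side: Access-Request carrying the hidden password."""
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side: authenticator = MD5(header + request authenticator + attrs + secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs

def verify_response(response, request, secret):
    """NAS side: return the reply code only if the reply is bound to our request."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code if code in (ACCESS_ACCEPT, ACCESS_REJECT) else None

# Constructed sample values; a real NAS draws the 16-byte authenticator from os.urandom.
SECRET = b"example-shared-secret"
REQUEST = build_request(7, b"JLEE", b"123456", SECRET, b"IBMI-NAS", bytes(range(16)))
```

A reply whose code byte is changed after signing, or one signed with a different shared secret, fails `verify_response`, so the allow/deny decision rests entirely on the secret shared between the NAS and the RADIUS server.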



  • 5.  RE: RADIUS in IBM i

    Posted Fri November 14, 2025 12:04 PM

    Ok, clear what you want to achieve. The RADIUS thing on the IBM i I think was used to enable dial-ins in a pre-VPN era, and sincerely the future of such components is not clear, along with other internet stuff like the TFTP server (yes, IBM i also has a TFTP server, and still use it for some old networking equipment).

    IMHO your best bet is to integrate via some sort of Kerberos KDC (Microsoft AD being one of those, used directly or indirectly regarding password source).

    My experience is limited to straight AD (especially for netshare shares on the IBM i, otherwise it is messy from the user side using a Windows client workstation). During user creation on the IBM i side, our workflow also asks for the Microsoft UPN (also useful then to call into MS APIs like Teams messages from the i), then uses the eim*** API calls under the hood to map the users between the two worlds.

    my 2c



    ------------------------------
    --ft
    ------------------------------



  • 6.  RE: RADIUS in IBM i

    Posted Mon November 17, 2025 11:51 AM

    The IBM PowerSC MFA product does a lot of what you require, acting as a RADIUS Client and authenticating users before granting access to the IBM i. Please check out the documentation at https://www.ibm.com/docs/en/powersc-mfa/2.3.0?topic=methods-configuring-generic-radius-authentication-method and reach out to the team to set up a POC if you think it checks out.

    Best-



    ------------------------------
    Hrithik Govardhan
    Senior Engineer
    Rocket Software
    MN
    ------------------------------



  • 7.  RE: RADIUS in IBM i

    Posted Thu November 13, 2025 02:27 PM

    Give it up.  Even if you got it to work it would only work short term.  "Remote Authentication Dial In User Service (RADIUS)" is last supported on 7.5.  You want confirmation?  First try "Planning to upgrade to IBM i 7.6 (Software)".  Next try changing the URL at https://www.ibm.com/docs/en/i/7.5.0?topic=ppp-enabling-radius-dhcp-services-connection-profiles from 7.5.0 to 7.6.0.

    What 7.6 does bring to the table is MFA or Multi Factor Authentication.

    To generate users on IBM i we are using IBM Security Verify Governance.  Formerly known by such names as ISIM or ITIM back from when IBM was slapping Tivoli on every product name.  Under the covers it runs CRTUSRPRF remotely.  You change your password in Windows and it automatically gets propagated to the IBM i.



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    ------------------------------



  • 8.  RE: RADIUS in IBM i

    Posted Fri November 14, 2025 02:20 AM

    It won't work... it is not designed for that.  As stated above, the only way to integrate IBM i in some sort of IAM is by means of SSO/Kerberos.

    MFA is also not related to identity management itself, it is just an extra security layer on top of it.



    ------------------------------
    Paul Nicolay
    ------------------------------