000036959 - Configuring authentication with RADIUS attributes with a NetWare Core Protocol (NCP) server for RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Oct 15, 2019. Last modified by RSA Customer Support Employee on Oct 15, 2019.
Version 2

Article Content

Article Number: 000036959
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
This article explains how to map a NetWare Core Protocol (NCP) server attribute from the vendor configuration file to the RSA Authentication Manager server and how to perform a test with these attributes using the NTRadPing RADIUS test utility.
Resolution
  1. In a text editor such as Notepad++, create a file with the required attributes from the vendor dictionary file and save it as a .dct file:


@radius.dct
ATTRIBUTE NCPS-Ip-PoolNr 261 integer r
ATTRIBUTE NCPS-Timeout 264 integer r


  1. Log in to the primary Authentication Manager Operations Console, then:

    1. Select Deployment Configuration > RADIUS Server.
    2. Click on the context arrow next to the primary server name and choose Manage server files.  
    3. Click on the Dictionary Files tab. 
    4. Click the Add New button.
    5. Click Choose File and browse to the NCP.dct file created in step 1.
    6. Click Submit.



  1. Verify the content of the .dct file by clicking on the Dictionary Files tab. Scroll to ncp.dct and, from the context arrow, choose Edit.



  1. Click Save & Restart RADIUS server.
  2. Click on the Configuration Files tab.
  3. Click on the context arrow next to the dictiona.dcm file and choose Edit.



  1. In the dictiona.dcm file, add the ncp.dct file name. The recommendation is that files be listed in alphabetical order. Since the file we are adding is called ncp.dct, the example below shows it listed after nautica.dct and before netblazr.dct.

User-added image


  1. Click Save & Restart RADIUS Server.
  2. Again on the Configuration Files tab, select vendor.ini and choose Edit.
  3. In the vendor.ini file, scroll down to the point where the new entry falls in alphabetical order (in the example below, the new text goes between Microsoft RRAS for Windows NT and Netscreen Technologies), then add the following text:


vendor-product       = NCP-VPN
dictionary           = NCPS
ignore-ports         = no
port-number-usage    = per-port-type
help-id              = 2000



User-added image


  1. When done, click Save & Restart RADIUS Server.
  2. Make sure that the RADIUS server status is synchronized.

Before continuing, repeat step 2 through step 8 for every replica in the deployment.




Adding a RADIUS client



  1. Log in to the Security Console and select RADIUS > RADIUS Clients > Add New.
  2. Create the RADIUS client:
    1. Name the client device.
    2. Set the IP address type and use the IP address of the NCP server.
    3. For the Make/Model, select NCP-VPN, since that was what was added to the vendor.ini.
    4. Enter the RADIUS shared secret that was configured on the NCP server.
    5. Click Save & Create Associated RSA Agent when done.



  1. On the Add New Authentication Agent page, complete the fields for Authentication Agent Basics and Authentication Agent attributes.
  2. Click Save when done.


Adding a RADIUS profile



  1. Select RADIUS > RADIUS Profile > Add New.
  2. The new attributes appear in the drop-down menu of the return list attributes, as shown in the image below:

User-added image


  1. Configure the RADIUS profile with the desired check list and/or return list attributes.
  2. Click Save.


Assigning the RADIUS profile to an agent or user



  1. Navigate to RADIUS > RADIUS Profiles > Manage Existing.
  2. Click on the context arrow and select Associated Users or Associated Agents.
  3. Depending on the selection, click on Assign to More Users or Assign to More Agents.
  4. Place a check next to the user(s) or agent(s) and click Assign Profile.


Test RADIUS authentication with NTRadPing



NTRadPing is a free RADIUS test utility. For information on how to install and use it, please see 000014905 - Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager.


To perform the authentication test using NTRadPing, the attribute must be defined in the dictionary file of the utility. If it is not defined, the following warning will be seen:
 
User-added image


To avoid the warning, the attributes must be defined in the raddict.dat file for NTRadPing, as shown below.
  1. First extract the files as explained in 000014905 - Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager.
  2. Edit the raddict.dat with a text editor to add the attributes as shown:


ATTRIBUTE    NCPS-Ip-PoolNr              246    integer
ATTRIBUTE    NCPS-Timeout                227    integer


  1. Launch NTRadPing.
  2. From the Security Console, navigate to Reporting > Real Time Activity Monitors > Authentication Activity Monitor and click Start Monitor.
  3. Following the steps in 000014905 - Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager, enter the RADIUS server and port, the RADIUS secret key, a user ID and passcode.  
  4. Click Send to see the text results. A successful authentication will show as Access-Accept. Access-Reject is a failed authentication, and Access-Challenge is a message showing that the passcode used has an issue and is either in New PIN Mode or Next Tokencode Mode.
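
A pre-flight check for the dictionary edits above, as an added example that is not part of the original article or of any RSA tooling: it parses the ATTRIBUTE lines of the server-side .dct file and of NTRadPing's raddict.dat, lists the attribute names the test utility would not recognize, and inserts the ncp.dct include into dictiona.dcm at its alphabetical position. The sample file contents are constructed from the values shown in this article; the function names and the one-@file-per-line layout of dictiona.dcm are assumptions.

```python
import re

# Constructed sample inputs, using the values shown in this article.
NCP_DCT = """\
@radius.dct
ATTRIBUTE NCPS-Ip-PoolNr 261 integer r
ATTRIBUTE NCPS-Timeout 264 integer r
"""
# NCPS-Timeout is deliberately left out here to reproduce the warning case.
RADDICT_DAT = "ATTRIBUTE    NCPS-Ip-PoolNr              246    integer\n"
# Assumed layout: one @file include per line.
DICTIONA_DCM = "@nautica.dct\n@netblazr.dct\n"

# ATTRIBUTE <name> <number> <type> [flags]
ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)(?:\s+(\S+))?$")

def parse_attributes(text):
    """Return {name: (number, type)}; raise on a malformed ATTRIBUTE line."""
    attrs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("ATTRIBUTE"):
            continue  # includes (@file) and blank lines
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry: {line!r}")
        attrs[m.group(1)] = (int(m.group(2)), m.group(3))
    return attrs

def missing_in_client(server_dct, client_dict):
    """Names defined for the RADIUS server but absent from the test utility."""
    return sorted(set(parse_attributes(server_dct)) - set(parse_attributes(client_dict)))

def add_include(dcm_text, filename):
    """Insert @filename in alphabetical order; no change if already listed."""
    lines = dcm_text.splitlines()
    entry = "@" + filename
    if entry.lower() in (l.strip().lower() for l in lines):
        return dcm_text
    includes = [i for i, l in enumerate(lines) if l.strip().startswith("@")]
    pos = next((i for i in includes if lines[i].strip().lower() > entry.lower()),
               includes[-1] + 1 if includes else len(lines))
    lines.insert(pos, entry)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print("Missing in raddict.dat:", missing_in_client(NCP_DCT, RADDICT_DAT))
    print(add_include(DICTIONA_DCM, "ncp.dct"), end="")
```

Run it against copies of the real files by reading them into strings in place of the constructed samples.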



Notes

Please contact the vendor of the third-party device or software for assistance regarding the attributes if the vendor-specific attributes do not exist.
