000027040 - How to set PINs and navigate Next Tokencode Mode for RSA SecurID Tokens using NTRadPing

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jan 19, 2018
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000027040
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition:  7.1, 8.x
IssueNTRadPing can provide a RADIUS server reply of Access-Challenge, but there is no explanation of how to get from Access-Challenge to Access-Accept.  This article explains how to use NTRadPing, a third party RADIUS test utility, to navigate New PIN Mode or Next Tokencode Mode and get the Access Accept response.
ResolutionSteps to use NTRadPing 1.5 with tokens or fixed passcodes that are in New PIN Mode and set PINs through the NTRadPing interface (you may need to practice this for speed, so tokencodes do not rollover unexpectedly):

NOTE: The Access-Challenge STATE values shown below may be different when you use NTRadPing.  The numbers below are examples of the values returned, when these are the first challenges sent to RSA RADIUS.

Download and install NTRadPing

  1. Download NTRadPing, a free RADIUS test client.
  2. Unzip the file in to a working directory on your local machine (for example, C:\temp\ntradping).  There will be two files:  a RADIUS dictionary file and the NTRadPing executable.

Create a test RADIUS client

  1. Login to the Security Console and navigate to RADIUS > RADIUS Client > Add New.
  2. Enter information to register your local machine as a RADIUS client. 
    1. Enter a client name and the IP address of your machine.
    2. Leave the make/model as - Standard RADIUS -
    3. Create a RADIUS shared secret, such as 12345.  You will need to enter this secret into the NTRadPing interface, so make a note of it.
    4. Click Save & Create Associated RSA Agent.
    5. Click Save when prompted.
    6. Click Yes, Save Agent.

Test authentication of a token in New PIN Mode with NTRadPing

  1. Launch the NTRadPing execuable.
  2. For the RADIUS Server, enter the FQDN or IP address of the Authentication Manager server.
  3.  For the RADIUS port, the registered UDP port for RADIUS traffic is 1812.  Early deployments of RADIUS used 1645 UDP.  Newer deployments use 1812 UDP, so you may need to test to see which port is correct for your install.
  4. Leave the Reply timeout at 3 and change and Retries to 2.
  5. For RADIUS Secret Key, enter the secret you created when defining your new RADIUS client.
  6. For User Name, enter the user ID of a test user.
  7. For Password, enter the tokencode of your test token.  Note:  this token should be in New PIN Mode.
  8. Authentication Manager does not accept CHAP, so leave the option unchecked.
  9. Leave the Request type as Authentication Request.
  10. Leave Additional RADIUS Attributes blank.
  11. When done, click Send.
  12. Since the token is in New PIN Mode, the response we get back is Access-Challenge, as shown here:

Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
Transmitting packet, code=nn id=nn length=nnn
received response from the server in nnnn milliseconds
reply packet code=nn id=nn length=nnn
response: Access-Challenge
----------------------------attribute dump-----------------------------
Reply-Message=\0x0d\0x0a Enter your new PIN, containing 4 to 8 c
State=SBR-CH 0|1\0x00

  1. Note the last line of the reply, that shows a State=SBR-CH value.  Make a note of this string.  This value may be different depending on the RADIUS server you are using and when you do this test.  Use whatever value the reply window shows you.

Send the first PIN in response to the first Access-Challenge

Now that we have this value, we can work through the Access-Challenge to the Access-Accept.

  1. In the lower left hand drop-down box, right above the Add and Remove buttons, click on the dropdown arrow and select STATE.
  2. In the right hand drop-down box, above the Load and Save buttons, enter the full STATE value that SBR returned.  In our example above, this is SBR-CH 0|1.
  3. Click Add.
  4. You will see that value goes in the Additional Radius Attributes box as State=SBR-CH 0|1.
  5. Now put in the new PIN you want in the Password field, and press Send.
  6. You will get another Access-Challenge reply from the RADIUS server.  Note that this new challenge displays a new SBR-CH value. This second response has a value of SBR-CH 0|2.  What the change of state value means is that Authentication Manager received your first PIN.  Just like when navigating New PIN Mode through an RSA Authentication Agent interface, you need to enter the same PIN again.
  7. Send the second confirmation PIN as a reply to the second Access-Challenge.
  8. Highlight the Additional Radius Attributes field, and remove the State=SBR-CH 0|1 value.
  9. Repeat steps 2 through 5 again, using the PIN  you created.  Note that when you repeat step 2, enter the updated State=SBR-CH 0|2 value.  You have just sent the two PINs to the Authentication Manager server.
  10. Send the final confirmation new PIN + tokencode in response to the final Access-Challenge.  In this test the new State=SBR-CH value that is returned is 0|3.
  11. Repeat steps 2 through 5 for the last time, changing the State=SBR-CH to State=SBR-CH 0|3.
  12. This time, put the new PIN and the current tokencode into the password field and press Send.
  13. The result changes from Access-Challenge to Access-Accept and you now have a token with an associated PIN.

Clearing Next Tokencode Mode

You can use a slight variation of the methods above to clear Next Tokencode Mode.

NotesThis process can also be used where a fixed passcode has been assigned to a user.  
For additional information, see 000014095 Performing RADIUS authentication tests to RSA Authentication Manager.
Legacy Article IDa52716