000014905 - RADIUS authentication test with RSA RADIUS 7.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014905
Applies To: RSA Authentication Manager 7.1
RSA RADIUS 7.1
RADIUS authentication
Authentication Test 
RADIUS Authentication Test
Issue

Security Console Authentication Monitor displays the following message after a RADIUS authentication:

   Date & Time: <date & time>
   Log Level: ERROR
   Activity Key: Principal authentication
   Description: User "rsalocaltest" attempted to authenticate using authenticator "SecurID_Native". The user belongs to security domain "SystemDomain"
   Action Result Key: Failure
   Result Key: AUTH_METHOD_FAILED
   Result: Authentication Method failed
   User ID: <user ID>

The RSA RADIUS 7.1 log file reports 'Authentication Response (reject)'.
The RSA RADIUS 7.1 log file reports 'Unable to find user rsalocaltest with matching password'.

NTRADping RADIUS Server reply:

Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
   Transmitting packet, code=nn id=nn length=nnn
   received response from the server in nnnn milliseconds
   reply packet code=nn id=nn length=nnn
   response: Access-Reject
   ----------------------------attribute dump-----------------------------

Resolution

Here is a test for RSA RADIUS 7.1 using an internal database user with a fixed PASSCODE and a RADIUS test client called NTRADping.

1)       Download NTRADping, a free RADIUS test client, from http://www.mastersoft-group.com/download/
 - Unzip the file into a working directory, e.g. C:\temp\NTRADping

2)       Add a test user to the RSA Authentication Manager 7.1 Internal Database
RSA Security Console > Identity > Users > Add New
In the form:

   Identity Source: select Internal Database
   Last Name: rsalocaltest
   User ID: rsalocaltest
   Password: <enter a password>
   Confirm Password: <enter a password as above>
   Force Password Change: uncheck "Require user to change password at next logon"

   Click the {Save} button

3)       Assign Authentication Settings to the user "rsalocaltest"
RSA Security Console > Identity > Users > Manage Existing

   Security Domain: SystemDomain
   Identity Source: Internal Database
   For: All Users
   Where: Last Name starts with rsalocaltest

   Click the {Search} button

Left click the user name and select Authentication Settings

4)       In the form:

   Fixed Passcode: check "Allow authentication with a fixed passcode"
   Fixed Passcode: <enter a passcode> e.g. 12345678
   Confirm Fixed Passcode: <enter a passcode as above> e.g. 12345678

   Click the {Save} button

5)       Ensure there is an unrestricted agent configured for the system the RADIUS test client NTRADping is being used on:
RSA Security Console > Access > Authentication Agents > Manage Existing
If there is no agent defined then use the {Add New} button to create one and ensure Agent May Be Accessed by All Users
In the form:

   Security Domain: SystemDomain
   Hostname: <hostname>
   IP Address: <IP address>
   Agent May be Accessed by: All Users {default setting}

   Click the {Save} button

6)       Ensure there is a defined RADIUS Client for the system NTRADping is being used on:
RSA Security Console > RADIUS > RADIUS Clients > Manage Existing
If there is no RADIUS client defined then use the {Add New} button

   Client Name: <enter resolvable name>
   IP Address: <enter IP address>
   Make/Model: - Standard Radius -
   Shared Secret: 1234 <this MUST match the RADIUS Secret key in NTRADping>

   Click the {Save without RSA Agent} button

7)       Here is a typical example of the configuration in the RADIUS test client NTRADping:

   RADIUS Server/port: <IP address of RSA RADIUS 7.1 server> <port>
   Reply timeout (sec): 3
   Retries: 2
   RADIUS Secret key: 1234 <this MUST match the Shared Secret in the RADIUS Client>
   User-Name: rsalocaltest
   Password: <fixed passcode>
   CHAP: <leave unchecked>
   Request Type: Authentication Request
   Additional RADIUS Attributes: <leave blank>

   Click the {Send} button

RADIUS Server reply:

Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
   Transmitting packet, code=nn id=nn length=nnn
   received response from the server in nnnn milliseconds
   reply packet code=nn id=nn length=nnn
   response: Access-Challenge
   ----------------------------attribute dump-----------------------------
   Prompt=No-Echo
   Reply-Message=\0x0d\0x0a Enter your new PIN, containing 4 to 8 c
   State=SBR-CH 4|1\0x00

Please note: NTRADping can do New PIN Mode and the response will be Access-Challenge. See solution a52716 on how to do this.

This is expected. If this user were not in New PIN Mode, the RADIUS Server reply would be as follows:
RADIUS Server reply:

Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
   Transmitting packet, code=nn id=nn length=nnn
   received response from the server in nnnn milliseconds
   reply packet code=nn id=nn length=nnn
   response: Access-Accept
   ----------------------------attribute dump-----------------------------
   Class=2SBRCL\0xd4\0x80\0xdd\0xad\0x94\0x8d\0x80\0xbe\oxd8\


  

 


Please refer to knowledge article 'RSA RADIUS 7.1 replication not working after replica installation' to complete an RSA RADIUS 7.1 primary and replica configuration before performing RSA RADIUS 7.1 authentication testing.


Contact RSA Customer Support if you still require further assistance with RSA RADIUS 7.1 configurations and authentication testing.

Legacy Article ID: a42378
