000018589 - After upgrading/patching the ACE/Server, the RADIUS clients no longer work with New PIN and Next Tokencode mode.

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000018589
Applies To: RSA ACE/Server 4.1 (no longer supported as of 2-1-2004)
RSA ACE/Server 5.0 (no longer supported as of 8-15-2004)
ACE/Server 5.0 will allow the RADIUS prompts to be configurable.  This can result in even more failures of custom RADIUS and some 3rd Party Partner clients.
Issue: After upgrading/patching the ACE/Server, the RADIUS clients no longer work with New PIN and Next Tokencode mode.
Cause: Custom RADIUS clients and some 3rd Party Partner products hardcode the prompt strings into their clients, so they break if the RADIUS server changes its prompts.
(It is STRONGLY discouraged to hardcode these prompt strings in a RADIUS client; if the client simply passes the prompt of all challenge packets, the code will continue to work if the prompts change.)
Patch 2 for 4.1 and patch 16 for 3.3 introduced a new RADIUS server which changed the challenge prompts.
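
The following Python example is added here; it is not RSA code and not part of the original article. It shows a client that branches on the RADIUS packet code and passes the Reply-Message text through unchanged, so either wording of a challenge is handled the same way. The function names, the `sess-01` State value and the zeroed authenticator are constructed, and Response Authenticator verification is assumed to be done by the surrounding RADIUS stack.

```python
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
REPLY_MESSAGE, STATE = 18, 24

def parse(packet):
    """Return (code, attrs) for a RADIUS packet; attrs is a list of (type, value)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20                      # 4-byte header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def next_step(packet):
    """Pick the next action from the packet code; the prompt text is display-only."""
    code, attrs = parse(packet)
    # Reply-Message attributes are shown verbatim, in packet order.
    prompt = "".join(v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE)
    if code == ACCESS_CHALLENGE:
        # State must be echoed unmodified in the Access-Request answering this challenge.
        state = next((v for t, v in attrs if t == STATE), None)
        return {"action": "ask_user", "prompt": prompt, "echo_state": state}
    if code == ACCESS_ACCEPT:
        return {"action": "accept", "prompt": prompt, "echo_state": None}
    if code == ACCESS_REJECT:
        return {"action": "reject", "prompt": prompt, "echo_state": None}
    raise ValueError("unexpected RADIUS code %d" % code)

def build(code, attrs):
    """Constructed test packets only: zeroed authenticator, identifier 1."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    # Two wordings of the same Next Tokencode challenge, both taken from the prompt lists.
    for text in (b"Wait for token to change,\nthen enter the new tokencode: ",
                 b"Wait for the tokencode to change,\nthen enter the new tokencode"):
        step = next_step(build(ACCESS_CHALLENGE, [(REPLY_MESSAGE, text), (STATE, b"sess-01")]))
        print(step["action"], repr(step["prompt"]), step["echo_state"])
```
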
Resolution: The prompts for RADIUS after applying ACE/Server patch 2 on v4.1 and patch 16 for 3.3 are:
On UNIX:
        "Your new PIN is %s."

        "Wait for the token code to change,
        then enter the passcode: "

        "Enter a new PIN having %d digits: "
        OR
        "Enter a new PIN having %d alphanumeric characters: "
        OR
        "Enter a new PIN having from %d to %d digits: "
        OR
        "Enter a new PIN having from %d to %d alphanumeric characters: "

        "Please enter 'y' or 'n': "

        "PIN rejected. Please try again."

        "PASSCODE Accepted"

        "Wait for token to change,
        then enter the new tokencode: "

        "A new PIN is required.
        Do you want system to generate your new PIN? (y/n): "

        "PIN Accepted.
        Wait for the token code to change,
        then enter the new passcode: "

        "Invalid PIN was specified"

        "Access Denied"

        "ARE YOU PREPARED TO HAVE THE SYSTEM GENERATE YOUR PIN? (y/n): "

On NT:
        "Access Denied"

        "Wait for the tokencode to change,
        then enter the new tokencode"

        "Enter a new PIN between %d to %d alphanumeric characters"
        OR
        "Enter a new PIN between %d to %d digits"

        "A new PIN is required
        Do you want the system to generate your new PIN? (y/n): "

        "ARE YOU PREPARED TO HAVE THE SYSTEM GENERATE YOUR PIN? (y/n): "

        "Unknown PIN type for user"

        "PIN Accepted."

        "Wait for the tokencode to change,
        then enter a new PASSCODE."
For ACE/Server 5.0, the new prompts will be:
(UNIX and NT will be the same)
        "Your new PIN is %s."

        "Wait for the token code to change,
        then enter the passcode: "

        "Enter a new PIN having %d digits: "
        OR
        "Enter a new PIN having %d alphanumeric characters: "
        OR
        "Enter a new PIN having from %d to %d digits: "
        OR
        "Enter a new PIN having from %d to %d alphanumeric characters: "

        "Please enter 'y' or 'n': "

        "PIN rejected. Please try again."

        "PASSCODE Accepted"

        "Wait for token to change,
        then enter the new tokencode: "

        "A new PIN is required.
        Do you want system to generate your new PIN? (y/n): "

        "PIN Accepted.

        "Wait for the token code to change,
        then enter the new passcode: "

        "Invalid PIN was specified"

        "Access Denied"

        "ARE YOU PREPARED TO HAVE THE SYSTEM GENERATE YOUR PIN? (y/n): "
Legacy Article ID: a1974
