000021910 - How to get New PIN mode to work via Telstra Dial IP service with ACE/Server 5.0.1 RADIUS. New PIN mode is not working via some Ascend hardware and ACE/Server 5.0.1 RADIUS.

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021910
Applies ToRSA ACE/Server 5.0.1 (no longer supported as of 8-15-2004)
Telstra Dial IP
Microsoft Windows 2000
All UNIX platforms
Ascend Communications MAX - RADIUS Client
Ascend MAX
Ascend
IssueHow to get New PIN mode to work via Telstra Dial IP service with ACE/Server 5.0.1 RADIUS. New PIN mode is not working via some Ascend hardware and ACE/Server 5.0.1 RADIUS.
Authenticate SecurID users with Ascend MAX
Ascend Max: Customer cannot authenticate when the token is in New PIN or Next Tokencode Mode
New PIN mode worked before upgrade to RSA ACE/Server 5.0.1
New PIN mode is not functioning properly when user created PIN's are required
User token is in New PIN mode
Problem with New PIN mode
New PIN mode is not working via some Ascend hardware and ACE/Server 5.0.1 RADIUS
Users PIN get set to the initial token code instead of the PIN user typed in
SecurID token is in New PIN mode
New PIN mode does not work
New PIN mode and Next tokencode do not work
Debug data from ACE/Server RADIUS daemon show:"Password is overwritten by Ascend Third Prompt"
ACE LOG shows:Passcode accepted, new PIN required
State attribute is sent in initial packet and it is empty
Ascend Third Prompt is an illegal attribute in the initial packet
CauseAscend RADIUS implements third party authentication using an extra prompt for password
An updated RADIUS RFC 2865 came out in June 2000, this newer RFC makes the earlier RADIUS RFC 2138 obsolete and has more tightened security requirements. ACE/Server 5 RADIUS is based on the newer RFC 2865. The "Ascend Third Prompt" attribute 213 is no longer supported in RFC 2865 due to security risks.
ACE/Server 5.0 has been rewritten for compliance to RADIUS RFC 2865, causing RADIUS authentication from the Ascend MAX to fail if using the "OLD" Auth Compatibility mode
ResolutionThe hot fix will make it possible to chose to "enable" or "disable" the use of Ascend Third Prompt (attribute 213). Please contact RSA Security Support to obtain the hot fix for defect number tst00023660. This hot fix will be included in future patch releases for ACE/Server 5.0.1, such as Patch 3 available on SecurCare Online's Download Center.
WorkaroundACE/Server has been upgraded from 4.1 or earlier to ACE/Server 5.0.1
Legacy Article IDa8677

Attachments

    Outcomes