How to set a new PIN for RSA SecurID Tokens in RSA Authentication Manager 8.6 or later using NTRadPing Utility

3 years ago

Originally Published: 2022-01-18

Article Number

000065029

Issue

SecurID Authentication Manager 8.6 uses FreeRADIUS as the basis for the SecurID RADIUS server, instead of Steel-Belted RADIUS (SBR) which has reached end-of-life and required replacement.
This article explains how to use NTRadPing, a third-party RADIUS test utility, to set a New PIN in new Authentication Manager 8.6 or later.

Resolution

This solution uses NTRadPing 1.5 with tokens or fixed passcodes that are in New PIN Mode and set PINs through the NTRadPing interface.
NOTE: The Access-Challenge STATE values shown below may be different when you use NTRadPing.

Pre-requites:
1. Download, install NTRadPing 1.5 and test authentications.
- Please refer a KB article 000014905 for details
2. Create a RADIUS client.
- Please review Online Help Topic, "Add a RADIUS Client"

Steps to set in a new PIN in New PIN Mode with NTRadPing
1. Launch the NTRadPing executable.
2. For the RADIUS Server, enter the FQDN or IP address of the Authentication Manager server and for the RADIUS port, enter 1812
3. For RADIUS Secret Key, enter the Shared Secret you created when defining your new RADIUS client.
4. For User Name, enter the user ID of a test user.
5. For Password, enter the tokencode of your test token. Note: This token should be in New PIN Mode.
6. When done, click Send.
Since the token is in New PIN Mode, the response we get is Access-Challenge, as shown here:
NTRadPing Access-Challenge 01

7. Copy the string and add it to State string similar to below:

RSA|3a50b645-45ab-4727-ba37-9916197781f8|0c41e795-eb94-406e-86ea-08c997ee8185|SECURID_NEWPIN

8. Enter a new PIN in Password field and click Send.
The response will be to re-enter new PIN.
NTRadPing Access-Challenge 03

9. Remove the 1st State string by highlighting it and clicking the Remove button.
10. Copy the New string and add it to the State string similar to below:

RSA|3a50b645-45ab-4727-ba37-9916197781f8|aa9154b0-ff23-4868-aea0-80c34af168ba|SECURID_NEWPIN_CONFIRM

11. Re-enter a new PIN in Password field and click Send.
The response will be, "PIN Accepted. Wait for the token code to change, then enter the new passcode:"
NTRadPing Access-Challenge 04

12. Remove the 2nd State string by highlighting it and clicking the Remove button.
13. Copy the New string and add it to the State string similar to below:

RSA|3a50b645-45ab-4727-ba37-9916197781f8|ee53afe8-d9ae-417b-b58f-b32d5a2bfe83|SECURID

14. Enter a PIN+Tokencode or Passcode in the Password field and click Send.
The response will be, "Access-Accept" for successful authentication.
NTRadPing Access-Challenge 05

Notes

To avoid any type error, administrators may want to turn debugging on and copy the Challenge String .. or may use tcpdump as described in KB 000016395 to copy the State String from a SSH Session.
See details of how to turn on debugging in Online Help Topic, "RADIUS Server Log Files"
Note the string in the example below:
NTRadPing Access-Challenge 06

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles