Authenticating in New PIN Mode from SonicWall Fails After Upgrading to Authentication Manager V8.6 or Later
Originally Published: 2022-09-06
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.6 or later
Issue
When authenticating from SonicWall in New PIN mode, the Authentication Activity Monitor shows "Passcode accepted, New PIN required". When the user then tries to set the PIN, NetExtender crashes and the user is unable to set a PIN.
Cause
When a packet capture is taken on the RADIUS server during authentication, you can see that:
- the State variable in the Access-Challenge sent from the RADIUS server to SonicWall is 94 characters:
RSA|355c997e-1fef-499b-b5da-a794e00195e8|8c702a4e-f9d9-4a02-9443-2dcf7a9dca4a|SECURID_NEWPIN
- the State variable in the Access-Request sent from SonicWall to the RADIUS server is 66 characters:
RSA|355c997e-1fef-499b-b5da-a794e00195e8|8c702a4e-f9d9-4a02-9443
The section of the RADIUS RFC that covers the State variable (https://datatracker.ietf.org/doc/html/rfc2865#section-5.24) says: "This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any."
In line with the RFC, AM's RADIUS implementation expects any RADIUS client to return the State variable unmodified. The RFC does not constrain the State variable to any particular length.
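The comparison described above can be automated against captured attribute bytes. The following is an added example, not RSA or SonicWall code: it parses the attribute list of an Access-Challenge and of the following Access-Request (the bytes after the 20-byte RADIUS header) and reports whether State came back unmodified. The attribute Length field counts the Type and Length octets, so the two State values from this article parse as 94 and 66. The function names, the Reply-Message text and the user name are constructed for illustration.

```python
import struct

STATE = 24  # RADIUS attribute type for State (RFC 2865 section 5.24)

def build_attr(attr_type, value):
    # Encode Type, Length, Value; Length covers all three fields
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data):
    # Walk an attribute list and return (type, length, value) tuples
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, length, data[pos + 2:pos + length]))
        pos += length
    return attrs

def check_state_echo(challenge_attrs, request_attrs):
    # Returns (verdict, Length sent by server, Length echoed by client)
    sent = [(l, v) for t, l, v in parse_attrs(challenge_attrs) if t == STATE]
    echoed = [(l, v) for t, l, v in parse_attrs(request_attrs) if t == STATE]
    if not sent:
        return "no-state-in-challenge", None, None
    if not echoed:
        return "state-missing", sent[0][0], None
    (s_len, s_val), (e_len, e_val) = sent[0], echoed[0]
    if s_val == e_val:
        verdict = "ok"
    elif s_val.startswith(e_val):
        verdict = "truncated"  # client cut the value short
    else:
        verdict = "modified"
    return verdict, s_len, e_len

# State values quoted in this article
CHALLENGE_STATE = b"RSA|355c997e-1fef-499b-b5da-a794e00195e8|8c702a4e-f9d9-4a02-9443-2dcf7a9dca4a|SECURID_NEWPIN"
REQUEST_STATE = b"RSA|355c997e-1fef-499b-b5da-a794e00195e8|8c702a4e-f9d9-4a02-9443"

# Constructed attribute lists: Reply-Message (18) and User-Name (1) values are made up
challenge = build_attr(18, b"Enter a new PIN") + build_attr(STATE, CHALLENGE_STATE)
request = build_attr(1, b"jdoe") + build_attr(STATE, REQUEST_STATE)

if __name__ == "__main__":
    print(check_state_echo(challenge, request))
```

A "truncated" verdict means the client returned only a prefix of the server's State, which is the condition seen in the packet capture above.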
Resolution
Customers must work with SonicWall to fix this issue, because FreeRADIUS is open source and has a standard RADIUS implementation used by many vendors.