SecurID Discussions
MohitPankhania
Beginner

# Integration with SWIFT


Accepted Solutions

Ed was saying you can configure your Swift Authentication to a RADIUS server, which basically needs a destination IP address and a shared RADIUS secret. On the Auth Manager side you configure the Swift server as a RADIUS client with an associated Authentication Agent. Passing RADIUS attributes back through RADIUS profiles can make this more complex, but the Authentication piece is simple: Swift sends a UserID and PassCode (PIN+TokenCode) and Auth Manager either says Yes Success or No Failure.

If unfamiliar with RSA AM RADIUS, do a test with NTRadPing.exe - find it on Novell's web site; it is a Windows executable 'RADIUS Client'.

How to configure an NTRadPing RADIUS client.

First, you need the IP address of the PC where the NTRadPing.exe and raddict.dat files are, as this will be your RADIUS client.

Next you need to Add New under RADIUS – RADIUS Clients in the Security Console, like this:

[Screenshot: SC-RADIUS-Clients_AddNew.png]

So this is an example of adding a RADIUS client with IP address 10.100.40.205. Name resolution is not important with a RADIUS Client, so you do not have to have the real DNS name or FQDN.

What's important here is the Shared Secret. You will have to use the exact same secret on the NTRadPing screen on your PC.

Leave the Make/Model as "Standard RADIUS", and do not check any of the boxes. Then "Save and Create Associated RSA Agent" in the lower right. You will have a RADIUS Client and an Authentication Agent entry.

[Screenshot: SC-Access-Agent-RADping.png]

Now the Server side is done; the RSA Server knows that a RADIUS client will be sending Authentication Requests.

Next, on your PC, start the NTRadPing.exe (raddict.dat must be in the same directory). It looks like this:

[Screenshot: NTRadPing.png]

Here are the things you need to fill in:

  1. IP address of the RSA Authentication Manager Server with RADIUS Server configured
  2. RADIUS port, usually 1645, but 1812 is also supported
  3. RADIUS Shared Secret – the exact same one you entered for the RADIUS Client above
  4. UserID or login ID from Authentication Manager
  5. PassCode or fixed PassCode. You cannot log in with a Password to Authentication Manager from an agent or RADIUS client. Also, New PIN or Next Tokencode mode is not supported by NTRadPing, so test this user's login from the Self-Service Console or another agent first.
  6. Send.

On the RSA Server side you'll want to watch two places when you do this Send.

  1. RADIUS Statistics will tell if the packet is reaching RSA from Juniper. Security Console, under RADIUS – RADIUS Statistics – RADIUS Client Statistics. You can filter on a specific RADIUS Client.

[Screenshot: SC-RADIUS-Stats-Client.png]

  2. RSA RADIUS should hand over the authentication request to AM, which you can watch in the Real Time Auth Monitor. Security Console – Reporting – Real Time Authentication Monitors – Authentication Activity Monitor. Then [Start Monitor>]

[Screenshot: SC-Report-RTM-Auth.png]

If you need to run a tcpdump, filter on either port 1812 or 1645, and write to a file.

SSH to the Virtual Appliance with the operating system account rsaadmin, then:

```shell
sudo su -                       # enter the same password again; this makes you root
cd /usr/sbin
./tcpdump -i eth0 -s 1514 -Z root host 10.100.40.205 -w /tmp/JayPC.pcap   # writes to a file in /tmp
./tcpdump -i eth0 -s 1514 -Z root port 1645 -w /tmp/radius.pcap
chmod 777 /tmp/radius.pcap      # grants full permissions to everyone, makes it easy to copy the file off with WinSCP
```

You will be able to see return attributes in a RADIUS packet capture.

Regards,

7 Replies
EdwardDavis
Employee

Swift Alliance Access? Yes, it will work with SecurID, with RADIUS. You will need to contact Swift and they will help you set it up by configuring Swift to authenticate with RADIUS to the RSA server.

 

Depending on your actual setup and the servers running Swift, it might take some troubleshooting if it doesn't work, but the RSA server does receive valid authentication requests from Swift and sends RADIUS Access-Accept replies back. [In one circumstance the RSA server sent back Access-Accept, and the operating system running Swift had some other software on it that was molesting the RADIUS reply packet and adding a few bytes, and when passed to the Swift app the packet length field didn't match. Easily corrected.]

CheeHoCalvinNg
Beginner

Hi Edward, I also have this question. Can any configuration guide be provided for SWIFT Alliance Access? I have had several cases involving integration of the SWIFT console in financial institutions. However, we failed in the POC stage because of technical problems.


We completed a successful POC integrating SWIFT with RSA; follow the checklist below:

SWIFT Configuration:

Step 1: Logon with LSO -> User management -> Authentication Server Group -> Specify Name, Description, IP of RSA Authentication Manager, port (1812 or 1645), Local port 1024. Key left: Support!11111111 (you have to enter 16 characters). SAVE and Approve.

Step 2: Logon with RSO -> User management -> Authentication Server Group -> Approve.

 

RSA Configuration:

Step 1: Logon to the Security Console -> RADIUS -> RADIUS Client -> Add new

Client Name : Name for RADIUS Client
IP Address : IP address of SWIFT server
Model : Keep default as Standard Radius
Shared Secret : LSO key followed by RSO key
(For example: LSO authentication server group password: Support!11111111,
RSO authentication server group password: Support!22222222
In Shared Secret you have to enter the password as Support!11111111Support!22222222)

Step 2: Save and Associate, click Save, and for confirmation click Yes, Save Agent.

Now check the SWIFT user login (user authentication type should be: RADIUS one time password) with the RSA PIN/Token/Passcode, whatever you configured for the user at RSA AM.

Note: Before implementation, go through the document provided by RSA for port communication and other security related configurations.

JashUpadhyay
Occasional Contributor

Hi Ranjan,

I tried the steps that you have mentioned, but I am getting an error "Authentication Method Failed, Pass-code format Error". Let me know if you have a resolution for the same.

https://community.rsa.com/thread/190399

Hi Jash,

Kindly capture the UDP packets at the RSA AM server with the following command (change the 1812 if you are using any other port number):

```shell
sudo tcpdump -i eth0 udp port 1812 -nn -s 0 -w /tmp/logcap.cap
```

 

Step 1: Open the logcap.cap file in Wireshark.

Step 2: Right click on Access-Request (SWIFT to RSA AM server) -> select "Protocol Preferences" -> click "Shared Secret".

Step 3: Enter the LSO password followed by the RSO password as the shared secret, like above: Support!11111111Support!22222222.

Step 4: Look at the data packet below under RADIUS Protocol -> Attribute Value Pairs -> User-Password.

 

The user password displayed in the frame below is the same one received at the RSA AM server.

 

For example:

User-Password: 1234785412 (Passcode) or 785412 (Token Code) will authenticate; if a token in any other format comes in, it will show the error "Authentication Method Failed, Pass-code format Error".

Note: If your shared secret is correct you can see the user password in the frame; else the decrypted value will display like \1345\66\316546\33465\31
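The User-Password hiding that both the NTRadPing test in the accepted solution and the Wireshark decryption steps above depend on, as an added example that is not code from this thread, from RSA or from SWIFT. It assumes the LSO+RSO shared secret from the checklist; the user name, passcode and Request Authenticator are constructed sample values (a real client randomizes the authenticator per request).

```python
"""RFC 2865 User-Password hiding as seen in the SWIFT -> RSA AM Access-Request.
Added example (not from the thread, RSA or SWIFT); the secret is LSO key + RSO key
as in the checklist above; user name, passcode and authenticator are constructed."""
import hashlib
import struct

SHARED_SECRET = b"Support!11111111Support!22222222"   # LSO key followed by RSO key
AUTHENTICATOR = bytes(range(16))                      # constructed; real ones are random


def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """Per 16-byte block: XOR with MD5(secret + previous ciphertext block), RFC 2865 5.2."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ k for x, k in zip(block, key))
        out += res
        prev = res if hiding else block   # chain on the ciphertext block either way
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes = AUTHENTICATOR) -> bytes:
    """What the RADIUS client (SWIFT, or NTRadPing in the test above) does before sending."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _keystream_xor(padded, secret, authenticator, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes = AUTHENTICATOR) -> bytes:
    """What Wireshark does once given the secret; strips the RFC 2865 NUL padding."""
    return _keystream_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def build_access_request(user: bytes, password: bytes, secret: bytes = SHARED_SECRET, ident: int = 1) -> bytes:
    """Minimal Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    hidden = hide_password(password, secret)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + AUTHENTICATOR + attrs


def user_password_from(packet: bytes, secret: bytes) -> bytes:
    """Walk the attribute value pairs of a captured packet and reveal User-Password."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos = packet[4:20], 20
    while pos + 2 <= length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        if typ == 2:
            return reveal_password(packet[pos + 2:pos + alen], secret, authenticator)
        pos += alen
    raise ValueError("no User-Password attribute in packet")
```

With the full LSO+RSO secret the passcode comes back as the digits AM will see; with only the LSO half the same call returns bytes like the garbage in the note above, which is the quickest way to tell a wrong shared secret from a wrong passcode format.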

_EricaChalfin
Employee (Retired)

Chee Ho Calvin Ng, Ranjan P, Jash Upadhyay, and of course, Edward Davis and Jay Guillette,

 

This is what community is all about. Thank you all for your responses to help get Mohit Pankhania's device configured and authenticating. Nice work!

 

 

Regards,

Erica