AleksMarfunenko
Beginner

TTLS-PAP

Hi,

I am still trying to configure VPN and SecurID for Windows 10.
I found this article.

On servers

  • Install RSA Authentication Manager, and configure it to accept and process TTL-PAP authentication requests.

  • Configure the VPN server (Microsoft RRAS or a third-party server) to redirect all authentication requests to RSA Authentication Manager.

I have done the second requirement. How can I configure the first requirement?

 

Thank you!

0 Likes
6 Replies
AleksMarfunenko
Beginner

Looks like I need to enable EAP-TTLS, as described in "RSA Authentication Manager 8.2 Administrator's Guide.pdf", page 213.

Now I am trying to issue a certificate from the corporate PKI.

 

How can I generate a request in AM?

 

As AM is Linux, I did

openssl req -nodes -newkey rsa:2048 -keyout key.pem -out req.csr

Seems good.

0 Likes

Hello Aleks,

 

Make sure you have a keystore (.pfx) file that contains the new server certificate and the associated private key. This file should be in PKCS #12 file format and contain the replacement certificate and private key only. If the key-store contains more than one certificate, the wrong certificate may be used as the replacement server certificate.

 

As long as we are going to use .pfx, then there is no need to generate the private key from the server. Please refer to https://community.rsa.com/docs/DOC-45070?sr=search&searchId=78b0fb6f-0a2d-4eb0-b417-c9235e5a1742&searchIndex=1 as it will help you if there are any other queries you have.

 

So kindly check and advise us back if there is any assistance needed from our side.

 

Best Regards,

0 Likes
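
The keystore requirement in the reply above (PKCS #12, exactly one certificate plus its private key) can be checked with openssl before importing. This script is an added example, not part of the thread or of RSA's tooling; the PFX_PASS variable, the file names and the example.test names are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks on a PKCS #12 (.pfx) keystore.
# The password is read from the PFX_PASS environment variable (an assumption
# of this sketch) so it does not appear in the process list.

# Print how many certificates the keystore holds (0 if it cannot be read).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
        grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Succeed only if the keystore's private key belongs to its certificate.
pfx_key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASS 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Combined verdict: exactly one certificate, and the key matches it.
check_pfx() {
    local n
    n=$(pfx_cert_count "$1")
    if [ "$n" != 1 ]; then
        echo "FAIL: $1 holds $n certificates, expected exactly 1"; return 1
    fi
    pfx_key_matches_cert "$1" || { echo "FAIL: $1 key does not match certificate"; return 1; }
    echo "OK: $1 holds one certificate with its matching private key"
}

# Build two constructed keystores in directory $1 for trying the checks:
# good.pfx (one cert + key) and extra.pfx (same, plus an unrelated cert).
make_sample_pfx() {
    local d=$1 name
    for name in server other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name.example.test" \
            -keyout "$d/$name.key" -out "$d/$name.crt" 2>/dev/null || return 1
    done
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.crt" \
        -out "$d/good.pfx" -passout env:PFX_PASS &&
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.crt" \
        -certfile "$d/other.crt" -out "$d/extra.pfx" -passout env:PFX_PASS
}

# Run as: PFX_PASS=... ./check_pfx.sh keystore.pfx
if [ -n "${1:-}" ]; then check_pfx "$1"; fi
```

A keystore exported together with its issuing chain reports more than one certificate and fails the first check, which is the case the reply warns about.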

Hi Hussein,

I created a .cer file on my Windows server with common name rsa1.domain.domain.com,
then I exported it to a PFX file.

Then I imported it to RSA Radius EAP Certificates (Trusted Root Certificates imported as well),
but during the connection I still get an error:

 

09/02/2016 14:31:19 Server Certificate SHA1 Fingerprint: CF:2B:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:0C:DD

09/02/2016 14:31:19 DCF system started

09/02/2016 14:31:19 RSA RADIUS -- Powered by Steel-Belted Radius is operational.

09/02/2016 14:34:30 Request contained EAP Identity Response, but Identity did not match User-Name

09/02/2016 14:34:30 Request has invalid syntax (e.g. invalid, missing or duplicate attributes), Rejecting

09/02/2016 14:34:30 Sent reject response

Maybe I have to configure some Radius Profile?

0 Likes
HusseinElBaz
Employee

Hello Aleks,

 

RSA RADIUS server does not support MSCHAP; changing the VPN to use PAP instead should resolve the issue.

 

Best Regards,

0 Likes

My Windows users are using EAP:

 

Does it mean that RSA is not suitable for Apple OS X??? I'm not sure if OS X supports EAP.

0 Likes

So, OS X supports EAP. Right now I have configured VPN on OS X with a machine certificate.
I can't configure a user certificate, because OS X has a huuuuuuge problem...

0 Likes