This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
ANDREASMITH1
Beginner
Beginner
‎2016-04-13 03:30 PM

using RSA radius profile to request username and password and tokencode

After 8.1 upgrade, Cyberark radius authentication only show username/password, which is actually tokencode. It did have 3 fields, username, password, tokencode.  Where do I need to fix it to require all three when the client sends the authentication request?

0 Likes
Reply
3 Replies
_EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
‎2017-02-22 12:05 PM

Andrea Smith‌,

 

My apologies for taking so long to reply to your question.  I've moved it from the https://community.rsa.com/community/products/access-manager?sr=search&searchId=50ab2977-139c-49f8-8f2f-f5c7dd02853a&searchIndex=0 space to the https://community.rsa.com/community/products/securid?sr=search&searchId=a037926e-3611-4eaa-9190-2b0b733fc48b&searchIndex=0 space since it is about using an RSA RADIUS profile to request username, password and tokencode during the authentication.

 

Please let me know if you still have questions on this that we can help you answer.

 

Regards,
Erica

0 Likes
Reply
EdwardDavis
Employee
Employee
‎2017-02-22 12:46 PM

You need to fix the CyberArk side. Possibly.

 

The RSA server can only handle 2 fields for authentication: the userid and [password field (which contains the passcode, or pin+token)]. If there is another password field in play (like ldap password or anything not a pin+token) it is not controlled on the RSA server side.

 

Once the user and the passcode is authenticated, with radius, we can attach radius return attributes (if you configure it) along with access-accept,  for the radius client device to act upon. If CyberArk was using radius return attributes and now they are missing, that could be what changed.

 

 

CyberArk Software Inc. - Technology Integrations 

 

If you only upgraded the RSA server from (what version?) to 8.1..all I can guess is you were using Radius

return attributes previously, and the CyberArk was using that return data to trigger some other action, and the new RSA server does not have the same radius profile. So, was a radius profile being used on the previous RSA server before upgrade ?

 

 

short summary: 

RSA server sees incoming userid, checks if the user exists and is not locked out

RSA server looks at the password field and sees if it matches a pin and token belonging to that user

RSA server send back access-accept

RSA server checks if the user or the agent has a radius profile assigned, and if so, it appends additional attributes

to the access-accept return message.

The Radius client itself may be expecting the return radius attributes to contain specific parameters on what action to do next.

0 Likes
Reply
ANDREASMITH1
Beginner
Beginner
In response to _EricaChalfin
‎2017-02-22 01:27 PM

Yes I still have not been able to do this with Cyberark

 

Sent from my iPhone

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.