using RSA radius profile to request username and password and tokencode
After the 8.1 upgrade, CyberArk RADIUS authentication only shows username/password, where the password is actually the tokencode. It did have 3 fields: username, password, tokencode. Where do I need to fix it to require all three when the client sends the authentication request?
My apologies for taking so long to reply to your question. I've moved it from the https://community.rsa.com/community/products/access-manager?sr=search&searchId=50ab2977-139c-49f8-8f2f-f5c7dd02853a&searchIndex=0 space to the https://community.rsa.com/community/products/securid?sr=search&searchId=a037926e-3611-4eaa-9190-2b0b733fc48b&searchIndex=0 space since it is about using an RSA RADIUS profile to request username, password and tokencode during the authentication.
Please let me know if you still have questions on this that we can help you answer.
You need to fix the CyberArk side. Possibly.
The RSA server can only handle 2 fields for authentication: the userid and the password field (which contains the passcode, or PIN+token). If there is another password field in play (like an LDAP password or anything that is not a PIN+token), it is not controlled on the RSA server side.
Once the user and the passcode are authenticated, with RADIUS we can attach RADIUS return attributes (if you configure them) along with the access-accept, for the RADIUS client device to act upon. If CyberArk was using RADIUS return attributes and now they are missing, that could be what changed.
If you only upgraded the RSA server from (what version?) to 8.1, all I can guess is you were using RADIUS return attributes previously, and CyberArk was using that return data to trigger some other action, and the new RSA server does not have the same RADIUS profile. So, was a RADIUS profile being used on the previous RSA server before the upgrade?
RSA server sees incoming userid, checks if the user exists and is not locked out
RSA server looks at the password field and sees if it matches a pin and token belonging to that user
RSA server sends back access-accept
RSA server checks if the user or the agent has a RADIUS profile assigned, and if so, it appends additional attributes to the access-accept return message.
The Radius client itself may be expecting the return radius attributes to contain specific parameters on what action to do next.
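The exchange the reply above describes, as an added example that is not from this thread or from RSA or CyberArk: a minimal RFC 2865 Access-Request/Access-Accept round trip in which the request carries only User-Name and User-Password (the passcode, PIN + tokencode), the server checks the user, lockout state and passcode, and a RADIUS profile's return attributes are appended to the Access-Accept. The shared secret, user records, tokencodes and the profile attribute value are all constructed for the example.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CLASS = 1, 2, 25          # RFC 2865 attribute types
# Constructed stand-ins for the RSA user store (user -> PIN, tokencode, locked)
# and for a RADIUS profile; a real server derives the tokencode from the token seed.
USERS = {"alice": ("1234", "567890", False), "bob": ("9876", "111111", True)}
PROFILES = {"alice": [(CLASS, b"constructed-profile=vault-admins")]}

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Inverse of hide_password; the key chain uses the previous cipher block
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\0")

def build_request(user, passcode, secret):
    # The RADIUS client can carry exactly two credential attributes: User-Name and User-Password
    auth = os.urandom(16)
    avps = [(USER_NAME, user.encode()),
            (USER_PASSWORD, hide_password(passcode.encode(), secret, auth))]
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH16s", ACCESS_REQUEST, 1, 20 + len(body), auth) + body

def authenticate(packet, secret):
    # Server flow from the post: user exists and is not locked, password field == PIN + tokencode,
    # then Access-Accept carrying the assigned profile's return attributes
    code, ident, length, auth = struct.unpack("!BBH16s", packet[:20])
    attrs, pos = {}, 20
    while pos + 2 <= min(length, len(packet)) and packet[pos + 1] >= 2:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    passcode = reveal_password(attrs.get(USER_PASSWORD, b""), secret, auth)
    pin, tokencode, locked = USERS.get(user, ("", "", True))
    if locked or not hmac.compare_digest(passcode, (pin + tokencode).encode()):
        return ACCESS_REJECT, []                    # unknown, locked out, or bad passcode
    return ACCESS_ACCEPT, PROFILES.get(user, [])
```

Anything CyberArk needs beyond the accept/reject decision has to come back as return attributes on the Access-Accept, which is why a missing or changed RADIUS profile on the server shows up as changed client behaviour.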