- The RSA Authentication Manager Security Console Authentication Monitor displays the following message after a RADIUS authentication:
Date & Time: 1/25/2018 2:13:44
Log Level: Error
Activity Key: Principal authentication
Description: User "rsalocaltest" attempted to authenticate using authenticator "SecurID_Native".
The user belongs to security domain "SystemDomain"
Action Result Key: Failure
Result Key: AUTH_METHOD_FAILED
UserID: rsalocaltest
Result: Authentication Method Failed
- The RSA RADIUS date.log file located in /opt/rsa/am/radius lists the following errors:
Authentication Response (reject)
Unable to find user rsalocaltest with matching password
- Testing RADIUS authentications with a utility such as NTRadPing shows the following RADIUS Server reply:
Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
Transmitting packet, code=nn id=nn length=nnn
received response from the server in nnnn milliseconds
reply packet code=nn id=nn length=nnn
response: Access-Reject
----------------------------attribute dump-----------------------------
Run a RADIUS test with an internal database user with a fixed passcode and a RADIUS test client
Download and install NTRadPing
- Download NTRadPing, a free RADIUS test client.
- Unzip the file into a working directory on your local machine (for example, C:\Temp\ntradping). There will be two files: a RADIUS dictionary file and the NTRadPing executable.
Create a test RADIUS client
- Log in to the Security Console and navigate to RADIUS > RADIUS Client > Add New.
- Enter information to register your local machine as a RADIUS client.
- Enter a client name and the IP address of your machine.
- Leave the make/model as - Standard RADIUS -
- Create a RADIUS shared secret, such as 12345. You will need to enter this secret into the NTRadPing interface, so make a note of it.
- Click Save & Create Associated RSA Agent.
- Click Save when prompted.
- Click Yes, Save Agent.
Create a test user
- From the Security Console navigate to Identity > Users > Add New.
- Add a test user to the Authentication Manager internal database.
- Give the user the last name and user ID of rsalocaltest.
- Create a password for the user.
- Uncheck the option to require user to change password at next login.
- Click Save.
Assign a fixed passcode to the test user
- From the Security Console navigate to Identity > Users > Manage Existing.
- Search for the rsalocaltest user.
- When the results come back, click on the context arrow next to the user name and select Authentication Settings.
- Check the option of allow authentication with a fixed passcode.
- When prompted, enter then confirm the fixed passcode, such as 87654321.
- Click Save.
Test authentication with NTRadPing
- From C:\temp, launch ntradping.exe.
- For the RADIUS Server, enter the FQDN or IP address of the Authentication Manager server.
- For the RADIUS port, enter the UDP port your RADIUS server listens on. The registered UDP port for RADIUS traffic is 1812; early deployments of RADIUS used UDP 1645, while newer deployments use UDP 1812, so you may need to test both to see which port is correct for your install.
- Leave the Reply timeout at 3 and change Retries to 2.
- For RADIUS Secret Key, enter the secret you created when defining your new RADIUS client.
- For User Name, enter rsalocaltest.
- For Password, enter the fixed passcode created in Authentication Settings.
- Authentication Manager does not accept CHAP, so leave the option unchecked.
- Leave the Request type as Authentication Request.
- Leave Additional RADIUS Attributes blank.
- When done, click Send.
- Because a new fixed passcode was sent to the RADIUS server, the response that comes back is an Access-Challenge, as shown here:
Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
Transmitting packet, code=nn id=nn length=nnn
received response from the server in nnnn milliseconds
reply packet code=nn id=nn length=nnn
response: Access-Challenge
----------------------------attribute dump-----------------------------
Prompt=No-Echo
Reply-Message=\0x0d\0x0a Enter your new PIN, containing 4 to 8 c
State=SBR-CH 4|1\0x00
Please note: NTRadPing can do New PIN Mode, and the response will be Access-Challenge. See the knowledge article 000027040 entitled How to set PINs and navigate Next Tokencode Mode for RSA SecurID Tokens using NTRadPing for information on how to do this.
This is expected, and if this user was not in New PIN Mode the RADIUS Server reply would be as follows:
Sending authentication request to server <IP address of RSA RADIUS 7.1 server:port>
Transmitting packet, code=nn id=nn length=nnn
received response from the server in nnnn milliseconds
reply packet code=nn id=nn length=nnn
response: Access-Accept
----------------------------attribute dump-----------------------------
Class=2SBRCL\0xd4\0x80\0xdd\0xad\0x94\0x8d\0x80\0xbe\0xd8\
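The following is an added example, not code from RSA or from the NTRadPing tool, that reproduces the test exchange above without a network: it builds the same PAP Access-Request that NTRadPing sends (User-Name plus a User-Password hidden under the shared secret per RFC 2865), simulates the server's three possible replies (Access-Reject, Access-Challenge for New PIN Mode, Access-Accept), and verifies the Response Authenticator on the client side so that a reply from a host that does not know the shared secret is not trusted. The shared secret 12345, the user rsalocaltest and the fixed passcode 87654321 are the constructed values from the walkthrough above; the Reply-Message, State and Class contents are copied from the attribute dumps, and the server decision logic is a hypothetical stand-in for Authentication Manager, not its real behaviour.

```python
"""Minimal RFC 2865 RADIUS client/server helpers (added example, not RSA code).
Assumed values below are constructed to match the article's walkthrough."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_REQUEST: "Access-Request", ACCESS_ACCEPT: "Access-Accept",
              ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
# Attribute types seen in the NTRadPing dumps (RFC 2865 and RFC 2869 Prompt)
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, CLASS, PROMPT = 1, 2, 18, 24, 25, 76
ATTR_NAMES = {USER_NAME: "User-Name", USER_PASSWORD: "User-Password", REPLY_MESSAGE: "Reply-Message",
              STATE: "State", CLASS: "Class", PROMPT: "Prompt"}

# Constructed test values from the article (not real credentials)
SHARED_SECRET = b"12345"
TEST_USER = "rsalocaltest"
TEST_PASSCODE = "87654321"


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    padded = data + b"\x00" * ((16 - len(data) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hide else block  # the chain always continues from the ciphertext block
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_chain(password, secret, authenticator, hide=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_chain(hidden, secret, authenticator, hide=False).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute values are limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         authenticator: bytes = b"") -> bytes:
    """Access-Request as NTRadPing sends it for a PAP (CHAP unchecked) test."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = encode_attr(USER_NAME, username.encode()) + \
        encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, id, authenticator, [(type, value), ...]); rejects malformed lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not verify must be discarded, not acted on."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulate_server(request: bytes, secret: bytes, users: dict, new_pin_mode: set) -> bytes:
    """Hypothetical stand-in for the RADIUS server's decision, yielding the article's three replies."""
    _, _, req_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    user = fields.get(USER_NAME, b"").decode(errors="replace")
    passcode = reveal_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    if user not in users or not hmac.compare_digest(users[user].encode(), passcode):
        return build_response(ACCESS_REJECT, request, secret, b"")  # "Unable to find user ... with matching password"
    if user in new_pin_mode:
        challenge = (encode_attr(PROMPT, struct.pack("!I", 0))  # 0 = No-Echo
                     + encode_attr(REPLY_MESSAGE, b"\r\nEnter your new PIN, containing 4 to 8 c")
                     + encode_attr(STATE, b"SBR-CH 4|1\x00"))
        return build_response(ACCESS_CHALLENGE, request, secret, challenge)
    return build_response(ACCESS_ACCEPT, request, secret, encode_attr(CLASS, b"2SBRCL" + os.urandom(8)))


def describe(response: bytes) -> dict:
    """Flatten a reply into the names NTRadPing prints in its attribute dump."""
    code, _, _, attrs = parse_packet(response)
    out = {"response": CODE_NAMES.get(code, "code %d" % code)}
    for attr_type, value in attrs:
        name = ATTR_NAMES.get(attr_type, "attr %d" % attr_type)
        out[name] = "No-Echo" if attr_type == PROMPT and value == b"\0\0\0\0" else value
    return out


if __name__ == "__main__":
    req = build_access_request(1, SHARED_SECRET, TEST_USER, TEST_PASSCODE)
    reply = simulate_server(req, SHARED_SECRET, {TEST_USER: TEST_PASSCODE}, {TEST_USER})
    print(describe(reply), "authentic:", verify_response(reply, req, SHARED_SECRET))
```

Two points the walkthrough relies on become visible here: a client configured with the wrong shared secret produces a User-Password the server cannot reveal, which is why a wrong secret shows up as the same "matching password" reject as a wrong passcode, and the Response Authenticator is the only thing that ties an Access-Accept to the server that holds the secret, so a test client should check it rather than trust the code byte alone.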
Contact RSA Customer Support if you require further assistance with RADIUS configurations and authentication testing.