Announcements

SecurID® Prime

Error when setting up the new PIN over VPN

FabPell980
Beginner
Beginner
0 1 578

Hello,

we are trying to setup the PIN authentication on RSA Authentication Manager 8.6

Authentication via username/password works but when PIN authentication is enabled, clients are not able to set the PIN via VPN.
VPN client is SonicWall NetExtender and when the client is prompted to setup the new PIN the client displays the error "Login failed/Incorrect username/password" while the RADIUS logs shows "Login incorrect".

FabPell980_4-1644307534732.pngFabPell980_5-1644307543432.png

FabPell980_3-1644307413112.png

Now, we made a packet capture of the traffic between the firewall and the radius server:
- radius sends the packet to ask the client to create the new PIN
FabPell980_0-1644307292497.png
the answer to that packet is

FabPell980_1-1644307320642.png

and then the radius server sends the authentication failure.

FabPell980_2-1644307386953.png

The State field is used to assign the RADIUS transactions and must match the State field of the previous access challenge exactly for the 2nd access request: https://community.rsa.com/t5/securid-access-knowledge-base/how-to-set-pins-and-navigate-next-tokencode-mode-for-rsa-securid/ta-p/7280 This is not the case with us, apparently the VPN client cuts off here after 66 bytes.

My question is: when the new PIN is set what the Radius server excepts to receive from the client?
I have already addressed the issue to SonicWall but I would like to know what Radius needs when the new PIN is set.
Also, is there a way to get more logs from the radius server regarding this issue?

Thank you.

Fab

 



Tags (2)
1 Comment