I want to know if we can integrate SWIFT with RSA two factor authentication?
Ed was saying you can configure your Swift Authentication to a RADIUS server, which basically needs a destination IP address and a shared RADIUS secret. On the Auth Manager side you configure the Switch server as a RADIUS client with associated Authentication Agent. Passing RADIUS attributes back through RADIUS profiles can make this more complex, but the Authentication piece is simply, Swift sends a UserID and PassCode (PIN+TokenCode) and Auth Manager either says Yes Success or No Failure.
If unfamiliar with RSA AM RADIUS, do a test with NTRadPing.exe - find it on Novell's Web Site it is a Windows executable 'RADIUS Client'
How to configure an ntradping RADIUS client.
First, you need the IP address of the PC where the NTRadPing.exe and raddict.dat files are, as this will be your RADIUS client.
Next you need to Add New under RADIUS – RADIUS Clients in the Security Console, like this:
So this is an example of adding a RADIUS client with IP address 10.100.40.205. Name resolution is not important with RADIUS Client, so you do not have to have the real DNS name or FQDN.
What’s important here is the Shared Secret. You will have to use the exact same secret on the NTRadPing screen on your PC.
Leave the Make/Model as – Standard RADIUS -, and do not check any of the boxes. Then “Save and Create Associated RSA Agent” in the lower right. You will have a RADIUS Client and an Authentication Agent Entry.
Now the Server side is done, the RSA Server knows that a RADIUS clients will be sending Authentication Requests.
Next, on your PC, start the NTRadPing.exe (raddict.dat must be in same directory). It looks like this:
Here are the things you need to fill in;
RADIUS Shared Secret – exact same as you entered for RADIUS Client above
UserID or login ID from Authentication Manager
PassCode or fixed PassCode. Cannot login with Password to Authentication Manger from agent or RADIUS client. Also New PIN or Next Token code not supported by NTRadPing, so test this user login from the Self-Server Console or another agent 1st
On the RSA Server side you’ll want to watch two places when you do this Send.
If you need to run a TCPdump, filter on either #port 1812 or 1645, and write to file;
SSH to the Virtual Appliance with the operating system account rsaadmin.
sudo su -
<same password again> This makes you root
# cd /usr/sbin
./tcpdump -i eth0 -s 1514 -Z root host 10.100.40.205 -w /tmp/JayPC.pcap This writes to a file in /tmp
./tcpdump -i eth0 -s 1514 -Z root port 1645 -w /tmp/radius.pcap
chmod 777 /tmp/ radius.pcap This grants full permissions to everyone, makes it easy to copy file off with WinSCP
You will be able to see return attributes in a RADIUS packet capture.
Swift Alliance access ? Yes it will work with SecurID, with radius. You will need to contact Swift and they will help
you set it up by configuring Swift to authenticate with Radius to the RSA server.
Depending on your actual setup and the servers running Swift, it might take some troubleshooting if it doesn't work, but the RSA server does receive valid authentication requests from Swift and send radius access-accept replies back. [In one circumstance the RSA server sent back access-accept, and the operating system running Swift had some other software on it that was molesting the radius reply packet and adding a few bytes, and when passed to the Swift app the packet length field didn't match. Easily corrected.]
Hi, Edward, I also have this question. Any configuration guide can be provided for SWIFT Alliance Access? I have had several cases about an integration of SWIFT console in financial institutions. However, we are fail in POC stage because of technical problems.
We completed successful POC integrating SWIFT with RSA, follow the below check list:
Step1: Logon with LSO -> User management -> Authentication Server Group -> Specify Name, Description, IP of RSA authentication manager, port (1812 or 1645), Local port 1024. Key left : Support!11111111 (16 characters you have to enter) SAVE and Approve,
Step2: Logon with RSO -> User management -> Authentication Server Group -> Approve.
Step1: Logon to security console -> RADIUS -> RADIUS Client -> Add new
Client Name : Name for RADIUS ClientIP Address : IP address of SWIFT serverModel : Keep default as Standard RadiusShared Secret : LSO key followed by RSO key(For Eg: LSO authentication server group password: Support!11111111,RSO authentication server group password: Support!22222222In Shared Secret you have to enter password as Support!11111111Support!22222222)
Step2: save and associated and click save and for confirmation click Yes, Save Agent
Now check the SWIFT user login (user authentication type should be : RADIUS one time password) with RSA PIN/Token/Passcode whatever you configured for the user at RSA AM.
Note : Before implementation go through the document which provide by RSA for port communication and other security related configurations.
I tired the steps that you have mentioned,but I am getting an error " Authentication Method Failed,Pass-code format Error". Let me know if you have a resolution for the same.
# Integration with SWIFT
Kindly capture the UDP packets at the RSA AM server with the following command. (change the 1812 if you are using any other port number)
sudo tcpdump -i eth0 udp port 1812 -nn -s 0 -w /tmp/logcap.cap
Step 1.) Open the logcap.cap file in wireshark
Step 2.) Right click on Access-Request (swift to RSA AM server) -> select "protocol preferences" -> click "Shared Secret"
Step 3.) Enter LSO password followed by RSO password shared secret like above Support!11111111Support!22222222.
Step 4.) Look the data packet below at RADIUS PROTOCOL -> Attribute Value Pairs -> User-Password
The user password which is display at below frame , the same will receives at the RSA AM server.
For Example :
User-Password: 1234785412(Passcode) or 785412(TOKEN Code) will authenticate, other any format of token came it will show the error as " Authentication Method Failed,Pass-code format Error"
Note : If your shared secret is correct you can see the user password at frame, else it will display like decrypted \1345\66\316546\33465\31
Chee Ho Calvin Ng, Ranjan P, Jash Upadhyay, and of course, Edward Davis and Jay Guillette,
This is what community is all about. Thank you all for your responses to help get Mohit Pankhania's device configured and authenticating. Nice work!
Retrieving data ...