integration guide for thycotic? Does one exist?
Trying to set up RADIUS on a Thycotic server.
Keep getting passcode format errors.
Bobby Vaughan |Telecommunications Manager |Virginia Lottery
600 East Main Street, Richmond, VA 23219
Ph: +1 804-692-7711
bvaughan@valottery.com<mailto:bvaughan@valottery.com>
<http://facebook.com/VALottery>
<http://twitter.com/VirginiaLottery>
Passcode format errors occur when the passcode length is invalid.
If that doesn't help I would recommend opening a support case so that we can get more details.
Thanks,
Ted
Will do.
Thanks
As Ted said, a Passcode Format Error (aka Syntax error in AM) is because the Passcode length is not the right number of digits, so the user could have mistyped or they need a PIN or something, but if everyone is getting Passcode Format errors on a RADIUS client, I would double check that the RADIUS Shared Secret is configured exactly the same on both sides. Especially if you have proven that the same user and Passcode works on another agent or logon.
Are you integrating Thycotic with SecurID Authentication Manager (Security Console - RADIUS - RADIUS Clients) or with SecurID Access Manager (Identity Router, IDR)?
Does Thycotic control the Access and just wants AM to authenticate users with a 2FA Passcode?
Trying to set it up as a RADIUS client.
The Thycotic server admin sent me the shared secret. I pasted it into the RSA client configuration.
The Thycotic server admins are the ones testing it and I really can't tell what they are typing. Basically half the time they fail authentication to our VPN and lock out their accounts. I sent them to the self-service portal to test and 1 admin was finally able to get in.
I’m working remote from them, so I can’t see what they are doing.
I thought it was the shared secret, so I took the option for the RSA server to create the secret and I downloaded a file. I sent the file to them and they say they don’t have a way to load it to Thycotic.
What you did there was download a [node secret]. That is not used with RADIUS; it is used for other RSA agent functions. The RADIUS client page (not the corresponding agent page) is where you pasted in the shared secret, and it is this value you can prove/deny with my Wireshark example and packet capture.
Thanks
I don't think they gave me the correct shared secret. The file download was an attempt to create one that the RSA server knew and could be shared with the other end. Thanks for clarifying the actual purpose of the file.
I will get them to paste in a new shared secret and I will do so on my end too.
Thanks again
Bobby
Just wanted to update you all. I created a shared secret and sent it to the Admins configuring the Thycotic server.
They entered it on their side and authentication works now.
Thanks
Bobby
A passcode format error when using RADIUS is typically seen when the shared secret does not match.
[The fix of course is re-setting them on both ends to a known value]
You can prove/deny this using a packet capture of the attempt: load it in Wireshark, go to Wireshark preferences, put the shared secret you think should be used in the Protocols - RADIUS section, and then examine the Access-Request. The numbers you typed in for the passcode will be either clear or garbage; the garbage causes passcode format errors.
To do an easy packet capture:
- get on the command line of the RSA AM server as rsaadmin
- become root user with sudo su - (and rsaadmin password again)
- run tcpdump and make a capture file:
  am-server:~ # tcpdump -i eth0 host ip.address.of.thycotic -nn -s 0 -w /tmp/thycotic.pcap
- do the test
- ctrl-c to exit tcpdump
- sftp the /tmp/thycotic.pcap off the RSA server and load it into Wireshark
Example of correct shared secret (fixed passcode of 4 characters used):
Attribute Value Pairs
AVP: l=5 t=User-Name(1): zaz
AVP: l=18 t=User-Password(2): Decrypted: 4444
Example of incorrect shared secret (same packet):
Attribute Value Pairs
AVP: l=5 t=User-Name(1): zaz
AVP: l=18 t=User-Password(2): Decrypted: &\374\323w\275\330\361g\013#\241\307d\266\326\345
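To see why a mismatched shared secret surfaces as a passcode format error rather than a plain wrong-password failure, here is an added Python example (not code from the thread, RSA or Thycotic) that implements the RFC 2865 User-Password hiding that Wireshark undoes, then decrypts the same AVP with the right secret and with a wrong one. The secret, passcode and Request Authenticator values are constructed for the demo.

```python
import hashlib

# RFC 2865 section 5.2: the password is NUL-padded to 16-byte blocks and each
# block is XORed with MD5(secret + previous cipher block); the first "previous
# block" is the 16-byte Request Authenticator from the Access-Request header.

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: hide a User-Password value before sending it."""
    assert len(authenticator) == 16, "Request Authenticator is 16 bytes"
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    cipher, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        cipher, prev = cipher + block, block
    return cipher

def radius_reveal_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server (or Wireshark) side: reverse the hiding with the secret it knows."""
    plain, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return plain.rstrip(b"\x00")

def user_password_avp(cipher: bytes) -> bytes:
    """Wrap the hidden value as AVP type 2; l = 2 header bytes + value length."""
    return bytes([2, 2 + len(cipher)]) + cipher

def passcode_syntax_ok(revealed: bytes, expected_digits: int) -> bool:
    """Mirror of the AM syntax check: only digits, and exactly the expected length."""
    return revealed.isdigit() and len(revealed) == expected_digits

if __name__ == "__main__":
    authenticator = bytes(range(16))          # constructed, normally random per request
    hidden = radius_hide_password(b"4444", b"good-secret", authenticator)
    print("AVP length field:", user_password_avp(hidden)[1])            # 18, as in the capture
    good = radius_reveal_password(hidden, b"good-secret", authenticator)
    bad = radius_reveal_password(hidden, b"wrong-secret", authenticator)
    print("right secret:", good, "syntax ok:", passcode_syntax_ok(good, 4))
    print("wrong secret:", bad, "syntax ok:", passcode_syntax_ok(bad, 4))
```

With the wrong secret the server never sees "4444"; it sees 16 pseudo-random bytes, fails the digits-and-length check, and reports a format error instead of a bad passcode.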
Thycotic is in the RSA Ready certification queue. They've told us it works so perhaps Thycotic Customer Support can help?
Thanks for the post, Michael Wolff. Do we have an estimated date when the guide will be posted?
Regards,
Erica
Hi Bobby - looking at the RSA Ready site I don't see anything for Thycotic.
What type of integration are you looking to do?