[RADIATOR] Problems integrating with RSA Authentication Manager 7.1
Bjørn-Kåre Flister
Bjorn-Kare.Flister at atea.no
Tue Feb 3 16:15:21 CST 2009
Hi Mike
Thank you for your followup
1. Policy RSA_Password -> Access Denied -> Solved
I was testing with an LDAP/AD user, and not a local/internal RSA user
OK, when I tested with an internal RSA user using Policy RSA_Password
OK, with an AD user, using Policy LDAP_Password
2. Policy OnDemand
Radpwtst:
C:\perl\bin\perl radpwtst -noacct -interactive -timeout 30 -user test -password 1234
Radius.cfg
----------------
Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator
Trace 4
<Client DEFAULT>
    Secret mysecret
    DupInterval 0
</Client>
<Realm DEFAULT>
    <AuthBy RSAAM>
        Host rsa-server:7002
        SessionUsername CmdClient_abcdefg
        SessionPassword abcDEF
        NoDefault
        # SOAPTrace all
        Policy OnDemand
        # SecurID_Native
        # OnDemand
        # LDAP_Password
        # Security_Questions
        # SecurID_Proxy
        # RSA_Password
        EAPType Generic-Token
    </AuthBy>
    AcctLogFileName %D/detail
</Realm>
-----------------
Logfile:
-----------------
Tue Feb 3 22:27:41 2009: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
Tue Feb 3 22:27:41 2009: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
Tue Feb 3 22:27:41 2009: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Feb 3 22:27:41 2009: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Feb 3 22:27:41 2009: NOTICE: Server started: Radiator 4.3.1 on rsa-server (LOCKED)
Tue Feb 3 22:27:46 2009: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 2002 ....
Code: Access-Request
Identifier: 91
Authentic: i<231><188><151><167><12>6<243><186><209><142><246>{j<132><227>
Attributes:
User-Name = "test"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = <160><143>?<215>"<30>DL<239><184><4><255><136>d<130><220>
Tue Feb 3 22:27:46 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Feb 3 22:27:46 2009: DEBUG: Deleting session for test, 203.63.154.1, 1234
Tue Feb 3 22:27:46 2009: DEBUG: Handling with Radius::AuthRSAAM:
Tue Feb 3 22:27:46 2009: DEBUG: Radius::AuthRSAAM looks for match with test [test]
Tue Feb 3 22:27:46 2009: DEBUG: RSA AM start https://rsa-server.net:7002/ims-ws/services/CommandServer
Tue Feb 3 22:27:46 2009: DEBUG: Calling SOAP LoginCommand
Tue Feb 3 22:27:48 2009: DEBUG: LoginCommand result in_progress, Tokencode
Tue Feb 3 22:27:48 2009: DEBUG: RSA AM continue
Tue Feb 3 22:27:48 2009: DEBUG: Radius::AuthRSAAM CHALLENGE: RSA AM data request: test [test]
Tue Feb 3 22:27:48 2009: DEBUG: AuthBy RSAAM result: CHALLENGE, RSA AM data request
Tue Feb 3 22:27:48 2009: DEBUG: Access challenged for test: RSA AM data request
Tue Feb 3 22:27:48 2009: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 2002 ....
Code: Access-Challenge
Identifier: 91
Authentic: <149><200>cx<23>h<152><21><1><16><139><17>3<127>O0
Attributes:
State = RSAAM=0
Reply-Message = "CHALLENGE=Tokencode:"
Tue Feb 3 22:28:10 2009: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 2002 ....
Code: Access-Request
Identifier: 92
Authentic: i<231><188><151><167><12>6<243><186><209><142><246>{j<132><227>
Attributes:
User-Name = "test"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
State = RSAAM=0
User-Password = <160><143>?<215><19>/w|<220><128>1<199><136>d<130><220>
Tue Feb 3 22:28:10 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Feb 3 22:28:10 2009: DEBUG: Deleting session for test, 203.63.154.1, 1234
Tue Feb 3 22:28:10 2009: DEBUG: Handling with Radius::AuthRSAAM:
Tue Feb 3 22:28:10 2009: DEBUG: Radius::AuthRSAAM looks for match with test [test]
Tue Feb 3 22:28:10 2009: DEBUG: RSA AM continue 123411303858
Tue Feb 3 22:28:10 2009: DEBUG: Calling SOAP LoginCommand
-----------------
Command Console message:
Can't call method "getNasId" on an undefined value at c:/perl/site/lib/Radius/AuthRSAAM.pm line 492.
...caught at c:\perl\bin\radiusd line 2.
3. Two Response input boxes (I shall also check with RSA and Citrix)
-----------------
Tue Feb 3 22:45:33 2009: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
Tue Feb 3 22:45:33 2009: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
Tue Feb 3 22:45:33 2009: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Feb 3 22:45:33 2009: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Feb 3 22:45:33 2009: NOTICE: Server started: Radiator 4.3.1 on rsa-server (LOCKED)
Tue Feb 3 22:46:00 2009: DEBUG: Packet dump:
*** Received from 123.123.123.3 port 32769 ....
Code: Access-Request
Identifier: 0
Authentic: @<4><10>QCE<206>H5<209>z<177><133>O<234>}
Attributes:
User-Name = "testbkf"
User-Password = <190>3<2><243>_<187>:<236><2><251><227>;l<206><219>u
NAS-IP-Address = 123.123.123.3
NAS-Port = 0
NAS-Port-Type = Async
Tue Feb 3 22:46:00 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Feb 3 22:46:00 2009: DEBUG: Deleting session for testbkf, 123.123.123.3, 0
Tue Feb 3 22:46:00 2009: DEBUG: Handling with Radius::AuthRSAAM:
Tue Feb 3 22:46:00 2009: DEBUG: Radius::AuthRSAAM looks for match with testbkf [testbkf]
Tue Feb 3 22:46:00 2009: DEBUG: RSA AM start https://rsa-server:7002/ims-ws/services/CommandServer
Tue Feb 3 22:46:00 2009: DEBUG: Calling SOAP LoginCommand
Tue Feb 3 22:46:01 2009: DEBUG: LoginCommand result in_progress, Tokencode
Tue Feb 3 22:46:01 2009: DEBUG: RSA AM continue
Tue Feb 3 22:46:01 2009: DEBUG: Radius::AuthRSAAM CHALLENGE: RSA AM data request: testbkf [testbkf]
Tue Feb 3 22:46:01 2009: DEBUG: AuthBy RSAAM result: CHALLENGE, RSA AM data request
Tue Feb 3 22:46:01 2009: DEBUG: Access challenged for testbkf: RSA AM data request
Tue Feb 3 22:46:01 2009: DEBUG: Packet dump:
*** Sending to 123.123.123.3 port 32769 ....
Code: Access-Challenge
Identifier: 0
Authentic: I(<248>2H<w<224><170>+<0>Zw<207><158><233>
Attributes:
State = RSAAM=0
Reply-Message = "CHALLENGE=Tokencode:"
Tue Feb 3 22:46:11 2009: DEBUG: Packet dump:
*** Received from 123.123.123.3 port 32769 ....
Code: Access-Request
Identifier: 0
Authentic: ,<228><26><185>u<20>Y<13>?<176><155><209><184>f<190>o
Attributes:
User-Name = "testbkf"
User-Password = <151><218>V1<189>2<5>K<29><169><204><201><172><211><227><19>
State = RSAAM=0
NAS-IP-Address = 123.123.123.3
NAS-Port = 0
NAS-Port-Type = Async
Tue Feb 3 22:46:11 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Feb 3 22:46:11 2009: DEBUG: Deleting session for testbkf, 123.123.123.3, 0
Tue Feb 3 22:46:11 2009: DEBUG: Handling with Radius::AuthRSAAM:
Tue Feb 3 22:46:11 2009: DEBUG: Radius::AuthRSAAM looks for match with testbkf [testbkf]
Tue Feb 3 22:46:11 2009: DEBUG: RSA AM continue 12341234
Tue Feb 3 22:46:11 2009: DEBUG: Calling SOAP LoginCommand
-----------------
Command Console message:
Can't call method "getNasId" on an undefined value at c:/perl/site/lib/Radius/AuthRSAAM.pm line 492.
...caught at c:\perl\bin\radiusd line 2.
Best Regards
Bjorn-Kare
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Mike McCauley
Sent: 3. februar 2009 00:19
To: radiator at open.com.au
Cc: Bjørn-Kåre Flister
Subject: Re: [RADIATOR] Problems integrating with RSA Authentication Manager 7.1
Hello Bjørn-Kåre,
On Tuesday 03 February 2009 05:16:25 am Bjørn-Kåre Flister wrote:
> Hi
>
> I am testing Radiator integration with RSA Authentication Manager 7.1
> and got some problems/errors.
>
> 1. When using Policy RSA_Password
> RSA-server logs the following message:
>
> Access Denied: User "testUser" attempted to authenticate using
> authenticator "". The user belongs to security domain "SystemDomain"
> Reason: Missing authenticators
Probably you have not set a static password for that user in AM.
>
>
> 2: When using Policy Ondemand or Policy Security_Questions Radiator
> crashes/stops with the following message:
>
> DEBUG: Calling SOAP LoginCommand
> Can't call method "getNasId" on an undefined value at
> c:/perl/site/lib/Radius/AuthRSAAM.pm line 492. ...caught at
> c:\perl\bin\radiusd line 2.
>
> Tested with radpwtst -interactive
> and tested using Citrix Access Gateway standard 4.5.8. Both tests crash
> the Radiator daemon/service
We haven't been able to reproduce this.
Can you send the exact radpwtst command line you used to test, along with your Radiator configuration file (no secrets) and the Radiator log file at trace level 4?
>
> 3: When testing ondemand against a Citrix Access gateway standard
> 4.5.8 I get two input-boxes: "Response" and "Verify Response"
> Is it Radiator asking for two inputs of the response?
> And if it is, is it possible to turn off/Disable the "Verify Response"
> input-box? The users will probably not accept having to write an 11-number
> digit ondemand password twice :-)
Radiator does not independently ask to verify the input, but only does that if AM asks for it. So it sounds like AM is asking for verification. However, in tests of OnDemand here, AM does not ask to verify on-demand codes.
Is it possible AM is misconfigured, or is perhaps trying to verify a new token?
A complete trace 4 log of the conversation will help you to understand what's going on with AM.
Hope that helps.
Cheers.
>
>
> My setup is:
> RSA authentication Manager and Radiator installed on same server
> Windows 2003 Server R2/SP2 Enterprise Edition RSA Authentication
> Manager 7.1 with P1 (using port 1812/1813 for Radius) ActivePerl
> 5.8.8.822 (installed and configured using setting the environment
> variable PERL5LIB=) Radiator-Locked-4.3.1.exe with
> patches-4.3.1.tar.gz, (using port 1645/11656 for Radius) configured
> with registry set:
> HKLM\SYSTEM\CurrentControlSet\Services\Radiator
> Environment REG_MULTI_SZ PERL5LIB=
>
>
> I have managed to authenticate using Policy LDAP_Password
>
>
> Hope you can help me getting Radiator to play with the RSA AM 7.1
>
>
> Best Regards
> Bjorn-Kare
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
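
Added example, not part of the original thread and not Radiator code: a small Python parser for trace 4 logs of the shape posted above. It pairs each handled request with its AuthBy result and flags requests that reached "Calling SOAP LoginCommand" but never logged a result, which is where both traces in this thread end. The sample log is constructed from abbreviated lines of the first trace; the function and field names are assumptions.

```python
import re

# Constructed sample: abbreviated lines in the shape of the trace 4 log in this thread.
SAMPLE_LOG = """\
Tue Feb 3 22:27:46 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Feb 3 22:27:46 2009: DEBUG: Radius::AuthRSAAM looks for match with test [test]
Tue Feb 3 22:27:46 2009: DEBUG: Calling SOAP LoginCommand
Tue Feb 3 22:27:48 2009: DEBUG: LoginCommand result in_progress, Tokencode
Tue Feb 3 22:27:48 2009: DEBUG: AuthBy RSAAM result: CHALLENGE, RSA AM data request
Tue Feb 3 22:28:10 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Feb 3 22:28:10 2009: DEBUG: Radius::AuthRSAAM looks for match with test [test]
Tue Feb 3 22:28:10 2009: DEBUG: Calling SOAP LoginCommand
"""

# "<timestamp>: <LEVEL>: <message>"; packet dump lines do not match and are skipped.
LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}): (?P<level>\w+): (?P<msg>.*)$")

def parse_requests(log_text):
    """Return one record per 'Handling request' line, filled from the lines that follow it."""
    requests, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("Handling request with Handler"):
            current = {"start": m["ts"], "user": None, "soap_called": False,
                       "soap_result": None, "result": None}
            requests.append(current)
        elif current is None:
            continue  # startup lines before the first request
        elif (u := re.search(r"looks for match with (\S+)", msg)):
            current["user"] = u[1]
        elif msg == "Calling SOAP LoginCommand":
            current["soap_called"] = True
        elif msg.startswith("LoginCommand result "):
            current["soap_result"] = msg[len("LoginCommand result "):]
        elif (r := re.search(r"^AuthBy \w+ result: (\w+)", msg)):
            current["result"] = r[1]
    return requests

def stalled(requests):
    """Requests where the SOAP call was made but no AuthBy result was ever logged."""
    return [r for r in requests if r["soap_called"] and r["result"] is None]

if __name__ == "__main__":
    for r in stalled(parse_requests(SAMPLE_LOG)):
        print(f"{r['start']}: no AuthBy result for user {r['user']} after SOAP LoginCommand")
```

A stalled request at the very end of a log is consistent with the daemon having stopped mid-request, so it is worth alerting on alongside a service-down check.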