[RADIATOR] Problems integrating with RSA Authentication Manager 7.1

Mike McCauley mikem at open.com.au
Tue Feb 3 19:00:16 CST 2009


On Wednesday 04 February 2009 08:15:21 am Bjørn-Kåre Flister wrote:
> Hi Mike
> Thank you for your followup
>
> 1. Policy RSA_Password -> Access Denied -> Solved
> I was testing with a ldap/AD user, and not a local/internal RSA-user
> OK, when I tested with a internal RSA user using Policy RSA_Password
> OK, with a AD user, using Policy LDAP_Password

OK.

>
>
> 2. Policy OnDemand
> Radpwtst:
> C:\perl\bin\perl radpwtst -noacct -interactive -timeout 30 -user test -password 1234

Thanks for the data. This crash was caused by a recently introduced problem in 
the patch set. We have now updated the Radiator patch set to fix this 
problem. You should download and unpack the latest patch set. 

Thanks for reporting this problem.

FYI, the default configuration of OnDemand tokencodes in AM does not require 
the OnDemand token to be verified. Your users should only have to enter their 
on-demand code once.

Cheers.


>
> Radius.cfg
> ----------------
> Foreground
> LogStdout
> LogDir	       c:/Program Files/Radiator
> DbDir         c:/Program Files/Radiator
>
> Trace 		4
>
> <Client DEFAULT>
> 	Secret	mysecret
> 	DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> 	<AuthBy RSAAM>
> 		Host rsa-server:7002
> 		SessionUsername CmdClient_abcdefg
> 		SessionPassword abcDEF
> 		NoDefault
> #		SOAPTrace all
> 		Policy OnDemand
> 		#  SecurID_Native
> 		#  OnDemand
> 		#  LDAP_Password
> 		#  Security_Questions
> 		#  SecurID_Proxy
> 		#  RSA_Password
> 		EAPType Generic-Token
> 	</AuthBy>
>
> 	AcctLogFileName	%D/detail
> </Realm>
> -----------------
>
> Logfile:
> -----------------
> Tue Feb  3 22:27:41 2009: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
> Tue Feb  3 22:27:41 2009: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
> Tue Feb  3 22:27:41 2009: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Feb  3 22:27:41 2009: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Feb  3 22:27:41 2009: NOTICE: Server started: Radiator 4.3.1 on rsa-server (LOCKED)
> Tue Feb  3 22:27:46 2009: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 2002 ....
> Code:       Access-Request
> Identifier: 91
> Authentic:  i<231><188><151><167><12>6<243><186><209><142><246>{j<132><227>
> Attributes:
> 	User-Name = "test"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Identifier = "203.63.154.1"
> 	NAS-Port = 1234
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	NAS-Port-Type = Async
> 	User-Password = <160><143>?<215>"<30>DL<239><184><4><255><136>d<130><220>
>
> Tue Feb  3 22:27:46 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Feb  3 22:27:46 2009: DEBUG:  Deleting session for test, 203.63.154.1, 1234
> Tue Feb  3 22:27:46 2009: DEBUG: Handling with Radius::AuthRSAAM:
> Tue Feb  3 22:27:46 2009: DEBUG: Radius::AuthRSAAM looks for match with test [test]
> Tue Feb  3 22:27:46 2009: DEBUG: RSA AM start https://rsa-server.net:7002/ims-ws/services/CommandServer
> Tue Feb  3 22:27:46 2009: DEBUG: Calling SOAP LoginCommand
> Tue Feb  3 22:27:48 2009: DEBUG: LoginCommand result in_progress, Tokencode
> Tue Feb  3 22:27:48 2009: DEBUG: RSA AM continue
> Tue Feb  3 22:27:48 2009: DEBUG: Radius::AuthRSAAM CHALLENGE: RSA AM data request: test [test]
> Tue Feb  3 22:27:48 2009: DEBUG: AuthBy RSAAM result: CHALLENGE, RSA AM data request
> Tue Feb  3 22:27:48 2009: DEBUG: Access challenged for test: RSA AM data request
> Tue Feb  3 22:27:48 2009: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 2002 ....
> Code:       Access-Challenge
> Identifier: 91
> Authentic:  <149><200>cx<23>h<152><21><1><16><139><17>3<127>O0
> Attributes:
> 	State = RSAAM=0
> 	Reply-Message = "CHALLENGE=Tokencode:"
>
> Tue Feb  3 22:28:10 2009: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 2002 ....
> Code:       Access-Request
> Identifier: 92
> Authentic:  i<231><188><151><167><12>6<243><186><209><142><246>{j<132><227>
> Attributes:
> 	User-Name = "test"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Identifier = "203.63.154.1"
> 	NAS-Port = 1234
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	NAS-Port-Type = Async
> 	State = RSAAM=0
> 	User-Password = <160><143>?<215><19>/w|<220><128>1<199><136>d<130><220>
>
> Tue Feb  3 22:28:10 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Feb  3 22:28:10 2009: DEBUG:  Deleting session for test, 203.63.154.1, 1234
> Tue Feb  3 22:28:10 2009: DEBUG: Handling with Radius::AuthRSAAM:
> Tue Feb  3 22:28:10 2009: DEBUG: Radius::AuthRSAAM looks for match with test [test]
> Tue Feb  3 22:28:10 2009: DEBUG: RSA AM continue 123411303858
> Tue Feb  3 22:28:10 2009: DEBUG: Calling SOAP LoginCommand
> -----------------
> Command Console message:
> Can't call method "getNasId" on an undefined value at
> c:/perl/site/lib/Radius/AuthRSAAM.pm line 492. ...caught at
> c:\perl\bin\radiusd line 2.
>
>
>
>
> 3. Two Response Input-boxes (I shall also check with RSA and Citrix)
> -----------------
> Tue Feb  3 22:45:33 2009: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
> Tue Feb  3 22:45:33 2009: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
> Tue Feb  3 22:45:33 2009: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Feb  3 22:45:33 2009: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Feb  3 22:45:33 2009: NOTICE: Server started: Radiator 4.3.1 on rsa-server (LOCKED)
> Tue Feb  3 22:46:00 2009: DEBUG: Packet dump:
> *** Received from 123.123.123.3 port 32769 ....
> Code:       Access-Request
> Identifier: 0
> Authentic:  @<4><10>QCE<206>H5<209>z<177><133>O<234>}
> Attributes:
> 	User-Name = "testbkf"
> 	User-Password = <190>3<2><243>_<187>:<236><2><251><227>;l<206><219>u
> 	NAS-IP-Address = 123.123.123.3
> 	NAS-Port = 0
> 	NAS-Port-Type = Async
>
> Tue Feb  3 22:46:00 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Feb  3 22:46:00 2009: DEBUG:  Deleting session for testbkf, 123.123.123.3, 0
> Tue Feb  3 22:46:00 2009: DEBUG: Handling with Radius::AuthRSAAM:
> Tue Feb  3 22:46:00 2009: DEBUG: Radius::AuthRSAAM looks for match with testbkf [testbkf]
> Tue Feb  3 22:46:00 2009: DEBUG: RSA AM start https://rsa-server:7002/ims-ws/services/CommandServer
> Tue Feb  3 22:46:00 2009: DEBUG: Calling SOAP LoginCommand
> Tue Feb  3 22:46:01 2009: DEBUG: LoginCommand result in_progress, Tokencode
> Tue Feb  3 22:46:01 2009: DEBUG: RSA AM continue
> Tue Feb  3 22:46:01 2009: DEBUG: Radius::AuthRSAAM CHALLENGE: RSA AM data request: testbkf [testbkf]
> Tue Feb  3 22:46:01 2009: DEBUG: AuthBy RSAAM result: CHALLENGE, RSA AM data request
> Tue Feb  3 22:46:01 2009: DEBUG: Access challenged for testbkf: RSA AM data request
> Tue Feb  3 22:46:01 2009: DEBUG: Packet dump:
> *** Sending to 123.123.123.3 port 32769 ....
> Code:       Access-Challenge
> Identifier: 0
> Authentic:  I(<248>2H<w<224><170>+<0>Zw<207><158><233>
> Attributes:
> 	State = RSAAM=0
> 	Reply-Message = "CHALLENGE=Tokencode:"
>
> Tue Feb  3 22:46:11 2009: DEBUG: Packet dump:
> *** Received from 123.123.123.3 port 32769 ....
> Code:       Access-Request
> Identifier: 0
> Authentic:  ,<228><26><185>u<20>Y<13>?<176><155><209><184>f<190>o
> Attributes:
> 	User-Name = "testbkf"
> 	User-Password = <151><218>V1<189>2<5>K<29><169><204><201><172><211><227><19>
> 	State = RSAAM=0
> 	NAS-IP-Address = 123.123.123.3
> 	NAS-Port = 0
> 	NAS-Port-Type = Async
>
> Tue Feb  3 22:46:11 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Feb  3 22:46:11 2009: DEBUG:  Deleting session for testbkf, 123.123.123.3, 0
> Tue Feb  3 22:46:11 2009: DEBUG: Handling with Radius::AuthRSAAM:
> Tue Feb  3 22:46:11 2009: DEBUG: Radius::AuthRSAAM looks for match with testbkf [testbkf]
> Tue Feb  3 22:46:11 2009: DEBUG: RSA AM continue 12341234
> Tue Feb  3 22:46:11 2009: DEBUG: Calling SOAP LoginCommand
> -----------------
> Command Console message:
> Can't call method "getNasId" on an undefined value at
> c:/perl/site/lib/Radius/AuthRSAAM.pm line 492. ...caught at
> c:\perl\bin\radiusd line 2.
>
>
>
> Best Regards
> Bjorn-Kare
>
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On
> Behalf Of Mike McCauley Sent: 3. februar 2009 00:19
> To: radiator at open.com.au
> Cc: Bjørn-Kåre Flister
> Subject: Re: [RADIATOR] Problems integrating with RSA Authentication
> Manager 7.1
>
> Hello Bjørn-Kåre,
>
> On Tuesday 03 February 2009 05:16:25 am Bjørn-Kåre Flister wrote:
> > Hi
> >
> > I am testing Radiator integration with RSA Authentication Manager 7.1
> > and got some problems/errors.
> >
> > 1. When using Policy RSA_Password
> >     RSA-server logs the following message:
> >
> > Access Denied: User "testUser" attempted to authenticate using
> > authenticator "". The user belongs to security domain "SystemDomain"
> > Reason: Missing authenticators
>
> Probably you have not set a static password for that user in AM.
>
> > 2: When using Policy Ondemand or Policy Security_Questions Radiator
> > crashes/stops with the following message:
> >
> > DEBUG: Calling SOAP LoginCommand
> > Can't call method "getNasId" on an undefined value at
> > c:/perl/site/lib/Radius/AuthRSAAM.pm line 492. ...caught at
> > c:\perl\bin\radiusd line 2.
> >
> > Tested with radpwtst -interactive
> > and tested using Citrix Access Gateway standard 4.5.8 Both tests crash
> > the Radiator daemon/service
>
> We haven't been able to reproduce this.
> Can you send the exact radpwtst command line you used to test, along with
> your Radiator configuration file (no secrets) and the Radiator log file at
> trace level 4?
>
> > 3: When testing ondemand against a Citrix Access gateway standard
> > 4.5.8 I get two input-boxes: "Response" and "Verify Response"
> > Is it Radiator asking for two inputs of the response?
> > And if it is, is it possible to turn off/disable the "Verify Response"
> > input-box? The users will probably not accept having to write an
> > 11-number digit ondemand password twice :-)
>
> Radiator does not independently ask to verify the input, but only does that
> if AM asks for it. So it sounds like AM is asking for verification. However
> in tests of OnDemand here, AM does not ask to verify on-demand codes.
>
> Is it possible AM is misconfigured, or is perhaps trying to verify a new
> token?
>
> A complete trace 4 log of the conversation will help you to understand
> what's going on with AM.
>
> Hope that helps.
>
> Cheers.
>
> > My setup is:
> > RSA authentication Manager and Radiator installed on same server
> > Windows 2003 Server R2/SP2 Enterprise Edition RSA Authentication
> > Manager 7.1 with P1 (using port 1812/1813 for Radius) ActivePerl
> > 5.8.8.822 (installed and configured using setting the environment
> > variable PERL5LIB=) Radiator-Locked-4.3.1.exe with
> > patches-4.3.1.tar.gz,  (using port 1645/11656 for Radius) configured
> > with registry set:
> > HKLM\SYSTEM\CurrentControlSet\Services\Radiator
> > Environment REG_MULTI_SZ PERL5LIB=
> >
> >
> > I have managed authenticate using Policy LDAP_Password
> >
> >
> > Hope you can help me getting Radiator to play with the RSA AM 7.1
> >
> >
> > Best Regards
> > Bjorn-Kare



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
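The trace 4 logs in this thread show the RADIUS challenge/response sequence that AuthBy RSAAM drives: an Access-Request, an Access-Challenge carrying State and a Reply-Message of CHALLENGE=Tokencode:, then a continuation Access-Request that echoes the State. The following is an added example, not code from the thread or from Radiator: a small Python parser for the packet-dump format plus a check that every challenge answers the request with the same Identifier and that every continuation echoes the State, which is how the two halves of the conversation are tied together when the NAS reuses Identifier 0 as the Citrix log does. The sample log is constructed.

```python
# Constructed sample modelled on the thread's trace-4 packet dumps; the values
# are made up, not copied from the log above.
SAMPLE_LOG = """\
*** Received from 127.0.0.1 port 2002 ....
Code:       Access-Request
Identifier: 91
\tUser-Name = "test"
*** Sending to 127.0.0.1 port 2002 ....
Code:       Access-Challenge
Identifier: 91
\tState = RSAAM=0
\tReply-Message = "CHALLENGE=Tokencode:"
*** Received from 127.0.0.1 port 2002 ....
Code:       Access-Request
Identifier: 92
\tState = RSAAM=0
\tUser-Name = "test"
"""

def parse_packets(log):
    """Split a Radiator packet dump into dicts of code, identifier and attrs."""
    packets, cur = [], {"attrs": {}}  # lines before the first dump are discarded
    for line in log.splitlines():
        if line.startswith("*** "):
            cur = {"attrs": {}}
            packets.append(cur)
        elif line.startswith(("Code:", "Identifier:")):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
        elif line.startswith("\t") and " = " in line:
            key, val = line.strip().split(" = ", 1)
            cur["attrs"][key] = val.strip('"')
    return packets

def check_challenge_flow(packets):
    """Flag challenges matching no request or lacking State, and requests not echoing State."""
    findings, last_req, pending = [], None, None
    for p in packets:
        ident, code = p.get("identifier"), p.get("code")
        if code == "Access-Request":
            if pending is not None and p["attrs"].get("State") != pending:
                findings.append(f"id {ident}: State {pending!r} not echoed")
            last_req, pending = p, None
        elif code == "Access-Challenge":
            if last_req is None or ident != last_req.get("identifier"):
                findings.append(f"id {ident}: challenge matches no request")
            pending = p["attrs"].get("State")
            if pending is None:
                findings.append(f"id {ident}: challenge without State")
    return findings
```

Run it over a real trace 4 log (timestamp and Authentic: lines are ignored) to see whether a failed continuation is the NAS dropping State or something on the AM side.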
