How can I do an auth test to an RSA server?

Nathan Ward lists+freeradius at
Mon May 16 17:15:00 CEST 2016

> On 17/05/2016, at 02:54, Ricardo NUNEZ <r.nunez at> wrote:
> Hi,
> I'm trying to use radtest and radclient commands to test if some RSA servers radius authentication is working.  That is,  I send the user and password of a test account and expect to receive an "access-accept" from the server.
> However,  this is not working. These are the tests and results:
> $radtest account password server 0 secret
> (...)
> rad_recv: Access-Challenge packet from host x.x.x.x port 1812,  id-30,length=93
> Prompt = No-Echo
> Reply-message = "\r\nEnter a new Pin having 8 alpha-numeric characters:"
> (…)

You’re sticking the generated RSA token number in to the password, right?
Your RSA server will be configured to expect a PIN along with the number that it shows on the screen of the RSA token, and it’s trying to enrol a new token. Typically the workflow is that you auth the first time with generated number only, it asks you for a new PIN, and you have to always type that PIN before the generated number from now on, when using that token.

I’ve never personally had to deal with Access-Challenge packets, so I can’t say for sure how you’d respond to that, but the RFC says you should do the exact same thing again but with that new 8 digit PIN in the password field, and any State attribute from the Access-Challenge.

Good luck :-)

Nathan Ward

More information about the Freeradius-Users mailing list