How can I do an auth test to an RSA server?
Hi, I'm trying to use radtest and radclient commands to test if some RSA servers radius authentication is working. That is, I send the user and password of a test account and expect to receive an "access-accept" from the server. However, this is not working. These are the tests and results: $radtest account password server 0 secret (...) rad_recv: Access-Challenge packet from host x.x.x.x port 1812, id-30,length=93 Prompt = No-Echo Reply-message = "\r\nEnter a new Pin having 8 alpha-numeric characters:" (...) Same result with: echo "User-Name = account, User-Password = password" | radclient - x server auth secret It seems their radius version is "6.1.7". Thanks! Ricardo Envoyé depuis mon HTC
On 17/05/2016, at 02:54, Ricardo NUNEZ <r.nunez@groupeonepoint.com> wrote:
Hi,
I'm trying to use radtest and radclient commands to test if some RSA servers radius authentication is working. That is, I send the user and password of a test account and expect to receive an "access-accept" from the server.
However, this is not working. These are the tests and results:
$radtest account password server 0 secret (...) rad_recv: Access-Challenge packet from host x.x.x.x port 1812, id-30,length=93 Prompt = No-Echo Reply-message = "\r\nEnter a new Pin having 8 alpha-numeric characters:" (…)
You’re sticking the generated RSA token number in to the password, right? Your RSA server will be configured to expect a PIN along with the number that it shows on the screen of the RSA token, and it’s trying to enrol a new token. Typically the workflow is that you auth the first time with generated number only, it asks you for a new PIN, and you have to always type that PIN before the generated number from now on, when using that token. I’ve never personally had to deal with Access-Challenge packets, so I can’t say for sure how you’d respond to that, but the RFC says you should do the exact same thing again but with that new 8 digit PIN in the password field, and any State attribute from the Access-Challenge. Good luck :-) -- Nathan Ward
participants (2)
-
Nathan Ward -
Ricardo NUNEZ