How can I do an auth test to an RSA server?
Nathan Ward
lists+freeradius at daork.net
Mon May 16 17:15:00 CEST 2016
> On 17/05/2016, at 02:54, Ricardo NUNEZ <r.nunez at groupeonepoint.com> wrote:
>
> Hi,
>
> I'm trying to use the radtest and radclient commands to test whether some RSA servers' RADIUS authentication is working. That is, I send the user and password of a test account and expect to receive an "access-accept" from the server.
>
> However, this is not working. These are the tests and results:
>
> $radtest account password server 0 secret
> (...)
> rad_recv: Access-Challenge packet from host x.x.x.x port 1812, id-30,length=93
> Prompt = No-Echo
> Reply-message = "\r\nEnter a new Pin having 8 alpha-numeric characters:"
> (…)
You’re sticking the generated RSA token number into the password, right?
Your RSA server will be configured to expect a PIN along with the number that it shows on the screen of the RSA token, and it’s trying to enrol a new token. Typically the workflow is that you auth the first time with generated number only, it asks you for a new PIN, and you have to always type that PIN before the generated number from now on, when using that token.
I’ve never personally had to deal with Access-Challenge packets, so I can’t say for sure how you’d respond to that, but the RFC says you should do the exact same thing again but with that new 8-digit PIN in the password field, and any State attribute from the Access-Challenge.
Good luck :-)
--
Nathan Ward
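
The challenge/response step described in the reply above, as an added example that is not part of the original post: it builds the follow-up Access-Request per RFC 2865, with the new PIN in User-Password and the State attribute copied from the Access-Challenge. It goes one step beyond the post by checking the Response Authenticator before trusting the challenge. The shared secret, token code, PIN, State value and the `constructed_challenge` helper are constructed for illustration.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                        # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24   # attribute types

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def hide_password(password, secret, authenticator):  # RFC 2865 section 5.2 hiding
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()  # MD5(secret + previous block)
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_request(ident, user, password, secret, state=None):
    auth = os.urandom(16)  # fresh Request Authenticator for every request
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, auth))
    if state is not None:
        body += attr(STATE, state)  # State from the challenge, echoed back unmodified
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def parse_packet(packet):
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return packet[0], packet[1], length, attrs

def answer_challenge(challenge, request, user, new_pin, secret):
    code, ident, length, attrs = parse_packet(challenge)
    # Response Authenticator = MD5(code+id+length + RequestAuth + attrs + secret)
    want = hashlib.md5(challenge[:4] + request[4:20] + challenge[20:length] + secret).digest()
    if not hmac.compare_digest(want, challenge[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret?)")
    if code != ACCESS_CHALLENGE:
        raise ValueError("not an Access-Challenge")
    return build_request((ident + 1) % 256, user, new_pin, secret, attrs.get(STATE, [None])[0])

def constructed_challenge(request, secret):  # made-up server reply, not captured traffic
    body = attr(REPLY_MESSAGE, b"\r\nEnter a new Pin having 8 alpha-numeric characters:")
    body += attr(STATE, b"constructed-state")  # constructed value
    head = struct.pack("!BBH", ACCESS_CHALLENGE, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body
```

A Response Authenticator mismatch on a real reply usually means the shared secret on the client does not match the one configured on the server for that client address.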