I am trying to configure a Juniper SA 2500 to do SafeWord authentication and am having 2 issues. My configuration has “Active Directory / Windows NT” as the primary and a RADIUS server as the additional authentication server.
In general this works fine with two exceptions that I can't seem to work around.
1) The username entered is "gold" but when this name is sent to RADIUS it appears as "COLORS\gold" which doesn't match a SafeWord ID and causes a failed authentication. 'Gold' is the user, COLORS is the AD domain name. This seems to be tied to the domain field found in the AD authentication server setup. If I try to leave it blank I get "Invalid NT Domain or Active Directory" and it won't save. If I change it to 'GGG' then what gets sent to the RADIUS server is 'GGG\gold'. I would like it to just say 'gold'.
2) When the radius server is configured to have a "Custom Radius Authentication Rules" to show the defender page when it receives an Access-Challenge it does so but does NOT display the RADIUS Attribute Reply-Message which contains the asynchronous challenge. It is in this return attribute that we present the challenge string they must enter into their token to get the corresponding Passcode. Now in the RADIUS server's "Custom Radius Authentication Rules" section if instead I choose "show user login page with error" then the challenge is displayed but at the first logon screen and as an error. They have to re-enter all values. At least they know the challenge now. This isn't pretty.
Any ideas would be appreciated.
******* Incoming RADIUS packet: *******
radrecv: Packet from host 10.52.41.102, port=12001
Examining RFC 2138 Access-Request Packet:
Identifier=80. Packet length=129.
01 50 00 81 33 46 0E F7 - 62 F1 5D BE B0 53 48 EC .P..3F..b.]..SH.
46 AB 95 38 20 09 4A 75 - 6E 69 70 65 72 01 0D 43 F..8 .Juniper..C
4F 4C 4F 52 53 5C 67 6F - 6C 64 02 12 AE 74 A0 FF OLORS\gold...t..
BF AE 7D 58 16 D2 DD DB - 0B 89 3A 7F 04 06 0A 34 ..}X......:....4
29 66 05 06 00 00 00 00 - 2C 39 43 4F 4C 4F 52 53 )f......,9COLORS
5C 67 6F 6C 64 28 73 61 - 66 65 77 6F 72 64 29 22 \gold(safeword)"
54 75 65 20 46 65 62 20 - 20 38 20 31 32 3A 33 37 Tue Feb  8 12:37
3A 32 32 20 32 30 31 31 - 22 53 75 37 62 67 50 2F :22 2011"Su7bgP/
78 - x
RFC 2138 Attribute=1: (User-Name) Length=11 Value=COLORS\gold
******* Outgoing RADIUS packet: *******
Examining RFC 2138 Access-Challenge Packet:
Identifier=236. Packet length=54.
0B EC 00 36 B3 7C 84 03 - E4 0E 8D 08 4F AA 3A 36 ...6.|......O.:6
F0 7D 77 C2 12 1C 43 68 - 61 6C 6C 65 6E 67 65 3A .}w...Challenge:
20 35 36 37 34 20 52 65 - 73 70 6F 6E 73 65 3F 20  5674 Response? 
18 06 35 36 37 34 - ..5674
Packet Authenticator=b3 7c 84 3 e4 e 8d 8 4f aa 3a 36 f0 7d 77 c2
RFC 2138 Attribute=18: (Reply-Message) Length=26 Value=Challenge: 5674 Response?
RFC 2138 Attribute=24: (State) Length=4 Value=35 36 37 34
I am traveling so I don't have access to my SSL box as an administrator, but I have done some two-factor, so two comments from memory:
1- On the Realm setup - are you passing the username variable back to your second authentication server? If so, what variable are you using? <USER> will pass the domain and name, <USERNAME> is supposed to only pass the name.
2- Following is a link to a thread that I created a while back. It might be helpful to you in regard to your second issue of getting the challenge response back.
Let me know if either of these help. Struggled with this until I got it figured out myself.
Thanks for the feedback... Let's see. Issue 1 is resolved.
Thank you, thank you, thank you. Worked like a champ!!! <USERNAME> is just what was needed.
Issue #2 is still not resolved.
My configuration for Access Challenge is identical, and I do get the Challenge/Response page; however, the Challenge is blank. It does not echo what was sent in the Access-Challenge packet's Reply-Message attribute.
Howdy - You know, in my previous post I realized that I forgot to include the link to my explanation of how I got the two-factor to work. So here it is:
In looking at your screen capture I see the problem. You do not have the syntax correct. You have the following:
.*) --- Shown in the page one display as (Reply Message matches the expression ".*)"
You need to have:
(.*) --- Shown in the page one display as (Reply Message matches the expression "(.*)")
This missing open parenthesis is what is wrong.
I have confirmed that both issues are now resolved. The "(.*)" mentioned above fixes the challenge not displaying what is in the Reply-Message attribute.
Thanks all involved. Kudos!
Hey RB - thank you very much for coming back and updating the post. Believe it or not, I actually look at my old posts pretty regularly to see if I get feedback on my answers. Appreciate hearing that it worked!
Did you ever get a working config of 2FA for Dynamic VPN connection? I have got RADIUS configs and authentication working fine; now I need to install DUO 2FA, and I'm not finding any command-line instructions.
We have a different 2-factor vendor but this is how we have things setup:
On the Custom Radius Rule we have:
-Response Packet Type = Access Challenge
---Radius Attribute = Reply Message
---Operand = matches the expression
---Value = (.*)
-Then take action = show Generic Logon Page
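To make the two problems in this thread concrete, here is an added Python example (not Juniper, SafeWord or any poster's code) that decodes the two RADIUS packets from the hex dumps above. It pulls User-Name out of the Access-Request (showing the DOMAIN\user form that <USER> sends and the bare name that <USERNAME> sends) and applies the "Reply-Message matches the expression" rule to the Access-Challenge. The way the rule is modelled is an assumption: the text shown on the challenge page is capture group 1 of the match, so an expression such as ".*)" with no usable capture group yields nothing, which is the blank challenge page described above. The Access-Request, Access-Challenge and attribute-type numbers are the RFC 2865 values (RFC 2138 in the log).

```python
"""Decode the two RADIUS packets logged in the thread (added example)."""
import re
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, REPLY_MESSAGE, STATE = 1, 18, 24

# Packet bytes copied from the hex dumps in the thread (Identifier=80, length 129).
REQUEST_HEX = """
01 50 00 81 33 46 0E F7 62 F1 5D BE B0 53 48 EC
46 AB 95 38 20 09 4A 75 6E 69 70 65 72 01 0D 43
4F 4C 4F 52 53 5C 67 6F 6C 64 02 12 AE 74 A0 FF
BF AE 7D 58 16 D2 DD DB 0B 89 3A 7F 04 06 0A 34
29 66 05 06 00 00 00 00 2C 39 43 4F 4C 4F 52 53
5C 67 6F 6C 64 28 73 61 66 65 77 6F 72 64 29 22
54 75 65 20 46 65 62 20 20 38 20 31 32 3A 33 37
3A 32 32 20 32 30 31 31 22 53 75 37 62 67 50 2F
78
"""

# Access-Challenge from the same log (Identifier=236, length 54).
CHALLENGE_HEX = """
0B EC 00 36 B3 7C 84 03 E4 0E 8D 08 4F AA 3A 36
F0 7D 77 C2 12 1C 43 68 61 6C 6C 65 6E 67 65 3A
20 35 36 37 34 20 52 65 73 70 6F 6E 73 65 3F 20
18 06 35 36 37 34
"""


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes")
    attributes = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        # Each attribute is type, length (including these two bytes), value.
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"malformed attribute {attr_type} at offset {pos}")
        attributes.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier,
            "authenticator": packet[4:20], "attributes": attributes}


def attribute_text(pkt: dict, attr_type: int) -> str:
    """Join every instance of a text attribute (Reply-Message may appear more than once)."""
    return b"".join(v for t, v in pkt["attributes"] if t == attr_type).decode("utf-8", "replace")


def username_sent(pkt: dict) -> str:
    """User-Name exactly as the NAS put it on the wire (DOMAIN\\user when <USER> is used)."""
    return attribute_text(pkt, USER_NAME)


def bare_username(user_name: str) -> str:
    """Strip a leading DOMAIN\\ prefix: the name that <USERNAME> passes on."""
    return user_name.rsplit("\\", 1)[-1]


def challenge_text(pkt: dict, rule_expression: str):
    """Apply the custom rule 'Reply-Message matches the expression'.

    Assumption for this example: the challenge page displays capture group 1
    of the match, so an expression without a usable group shows nothing.
    Returns None when the packet is not an Access-Challenge.
    """
    if pkt["code"] != ACCESS_CHALLENGE:
        return None
    try:
        regex = re.compile(rule_expression)
    except re.error:          # e.g. ".*)" has an unbalanced parenthesis
        return ""
    match = regex.search(attribute_text(pkt, REPLY_MESSAGE))
    if match is None or regex.groups == 0:
        return ""
    return match.group(1)


if __name__ == "__main__":
    req = parse_radius(bytes.fromhex(REQUEST_HEX))
    print("User-Name on the wire:", username_sent(req), "->", bare_username(username_sent(req)))
    chal = parse_radius(bytes.fromhex(CHALLENGE_HEX))
    print("rule .*)  shows:", repr(challenge_text(chal, ".*)")))
    print("rule (.*) shows:", repr(challenge_text(chal, "(.*)")))
    print("State to echo back:", attribute_text(chal, STATE))
```

Running it prints the domain-prefixed name from the request, an empty challenge for the ".*)" rule and "Challenge: 5674 Response? " for "(.*)", plus the State value the client must return with the user's passcode in the follow-up Access-Request.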