I am trying to configure a Juniper SA 2500 to do SafeWord authentication and am having two issues. My configuration has "Active Directory / Windows NT" as the primary authentication server and a RADIUS server as the additional authentication server.
In general this works fine with two exceptions that I can't seem to work around.
1) The username entered is "gold", but when this name is sent to RADIUS it appears as "COLORS\gold", which doesn't match a SafeWord ID and causes a failed authentication. 'gold' is the user; COLORS is the AD domain name. This seems to be tied to the domain field found in the AD authentication server setup. If I try to leave it blank I get "Invalid NT Domain or Active Directory" and it won't save. If I change it to 'GGG', then what gets sent to the RADIUS server is 'GGG\gold'. I would like it to just say 'gold'.
2) When the RADIUS server is configured with a "Custom Radius Authentication Rules" entry to show the Defender page when it receives an Access-Challenge, it does so, but does NOT display the RADIUS attribute Reply-Message, which contains the asynchronous challenge. It is in this return attribute that we present the challenge string they must enter into their token to get the corresponding passcode. Now, in the RADIUS server's "Custom Radius Authentication Rules" section, if instead I choose "show user login page with error", then the challenge is displayed, but at the first logon screen and as an error. They have to re-enter all values. At least they know the challenge now. This isn't pretty.
Any ideas would be appreciated.
******* Incoming RADIUS packet: *******
radrecv: Packet from host 10.52.41.102, port=12001
Examining RFC 2138 Access-Request Packet:Identifier=80. Packet length=129.
01 50 00 81 33 46 0E F7 - 62 F1 5D BE B0 53 48 EC .P..3F..b.]..SH.
46 AB 95 38 20 09 4A 75 - 6E 69 70 65 72 01 0D 43 F..8 .Juniper..C
4F 4C 4F 52 53 5C 67 6F - 6C 64 02 12 AE 74 A0 FF OLORS\gold...t..
BF AE 7D 58 16 D2 DD DB - 0B 89 3A 7F 04 06 0A 34 ..}X......:....4
29 66 05 06 00 00 00 00 - 2C 39 43 4F 4C 4F 52 53 )f......,9COLORS
5C 67 6F 6C 64 28 73 61 - 66 65 77 6F 72 64 29 22 \gold(safeword)"
54 75 65 20 46 65 62 20 - 20 38 20 31 32 3A 33 37 Tue Feb 8 12:37
3A 32 32 20 32 30 31 31 - 22 53 75 37 62 67 50 2F :22 2011"Su7bgP/
78 - x
RFC 2138 Attribute=1: (User-Name) Length=11
Value=COLORS\gold
******* Outgoing RADIUS packet: *******
Examining RFC 2138 Access-Challenge Packet:Identifier=236. Packet length=54.
0B EC 00 36 B3 7C 84 03 - E4 0E 8D 08 4F AA 3A 36 ...6.|......O.:6
F0 7D 77 C2 12 1C 43 68 - 61 6C 6C 65 6E 67 65 3A .}w...Challenge:
20 35 36 37 34 20 52 65 - 73 70 6F 6E 73 65 3F 20 5674 Response?
18 06 35 36 37 34 - ..5674
Packet Authenticator=b3 7c 84 3 e4 e 8d 8 4f aa 3a 36 f0 7d 77 c2
RFC 2138 Attribute=18: (Reply-Message) Length=26
Value=Challenge: 5674 Response?
RFC 2138 Attribute=24: (State) Length=4
Value=35 36 37 34
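As an added illustration (not part of the original post), the Python below decodes the two packets from the log above with a minimal RFC 2865 parser, confirming that User-Name reaches the server as COLORS\gold and that the Access-Challenge really does carry Reply-Message (18) and State (24). The bytes are transcribed from the hex dump; strip_domain is an assumed helper that only shows the username form the poster wants.

```python
import struct

# Added example, not from the original post: decode the two RADIUS packets shown
# in the server log (RFC 2865 header + type/length/value attributes).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         18: "Reply-Message", 24: "State", 32: "NAS-Identifier", 44: "Acct-Session-Id"}

# Bytes transcribed from the hex dumps in the post (Access-Request id 80, Access-Challenge id 236).
ACCESS_REQUEST = bytes.fromhex(
    "01500081 33460EF7 62F15DBE B05348EC 46AB9538 20094A75 6E697065 72010D43"
    "4F4C4F52 535C676F 6C640212 AE74A0FF BFAE7D58 16D2DDDB 0B893A7F 04060A34"
    "29660506 00000000 2C39434F 4C4F5253 5C676F6C 64287361 6665776F 72642922"
    "54756520 46656220 20382031 323A3337 3A323220 32303131 22537537 6267502F 78")
ACCESS_CHALLENGE = bytes.fromhex(
    "0BEC0036 B37C8403 E40E8D08 4FAA3A36 F07D77C2 121C4368 616C6C65 6E67653A"
    "20353637 34205265 73706F6E 73653F20 18063536 3734")


def parse_radius(packet: bytes) -> dict:
    """Decode the 20-byte header and the attribute TLVs; reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != actual size {len(packet)}")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((ATTRS.get(atype, str(atype)), packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident,
            "authenticator": packet[4:20], "attributes": attrs}


def attribute(parsed: dict, name: str):
    """Return the value of the first attribute with this name, or None."""
    return next((v for n, v in parsed["attributes"] if n == name), None)


def strip_domain(user_name: str) -> str:
    """Assumed helper: drop a DOMAIN\\ prefix, giving the bare SafeWord ID the post asks for."""
    return user_name.split("\\", 1)[-1]


if __name__ == "__main__":
    for pkt in (ACCESS_REQUEST, ACCESS_CHALLENGE):
        p = parse_radius(pkt)
        print(p["code"], "id", p["id"])
        for name, value in p["attributes"]:
            print("  ", name, value if name == "User-Password" else value.decode("latin-1"))
```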