
Issue with RSA Radius authentication

Question asked by Hongyu Zhang Employee on Jul 30, 2020
Latest reply on Jul 30, 2020 by Jay Guillette

Hi all,

I am fairly new to using the RSA Radius server which is running as part of the RSA authentication manager. While trying to configure RSA Radius authentication for my Linux box, I am running into issues and couldn't authenticate at all.

Here is the configuration I have now:

On client side:

1. I am using pam_radius_auth.so PAM module to do the authentication. Here is the /etc/pam.d/sshd config file content:

auth sufficient pam_radius_auth.so debug
account include system-auth
password include system-auth
session include system-auth

2. This is what is inside the /etc/raddb/server config file:

10.118.244.56    abc123             10

The IP and secret are all correct.

On the server side:

1. I have created a new Radius client with the IP address of the client.

2. I have created and associated an RSA agent with the same client IP address.

3. There is a user "testuser22" in the identity users list. Identity source: internalDB, domain: SystemDomain

From what I read online, with the above setup, I should be able to log into my Linux box with user "testuser22". But when I tried to log in, the authentication always fails.

Here is what it says on the client side:

Jul 30 00:47:42 [localhost] sshd[13641]: pam_radius_auth: Got user name testuser22
Jul 30 00:47:42 [localhost] sshd[13641]: pam_radius_auth: ignore last_pass, force_prompt set
Jul 30 00:47:42 [localhost] sshd[13641]: pam_radius_auth: Sending RADIUS request code 1
Jul 30 00:47:45 [localhost] sshd[13641]: pam_radius_auth: Got RADIUS response code 3
Jul 30 00:47:45 [localhost] sshd[13641]: pam_radius_auth: authentication failed

Here is what it says on the server side:

07/30/2020 05:23:41 -----------------------------------------------------------
07/30/2020 05:23:41 Authentication Request
07/30/2020 05:23:41 Received from: ip=10.230.131.133 port=50402
07/30/2020 05:23:41
07/30/2020 05:23:41 Raw Packet :
07/30/2020 05:23:41 000: 012b0060 87ddcf28 ac9620ac f29320f9 |.+.`...(.. ... .|
07/30/2020 05:23:41 010: 13ea6e4e 010c7465 73747573 65723232 |..nN..testuser22|
07/30/2020 05:23:41 020: 02122682 a34c6949 0db33b33 68f50f15 |..&..LiI..;3h...|
07/30/2020 05:23:41 030: d23e0406 0ae686b4 20067373 68640506 |.>...... .sshd..|
07/30/2020 05:23:41 040: 000039e4 3d060000 00050606 00000008 |..9.=...........|
07/30/2020 05:23:41 050: 1f103130 2e313939 2e313936 2e313436 |..10.199.196.146|
07/30/2020 05:23:41
07/30/2020 05:23:41 -----------------------------------------------------------
07/30/2020 05:23:41 ../radauthd.c radAuthHandleRequest() 3057 Entering
07/30/2020 05:23:41 Looking up shared secret
07/30/2020 05:23:41 Looking for RAS client 10.230.131.133 in DB
07/30/2020 05:23:41 Matched 10.230.131.133 to RAS client DD2500-55.DATADOMAIN.COM
07/30/2020 05:23:41 Parsing request
07/30/2020 05:23:41 Initializing cache entry
07/30/2020 05:23:41 Doing inventory check on request
07/30/2020 05:23:41 Getting info on requesting client
07/30/2020 05:23:41 NAS-IP-Address in request: 10.230.134.180
07/30/2020 05:23:41 Looking for RAS client 10.230.134.180 in DB
07/30/2020 05:23:41 NAS-ID in request: "sshd"
07/30/2020 05:23:41 -----------------------------------------------------------
07/30/2020 05:23:41 Authentication Request
07/30/2020 05:23:41 Received From: ip=10.230.131.133 port=50402
07/30/2020 05:23:41 Packet : Code = 0x1 ID = 0x2b
07/30/2020 05:23:41 Client Name = SSHD Dictionary Name = Radius.dct
07/30/2020 05:23:41 Vector =
07/30/2020 05:23:41 000: 87ddcf28 ac9620ac f29320f9 13ea6e4e |...(.. ... ...nN|
07/30/2020 05:23:41 Parsed Packet =
07/30/2020 05:23:41 User-Name : String Value = testuser22
07/30/2020 05:23:41 User-Password : Value =
07/30/2020 05:23:41 000: 2682a34c 69490db3 3b3368f5 0f15d23e |&..LiI..;3h....>|
07/30/2020 05:23:41 NAS-IP-Address : IPAddress = 10.230.134.180
07/30/2020 05:23:41 NAS-Identifier : String Value = sshd
07/30/2020 05:23:41 NAS-Port : Integer Value = 14820
07/30/2020 05:23:41 NAS-Port-Type : Integer Value = 5
07/30/2020 05:23:41 Service-Type : Integer Value = 8
07/30/2020 05:23:41 Calling-Station-Id : String Value = 10.199.196.146
07/30/2020 05:23:41 -----------------------------------------------------------
07/30/2020 05:23:41 Determining user class
07/30/2020 05:23:41 Authenticating user testuser22 with authentication method SecurID
07/30/2020 05:23:41 Beginning instance of SecurID authentication
07/30/2020 05:23:41 Performing SecurID user authentication for DEFAULT (testuser22)
07/30/2020 05:23:43 Terminated instance of SecurID authentication
07/30/2020 05:23:43 Unable to find user testuser22 with matching password

I am not sure whether the logging in RSA Radius is masking the User Password, but the User-Password attribute in the Authentication Request seems odd to me.

Could you please kindly point me to what I could have done wrong?

Thanks a lot in advance.

-Hongyu
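
On the User-Password bytes in the server log above (an added example, not part of the original post): RFC 2865 section 5.2 has the client XOR the zero-padded password with MD5(shared secret + Request Authenticator), so the attribute on the wire is never the typed text, and the server only recovers it if both sides hold the same secret. The sketch below parses the raw packet from the log and runs that hiding scheme on a constructed password with constructed secrets (`example-passcode`, `secret-A`, `secret-B` are assumptions, not values from the post).

```python
import hashlib

# Raw Access-Request bytes copied from the server log in the post above.
RAW = bytes.fromhex(
    "012b006087ddcf28ac9620acf29320f9" "13ea6e4e010c74657374757365723232"
    "02122682a34c69490db33b3368f50f15" "d23e04060ae686b42006737368640506"
    "000039e43d0600000005060600000008" "1f1031302e3139392e3139362e313436")

def parse(packet):
    """Return (code, id, request authenticator, {attr type: value bytes})."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return packet[0], packet[1], packet[4:20], attrs

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide(password, secret, authenticator):
    """RFC 2865 section 5.2 hiding, as done by the RADIUS client."""
    size = max(1, -(-len(password) // 16)) * 16   # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide(hidden, secret, authenticator):
    """Reverse of hide(), as done by the RADIUS server with its own secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def demo():
    code, ident, auth, attrs = parse(RAW)
    # Constructed password and secrets, not values from the post.
    hidden = hide(b"example-passcode", b"secret-A", auth)
    return (code, ident, attrs[1].decode(), len(attrs[2]),
            unhide(hidden, b"secret-A", auth), unhide(hidden, b"secret-B", auth))

if __name__ == "__main__":
    print(demo())
```

The 16-byte User-Password in the log therefore only shows that the entry was at most 16 bytes long; a server holding a different secret would decode it to unrelated bytes and reject the request.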
