01-04-2008 06:23 AM - edited 03-10-2019 03:35 PM
Hi, I have a Cisco RADIUS to RSA (Steel Belted) RADIUS question.
I have just added a new Dial-In service to our existing RSA /RADIUS SecurID v6.1 server. The dial-in service is hosted by a service provider and once a PPP session is established a RADIUS request is sent via the service provider's cisco device to our server for authentication. The PPP session works fine, however there is a conflict on the radius authentication request as it is rejecting the request (the account and token are known to be good). Our authentication server consists of RSA SecurID v6.1 with built in Steel Belted RADIUS.
Here are the settings on the service provider's cisco device to forward radius requests to the RSA server :
aaa group server radius radgroup
server-private 10.1.1.1 auth-port 1812 acct-port 1813 key password
server-private 10.1.1.2 auth-port 1812 acct-port 1813 key password
When a user dials in the RADIUS request reaches the RSA/RADIUS server OK, however the RSA SecurID server is rejecting the request saying "ACCESS DENIED - syntax error". Here is the RADIUS request as seen by the RADIUS server :
01/03/2008 14:04:52 -----------------------------------------------------------
01/03/2008 14:04:52 Authentication Request
01/03/2008 14:04:52 Received From: ip=10.216.33.1 port=21707
01/03/2008 14:04:52 Packet : Code = 0x1 ID = 0x4c
01/03/2008 14:04:52 Client Name = <ANY> Dictionary Name = Cisco.dct
01/03/2008 14:04:52 Vector =
01/03/2008 14:04:52 000: 87d37405 631f53ca b6267d0b ad84b0e8 |..t.c.S..&}.....|
01/03/2008 14:04:52 Parsed Packet =
01/03/2008 14:04:52 Framed-Protocol : Integer Value = 1
01/03/2008 14:04:52 User-Name : String Value = x927153
01/03/2008 14:04:52 User-Password : Value =
01/03/2008 14:04:52 000: d119f0c0 16015aca 58793018 db9fbfae |......Z.Xy0.....|
01/03/2008 14:04:52 NAS-Port-Type : Integer Value = 5
01/03/2008 14:04:52 NAS-Port : Integer Value = 772347
01/03/2008 14:04:52 Calling-Station-Id : String Value = 01252300035
01/03/2008 14:04:52 Called-Station-Id : String Value = 08081400026
01/03/2008 14:04:52 Service-Type : Integer Value = 2
01/03/2008 14:04:52 NAS-IP-Address : IPAddress = 10.216.33.1
01/03/2008 14:04:52 -----------------------------------------------------------
Has anyone seen this issue before?
I think it is quite a common problem as searching the Internet there seems to be similar messages out there regarding RSA servers, and I think the solution is probably a subtle RADIUS setting on the Cisco device or a RADIUS setting on the RSA server.
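The request in the log above is well-formed, so the part of the exchange a practitioner would want to check is what the server actually recovers from the User-Password attribute: RFC 2865 hides that field by XORing it with MD5(shared secret + Request Authenticator), so if the NAS and the server disagree on the secret the server decodes garbage and rejects the passcode rather than reporting a clear error. The following is an added example written for this thread, not code from the original post, from Cisco or from RSA. It builds an Access-Request shaped like the logged one, parses it back the way a server would, and shows the same packet decoded with the matching secret and with a mismatched one. The secret `password` is the literal from the quoted `key password` config line; the authenticator, passcode `12345678` and the attribute values are constructed sample data.

```python
"""Minimal RFC 2865 Access-Request builder/parser (added example, not from the thread)."""
import hashlib
import os
import struct

# Attribute types present in the logged request (RFC 2865 numbering).
ATTR = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
        6: "Service-Type", 7: "Framed-Protocol", 30: "Called-Station-Id",
        31: "Calling-Station-Id", 61: "NAS-Port-Type"}
INTEGER_ATTRS = {5, 6, 7, 61}
ACCESS_REQUEST = 1


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the
    16-byte Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server applies it; trailing NUL padding removed."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, attrs, authenticator=None):
    """attrs: list of (type, value); ints for INTEGER_ATTRS, dotted string for type 4, str otherwise.
    authenticator is normally random; it can be fixed for reproducible tests."""
    authenticator = authenticator or os.urandom(16)

    def tlv(t, v):
        return bytes([t, len(v) + 2]) + v

    body = bytearray()
    body += tlv(1, username.encode())
    body += tlv(2, hide_password(password.encode(), secret, authenticator))
    for t, v in attrs:
        if t in INTEGER_ATTRS:
            body += tlv(t, struct.pack("!I", v))
        elif t == 4:
            body += tlv(t, bytes(int(o) for o in v.split(".")))
        else:
            body += tlv(t, v.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + bytes(body)


def parse_access_request(packet, secret):
    """Decode the packet into a dict like the server log; User-Password is unhidden with `secret`."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    parsed, pos = {"ID": ident}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        v = packet[pos + 2:pos + l]
        name = ATTR.get(t, "Attr-%d" % t)
        if t == 2:
            parsed[name] = unhide_password(v, secret, authenticator)
        elif t in INTEGER_ATTRS:
            parsed[name] = struct.unpack("!I", v)[0]
        elif t == 4:
            parsed[name] = ".".join(str(b) for b in v)
        else:
            parsed[name] = v.decode(errors="replace")
        pos += l
    return parsed


def password_is_plausible(pw):
    """A PIN + tokencode passcode is printable ASCII; non-printable bytes after
    unhiding point at a shared-secret mismatch between NAS and server."""
    return all(0x20 <= b < 0x7F for b in pw)


if __name__ == "__main__":
    secret = b"password"  # from the thread's 'key password' line; constructed passcode below
    pkt = build_access_request(0x4C, secret, "x927153", "12345678",
                               [(7, 1), (61, 5), (5, 772347), (31, "01252300035"),
                                (30, "08081400026"), (6, 2), (4, "10.216.33.1")])
    good = parse_access_request(pkt, secret)
    bad = parse_access_request(pkt, b"wrong-secret")
    print("matching secret :", good["User-Password"], password_is_plausible(good["User-Password"]))
    print("mismatched secret:", bad["User-Password"], password_is_plausible(bad["User-Password"]))
```

Run it and the first line shows the passcode recovered intact, the second shows the bytes a server sees when its secret differs from the one the NAS used; on a real server that garbage is what gets handed to the SecurID check, so confirming the secret on both ends before changing anything else is the cheap first step. The parser also rejects a length field that disagrees with the datagram, which is the minimum input validation any RADIUS receiver should do before walking attributes.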
01-04-2008 08:25 AM
Hi,
Are you using Juniper (aka Steel-Belted) RADIUS or are you using RSA SecurID with native RADIUS built in?
Make sure you set up the agent host correctly on the Steel-Belted RADIUS. Can you set up authentication from this device via RADIUS to your Steel-Belted RADIUS server? If everything works, you should see something like this:
[root@linux root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
C
*****************
User Access Verification
Username: test4
Password:
Enter your new PIN, containing 4 to 8 digits,
or
Please re-enter new PIN:
Wait for the code on your card to change, then log in with the new PIN
Enter PASSCODE:
C2960>
01-05-2008 11:16 AM
Andrew
I had an experience a while back that was similar to what you are describing. The problem turned out to be in the communication between the Radius implementation and the RSA ACE. If I remember correctly clearing the node secret was an important part of resolving this issue.
I would suggest that you look carefully at the configuration and the synchronization between RADIUS and ACE.
HTH
Rick