I have an RSA v6.1 server running SecurID and Steel Belted RADIUS. This is serving authentication requests, via RADIUS, for a Cisco router at an ISP which hosts a PPP dial-in service over PSTN.
Currently I can dial into the system successfully using the standard Windows PPP dialer over PSTN with my username and RSA PIN+tokencode. However, when the token is set to 'New PIN mode' or 'Next Tokencode' mode the connection fails, as it isn't prompting me for a new PIN.
The RSA website says that supporting Next Token mode and New PIN mode requires the RADIUS client to work in terminal mode before initiating PPP negotiation.
Does this problem ring any bells with anyone out there? What command should I use on the Cisco device to forward New PIN mode requests to the dialer?
Andrew's question indicates that he is looking for some router solution to this issue. But I believe that it is not a router issue but a PC/Windows issue. If the PC is configured for the typical Windows dialer, in which you input your ID and password before the PC begins to dial, then there is no opportunity for the router to send the additional prompt about New PIN mode or Next Token mode. But if the PC is configured with the option for a post-dial terminal window (as illustrated in this post), so that the PC dials and connects and then the router sends the prompt, then there is an opportunity for the router to send the additional prompt for New PIN mode or Next Token mode.
For New PIN mode to work, you will need to enable interactive (a.k.a. exec) logins. To do this you need to have the following configuration:

```
ip unnumbered Loopback0
async mode interactive ! watch for framed and exec connections
peer default ip address pool dialin_pool
ppp authentication pap ! clear ok for one time pass
group-range 1/00 1/59
line x/x 1/x
login authentication default ! default command doesn't show in config
autocommand ppp neg ! start ppp before giving exec prompt
```
To explain: SecurID users will enable a post-dial terminal window in the Dial-Up Networking config. When they connect, they will be prompted for user/token, and for a PIN if configured for that. If the exec authentication and authorization succeed, the AS5350 will execute the ppp negotiate command, which starts PPP for the session. The user may see garbage text in the terminal, depending on what version of Dial-Up Networking or client software they are using. They will need to click on the close/done/continue button.
The PC and AS5350 will then proceed with PPP.
However, we are going to bypass PPP authentication because we have already authenticated for exec and we don't want the token to time out and cause a failure. PPP authorization should proceed as normal using the credentials provided for the exec login.
Please use CHAP as PAP does not work for interactive authentication.
JG gave a very good explanation. But he got it reversed about which one does not work to authenticate with SecurID. PAP does work (and is supported in Steel Belted Radius, as you show) and CHAP is the one that does not work.
I happen to like ACS. But I do not believe that you really need to put in ACS. Just configure PAP and you should be able to process New PIN or Next Token modes.
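The pieces of JG's outline, assembled into one complete IOS configuration and using PAP as the later reply recommends. This is an added example, not the configuration of anyone in this thread. The AAA method lists, the RADIUS server address and key, the Group-Async interface, the address pool range and the line range are assumptions chosen for illustration; the bypass of PPP authentication after a successful exec login is expressed here with the IOS `if-needed` keyword, which is one way to implement what JG describes.

```cisco
! Added example: exec (terminal) login to RADIUS first, then PPP.
! Names, addresses and ranges below are assumptions for illustration.
aaa new-model
! Exec login is what carries the New PIN / Next Tokencode prompts
! from RADIUS (Access-Challenge) to the user's post-dial terminal window.
aaa authentication login default group radius local
aaa authentication ppp default group radius local
aaa authorization network default group radius
!
! Placeholder RADIUS server and shared secret
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key RADIUS_SECRET_PLACEHOLDER
!
! Addresses handed to dial-in peers (assumed range)
ip local pool dialin_pool 10.0.0.2 10.0.0.60
!
interface Group-Async1
 ip unnumbered Loopback0
 encapsulation ppp
 ! Accept both exec (terminal) and framed (PPP) calls on the same lines
 async mode interactive
 peer default ip address pool dialin_pool
 ! PAP sends PIN+tokencode as a clear-text attribute, which SecurID can
 ! validate; CHAP hashes the password, so the server cannot check a one-time code.
 ! if-needed skips PPP authentication when the exec login already
 ! authenticated the user, so the token is not consumed twice and cannot time out.
 ppp authentication pap if-needed
 group-range 1/00 1/59
!
line 1/00 1/59
 modem inout
 ! Exec login goes to RADIUS; this is where the New PIN prompt appears
 login authentication default
 ! Once exec authentication succeeds, start PPP without an exec prompt
 autocommand ppp negotiate
```

The client side must match: the Windows Dial-Up Networking entry needs "Bring up terminal window after dialing" enabled, otherwise the dialer starts PPP immediately and the RADIUS challenge for the new PIN has nowhere to go. Keep the `!` comments on their own lines when pasting; IOS does not accept a trailing comment after a command on the same line.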