Question

I'm implementing the RADIUS authentication procedure on a client in a Java application.

The RADIUS server uses RSA SecurID to authenticate the users. As is known, RSA SecurID uses a token. When a user forgets his pin for the token, the token can be set to a special new pin mode on the server, which forces the user to set a new pin on the next login attempt.

As far as I know, the communication workflow with the server would look like the following:

  1. Client: Send an Access-Request package to the server with the usual attributes.
  2. Server: Reply with a package indicating the special new pin mode.
  3. Client: Display an interface to the user to enter a new pin. Send a package to the server containing the new pin.
  4. Server: Reply with a package saying that the pin has been successfully set.
  5. Client: Display a confirmation message and ask the user for a new passcode, which he created using the new pin on his token. I assume this is basically the same package as in step 1.
  6. Server: Reply with an Access-Accept package if OK or an Access-Reject if not OK.

For steps 2, 3, 4 and 5 I do not know what the package structure looks like and therefore cannot implement any logic on the client. Does anyone have knowledge about the server communication when a token is in new pin mode?

Cheers Simon

The tokens used look like this. To create a valid passcode you need to first type your PIN and hit the diamond key below the 7:

[image of an RSA SecurID token] (source: comprosec.ch)


Solution

It turns out you need to look at the 'Reply-Message' (Type 18) attribute sent within the RADIUS packet from the server. It's very hacky, but it's the official solution since the RADIUS protocol doesn't support such states (see RFC 2865). Talk to your RSA contact, they can provide you with a test server and 2 test tokens to test your parsing code.

Here is what I have found out so far:

  • New-PIN-mode entry: Reply-Message contains "Enter a new PIN having from 4 to 6 digits:"
  • New-PIN-mode request confirmation PIN: Reply-Message contains "Please re-enter new PIN:"
  • New-PIN-mode success: Reply-Message contains "PIN Accepted"
  • Next-tokencode-mode start: Reply-Message contains "enter the new tokencode"
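As an added example (not code from the question or the answer, and in Python rather than the asker's Java, since the packet handling is identical): a parser that walks the RADIUS attribute list, verifies the Response Authenticator against the shared secret and the request's authenticator (RFC 2865 section 3) before trusting anything in the reply, collects Reply-Message (type 18) and the State attribute (type 24, which the client must echo unchanged in its next Access-Request), and maps the four Reply-Message strings listed above to a mode. The shared secret, request authenticator and State values are constructed for the test packets.

```python
import hashlib, hmac, struct

ACCESS_CHALLENGE = 11
ATTR_REPLY_MESSAGE = 18   # RFC 2865 section 5.18
ATTR_STATE = 24           # RFC 2865 section 5.24: echoed back unchanged in the next request

# Substrings quoted in the answer, compared case-insensitively. The first match wins, so
# the more specific "re-enter" marker is listed before the plain "enter a new pin".
MARKERS = [
    ("please re-enter new pin", "confirm_pin"),
    ("enter a new pin", "new_pin"),
    ("pin accepted", "pin_accepted"),
    ("enter the new tokencode", "next_tokencode"),
]

def verify_response_authenticator(packet, request_auth, secret):
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20                        # 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")  # a zero length would loop forever
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def classify_reply(packet):
    """Return (mode, state) for a server reply; mode is 'unknown' when no marker matches."""
    text, state = "", None
    for atype, value in parse_attributes(packet):
        if atype == ATTR_REPLY_MESSAGE:
            text += value.decode("utf-8", "replace")  # text may be split over several attributes
        elif atype == ATTR_STATE:
            state = value
    return next((mode for marker, mode in MARKERS if marker in text.lower()), "unknown"), state

def build_challenge(ident, message, state, request_auth, secret):
    """Constructed Access-Challenge for testing, with a valid Response Authenticator."""
    msg = message.encode()
    body = bytes([ATTR_REPLY_MESSAGE, 2 + len(msg)]) + msg + bytes([ATTR_STATE, 2 + len(state)]) + state
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body
```

A client built on this should drop any reply whose authenticator does not verify and should carry the returned State into the Access-Request that sends the new PIN or the next tokencode.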

Licensed under: CC-BY-SA with attribution