The Access Challenge Rule configuration in the RADIUS Authenticator plugin defines how replies from the RSA SecurID RADIUS server are mapped to IAM authentication result types. Each rule matches a pattern against the Reply-Message attribute (18) of an Access-Challenge (code 11) and assigns the corresponding authentication result.
This configuration example describes the set of rules for a standard "PIN change required" use case.
Step 1 - After login with old credentials: Enter a new PIN
Response after login with old PIN and token:
RADIUS response code: 11 (Access-Challenge)
RADIUS response attributes:
- 76 => No-Echo
- 18 => Enter a new PIN having from 4 to 8 alphanumeric characters:
- 24 => [Binary Data (length=11)] "SBR-CH 3|1"
This requires a Reply Message Access Challenge Rule with:
- Pattern: Enter a new PIN
- Authentication Result: New PIN required
The RADIUS server then asks the client to confirm the new PIN, so the same new PIN has to be sent a second time.
Step 2 - PIN change mode after first response: Re-enter new PIN
To reconfirm the new PIN, it has to be re-entered. The response is:
RADIUS response code: 11 (Access-Challenge)
RADIUS response attributes:
- 76 => No-Echo
- 18 => Please re-enter new PIN:
- 24 => [Binary Data (length=11)]
This requires a Reply Message Access Challenge Rule with:
- Pattern: Please re-enter new PIN
- Authentication Result: New PIN required
Step 3 - PINs are identical: PIN Accepted
If the two PINs are identical, the response is:
RADIUS response code: 11 (Access-Challenge)
RADIUS response attributes:
- 76 => No-Echo
- 18 => PIN Accepted. Wait for the token code to change, then enter the new passcode:
- 24 => [Binary Data (length=11)]
This requires a Reply Message Access Challenge Rule with one of the following:
- Pattern: PIN Accepted
- Authentication Result: Next token required
OR
- Pattern: PIN Accepted
- Authentication Result: Authentication successful
Step 4 - Login with PIN and token (passcode)
After the PIN change, the login requires the new PIN together with the next token code (the passcode). The response is:
RADIUS response code: 2 (Access-Accept)
RADIUS response attributes:
- 25 => [Binary Data (length=58)]
Login failed - Wrong token (passcode) entered
If a wrong token (or no token at all) has been entered, the response is an Access-Challenge, not an Access-Reject, so the client stays in the challenge dialogue and must return the State attribute (24) unchanged with the next attempt:
RADIUS response code: 11 (Access-Challenge)
RADIUS response attributes:
- 76 => No-Echo
- 18 => Access Denied
- 24 => [Binary Data (length=11)]
This requires a Reply Message Access Challenge Rule with:
- Pattern: Access Denied
- Authentication Result: Wrong token, try again
If the entered token is wrong again, the response is:
RADIUS response code: 11 (Access-Challenge)
RADIUS response attributes:
- 76 => No-Echo
- 18 => Please Enter Passcode
- 24 => [Binary Data (length=11)]
Login successful
On successful login, the response is:
RADIUS response code: 2 (Access-Accept)
RADIUS response attributes:
- 25 => [Binary Data (length=58)]
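The following Python script is an added example and is not code from the RADIUS Authenticator plugin or from RSA. It parses raw RADIUS replies (RFC 2865 header plus type/length/value attributes; Prompt is attribute 76 from RFC 2869), applies the Reply Message Access Challenge Rules from the PIN-change flow and the "Access Denied" case above in order, and returns the IAM authentication result together with the State attribute (24) that the next Access-Request must echo back. The sample packets, their State values and the Class value in the Access-Accept are constructed for the example; only the Reply-Message texts are those shown on this page. The rule names, the "Unmapped challenge" result and all function names are assumptions made for the illustration.

```python
"""Map RSA SecurID RADIUS replies to IAM authentication results.

Added example, not the plugin's own code. Packet layout is RFC 2865
(20-byte header followed by TLV attributes); attribute 76 (Prompt) is
RFC 2869. The rule set and the Reply-Message texts come from the page;
the packets, State values and authenticators are constructed here."""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
ATTR_REPLY_MESSAGE, ATTR_STATE, ATTR_CLASS, ATTR_PROMPT = 18, 24, 25, 76

Attr = Tuple[int, bytes]


def build_radius(code: int, ident: int, authenticator: bytes, attrs: List[Attr]) -> bytes:
    """Serialize a RADIUS packet; used here only to construct sample replies."""
    body = b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(packet: bytes) -> Tuple[int, int, bytes, List[Attr]]:
    """Parse header and attributes. Length fields come from the network, so
    every one is bounds-checked instead of trusted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    attrs: List[Attr] = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


@dataclass(frozen=True)
class ChallengeRule:
    pattern: str  # regex searched in the Reply-Message text
    result: str   # IAM authentication result type


# Rules from the page, in evaluation order. First match wins, so a broad
# pattern such as r"PIN" must never be placed before the specific ones.
RULES = [
    ChallengeRule(r"Enter a new PIN", "New PIN required"),
    ChallengeRule(r"Please re-enter new PIN", "New PIN required"),
    ChallengeRule(r"PIN Accepted", "Next token required"),
    ChallengeRule(r"Access Denied", "Wrong token, try again"),
]


def map_response(packet: bytes, rules=RULES) -> Tuple[str, Optional[bytes]]:
    """Return (authentication result, State to echo in the next Access-Request).

    Fails closed: a challenge whose text matches no rule is reported as
    unmapped (assumed result name), never as success; only a genuine
    Access-Accept yields "Authentication successful"."""
    code, _, _, attrs = parse_radius(packet)
    if code == ACCESS_ACCEPT:
        return "Authentication successful", None
    if code == ACCESS_REJECT:
        return "Authentication failed", None
    if code != ACCESS_CHALLENGE:
        raise ValueError(f"unexpected RADIUS code {code}")
    text = "\n".join(v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_REPLY_MESSAGE)
    state = next((v for t, v in attrs if t == ATTR_STATE), None)
    for rule in rules:
        if re.search(rule.pattern, text):
            return rule.result, state
    return "Unmapped challenge", state


def no_echo(packet: bytes) -> bool:
    """True when Prompt (76) is 0 (No-Echo): the client must mask the input."""
    _, _, _, attrs = parse_radius(packet)
    return any(t == ATTR_PROMPT and v == b"\x00\x00\x00\x00" for t, v in attrs)


def challenge(ident: int, text: bytes, state: bytes) -> bytes:
    """Constructed Access-Challenge in the shape shown on the page."""
    return build_radius(ACCESS_CHALLENGE, ident, bytes(16), [
        (ATTR_PROMPT, b"\x00\x00\x00\x00"), (ATTR_REPLY_MESSAGE, text), (ATTR_STATE, state)])


# Constructed sample exchange: PIN-change dialogue, one wrong passcode, then
# the Access-Accept. State and Class values are made up for the example.
SAMPLE_REPLIES = [
    challenge(1, b"Enter a new PIN having from 4 to 8 alphanumeric characters:", b"SBR-CH 3|1"),
    challenge(2, b"Please re-enter new PIN:", b"SBR-CH 3|2"),
    challenge(3, b"PIN Accepted. Wait for the token code to change, then enter the new passcode:", b"SBR-CH 3|3"),
    challenge(4, b"Access Denied", b"SBR-CH 3|4"),
    build_radius(ACCESS_ACCEPT, 5, bytes(16), [(ATTR_CLASS, b"constructed-class")]),
]


def run_sample() -> List[str]:
    """Map every reply of the sample exchange, in order."""
    return [map_response(p)[0] for p in SAMPLE_REPLIES]


if __name__ == "__main__":
    for reply, result in zip(SAMPLE_REPLIES, run_sample()):
        print(parse_radius(reply)[0], "->", result)
```

Two properties are worth checking in your own rule set: the rules are evaluated in order, so a pattern that is a substring of another reply text (for example a bare "PIN") silently captures later steps; and a reply text with no matching rule, such as the "Please Enter Passcode" prompt after a second wrong token, must never map to a success result, which is why the example returns a distinct unmapped result and treats only an Access-Accept as success.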