Access Challenge example for New PIN
10.2.11.1.1. Access Challenge example for New PIN Mode

The Access Challenge Rule configuration in the RADIUS Authenticator plugin defines, how replies from the RSA SecurID RADIUS server are mapped to IAM authentication result types.

In this configuration example, we describe the set of rules for a standard PIN change required use case.

Step 1 - After login with old credentials: Enter a new PIN

Response after login with old PIN and token:

RADIUS response code: 11 (Access-Challenge) 
RADIUS response attributes: 
   - 76 => No-Echo 
   - 18 => Enter a new PIN having from 4 to 8 alphanumeric characters: 
   - 24 => [Binary Data (length=11)] "SBR-CH 3|1"
  • This requires a Reply Message Access Challenge Rule with:
  • Pattern: Enter a new PIN
  • Authentication Result: New PIN required

The RADIUS server will ask the client to confirm the new PIN. This requires sending the same new PIN a second time.

Step 2 - PIN change mode after first response: Re-enter new PIN

To reconfirm the new PIN, it has to be re-entered. The response is:

RADIUS response code: 11 (Access-Challenge) 
RADIUS response attributes: 
   - 76 => No-Echo 
   - 18 => Please re-enter new PIN: 
   - 24 => [Binary Data (length=11)]
  • This requires a Reply Message Access Challenge Rule with:
  • Pattern: Please re-enter new PIN
  • Authentication Result: New PIN required

Step 3 - PINs are identical: PIN Accepted

In case the PINs are a identical, the response is:

RADIUS response code: 11 (Access-Challenge) 
RADIUS response attributes: 
   - 76 => No-Echo 
   - 18 => PIN Accepted. 
Wait for the token code to change, 
then enter the new passcode: 
   - 24 => [Binary Data (length=11)]
  • This requires a Reply Message Access Challenge Rule with one of the following:
  • Pattern: PIN Accepted
  • Authentication Result:Next token required
  • OR

  • Pattern: PIN Accepted
  • Authentication Result: Authentication successful

Step 4 - Login with PIN and token (passcode)

After PIN-change, the login requires the new PIN together with a new token. The response is:

RADIUS response code: 2 (Access-Accept) 
RADIUS response attributes: 
   - 25 => [Binary Data (length=58)]

Login failed - Wrong token (passcode) entered

If a wrong token (or no token at all) has been entered, the response is:

RADIUS response code: 11 (Access-Challenge) 
RADIUS response attributes: 
   - 76 => No-Echo 
   - 18 => Access Denied 
   - 24 => [Binary Data (length=11)]
  • This will requires a Reply Message Access Challenge Rule with:
  • Pattern: Access Denied
  • Authenticationr Result: Wrong token, try again

In case entered token is wrong again, the response is:

RADIUS response code: 11 (Access-Challenge) 
RADIUS response attributes: 
   - 76 => No-Echo 
   - 18 => Please Enter Passcode 
   - 24 => [Binary Data (length=11)]

Login successful

On successful login, the response is:

RADIUS response code: 2 (Access-Accept) 
RADIUS response attributes: 
   - 25 => [Binary Data (length=58)]