Access Challenge example for New PIN Mode

The Access Challenge Rule configuration in the RADIUS Authenticator plugin defines how replies from the RSA SecurID RADIUS server are mapped to IAM authentication result types.

In this configuration example, we describe the set of rules for a standard PIN change required use case.

Step 1 - After login with old credentials: Enter a new PIN

Response after login with old PIN and token:

RADIUS response code: 11 (Access-Challenge)
RADIUS response attributes:
   - 76 => No-Echo
   - 18 => Enter a new PIN having from 4 to 8 alphanumeric characters:
   - 24 => [Binary Data (length=11)] "SBR-CH 3|1"

This requires a Reply Message Access Challenge Rule with:
  • Pattern: Enter a new PIN
  • Authentication Result: New PIN required

The RADIUS server will ask the client to confirm the new PIN. This requires sending the same new PIN a second time.

Step 2 - PIN change mode after first response: Re-enter new PIN

To reconfirm the new PIN, it has to be re-entered. The response is:

RADIUS response code: 11 (Access-Challenge)
RADIUS response attributes:
   - 76 => No-Echo
   - 18 => Please re-enter new PIN:
   - 24 => [Binary Data (length=11)]

This requires a Reply Message Access Challenge Rule with:
  • Pattern: Please re-enter new PIN
  • Authentication Result: New PIN required

Step 3 - PINs are identical: PIN Accepted

If the two PINs are identical, the response is:

RADIUS response code: 11 (Access-Challenge)
RADIUS response attributes:
   - 76 => No-Echo
   - 18 => PIN Accepted.
           Wait for the token code to change,
           then enter the new passcode:
   - 24 => [Binary Data (length=11)]

This requires a Reply Message Access Challenge Rule with one of the following:
  • Pattern: PIN Accepted
  • Authentication Result: Next token required

OR

  • Pattern: PIN Accepted
  • Authentication Result: Authentication successful

Step 4 - Login with PIN and token (passcode)

After the PIN change, the login requires the new PIN together with a new token code (passcode). The response is:

RADIUS response code: 2 (Access-Accept) 
RADIUS response attributes: 
   - 25 => [Binary Data (length=58)]

Login failed - Wrong token (passcode) entered

If a wrong token (or no token at all) has been entered, the response is:

RADIUS response code: 11 (Access-Challenge)
RADIUS response attributes:
   - 76 => No-Echo
   - 18 => Access Denied
   - 24 => [Binary Data (length=11)]

This requires a Reply Message Access Challenge Rule with:
  • Pattern: Access Denied
  • Authentication Result: Wrong token, try again

If the entered token is wrong again, the response is:

RADIUS response code: 11 (Access-Challenge) 
RADIUS response attributes: 
   - 76 => No-Echo 
   - 18 => Please Enter Passcode 
   - 24 => [Binary Data (length=11)]

Login successful

On successful login, the response is:

RADIUS response code: 2 (Access-Accept) 
RADIUS response attributes: 
   - 25 => [Binary Data (length=58)]
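To illustrate how the rules above are applied, the following Python example (added here; it is not code from the RADIUS Authenticator plugin or its documentation) maps a RADIUS reply to an IAM authentication result type using the four Reply Message rules from this page. The regex matching, the "Unmapped challenge" fallback and the handling of codes other than 2 and 11 are assumptions made for the example, not documented plugin behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11     # RADIUS response codes (RFC 2865)
REPLY_MESSAGE, STATE, PROMPT = 18, 24, 76   # attribute types seen in the replies above


@dataclass(frozen=True)
class ChallengeRule:
    pattern: str   # matched against Reply-Message (assumed: regex search, case-sensitive)
    result: str    # IAM authentication result type the reply is mapped to


# The Reply Message Access Challenge Rules described on this page.
RULES = [
    ChallengeRule(r"Enter a new PIN", "New PIN required"),
    ChallengeRule(r"Please re-enter new PIN", "New PIN required"),
    ChallengeRule(r"PIN Accepted", "Next token required"),
    ChallengeRule(r"Access Denied", "Wrong token, try again"),
]


def map_reply(code: int, attrs: list, rules=RULES) -> tuple:
    """Map one RADIUS reply to (IAM result, State attribute to echo back).

    attrs is a list of (attribute type, raw value bytes). Access-Accept is
    successful regardless of attributes; Access-Challenge is classified by the
    first rule whose pattern matches a Reply-Message (18). The State (24) value
    is returned because RFC 2865 requires the client to send it unmodified in
    the next Access-Request of a multi-round challenge.
    """
    state = next((v for t, v in attrs if t == STATE), None)
    if code == ACCESS_ACCEPT:
        return "Authentication successful", state
    if code == ACCESS_CHALLENGE:
        messages = [v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE]
        for rule in rules:
            if any(re.search(rule.pattern, m) for m in messages):
                return rule.result, state
        # Assumed fallback: no configured rule matched this challenge text.
        return "Unmapped challenge", state
    # Assumed: any other code (e.g. 3, Access-Reject) ends the login as failed.
    return "Authentication failed", state


# Constructed sample: the Step 1 reply, with Prompt=No-Echo encoded as integer 0.
STEP1_REPLY = [(PROMPT, b"\x00\x00\x00\x00"),
               (REPLY_MESSAGE, b"Enter a new PIN having from 4 to 8 alphanumeric characters: "),
               (STATE, b"SBR-CH 3|1")]
```

The returned State value must be copied into the next Access-Request, otherwise the RSA server cannot associate the re-entered PIN with the running challenge.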