Hi meh

Did you configure the Challenge/Response part with custom radius attributes in the Auth.Server?

Regards

T.

Are you using async - where the user is supposed to see a token value that they key in and then enter the return value into the SA box for login?

If so - take a look at this string from about a year ago - I went through a pretty steep learning curve on tokens and the SA box and security in general when I first implemented them. Read the string and let me know if it helps or if I could maybe answer any other questions.

The title is Using SSL VPN with radius challenge and response hard token (asynchronous) and this URL should take you there:

http://forums.juniper.net/jnet/board/message?board.id=SSL_VPN&message.id=2079&query.id=362816#M2079

Thanks for the response. I haven't read through the url you have attached but yes, it is asynchronous. Basically at the first logon screen the user logs on using their username, ldap password, and PIN number. Then the second login screen is a Challenge Response screen and the user enters another code which they will have received via a test message to their mobile cell phone.

The whole process works well except the wording on that second login screen is very confusing. I'm not sure if I've done something wrong when I created the Radius auth server.

I've attached a screen shot of my radius configuration with the custom authentication rules. Maybe this is where I've gone wrong.

---

@muttbarker wrote:
I would suggest that you use the "next token" page instead of Defender - you may find that the message is more appropriate for your users.

---

Thanks I'll give it a go. So these messages aren't customisable at all?

Yes, the pages are certainly customizable. I was simply offering you the "path of least resistance" The message prompt on the page I suggested was more understandable to your end users. You will of course find the various pages in the "sample" thtml file.

There are several different pages that can be called depending on what you select as next page. Also in some instances the message shown at the top is passed on from your auth server and simply displayed. In other instances it comes from the SA box. So in your screen shot the message "Challenge: CHALLENGE=Tokencode is displayed as a result of the page you selected as the excpection is that the SA box will be displaying the prompt value to the user (instead of it coming on the cell phone).

Sorry for the long response. Hope this makes some sense.

Well I finally got around to testing this. I selected the "next token" page and this is perfect. The wording is exactly what I'm after. My problem now is when I use this page, the user no longer gets prompted to change their PIN number when RSA is configured for the user to change their PIN at next logon. It simply brings up the screen awaiting the SMS token code, which will never arrive as the PIN needs to be changed. If I leave it on the "Generic Login" page the PIN change screen appears as expected.

Any idea why this would be the case and how can use the "next token" page and also ensure PIN changes can occur?

Thanks

Just to add to this, I see there is no Radius attribute for PIN Change. I'm thinking if this option was available then I can select the New PIN Page.