Vasco OTP on IAS and SA 2000

ssltest_
Occasional Contributor

Vasco OTP on IAS and SA 2000

Hi,

I need assistance to complete a Juniper SSL VPN setup with Vasco Digipass for IAS and GO3 cards. The customer site contains a single Windows 2003 domain and a single domain controller that functions as the IAS/Vasco server. The client requests three-layer authentication: user from Active Directory, password from Active Directory, and the password of the OTP card without a unique PIN code. I tried to set up the system as required, but the authentication failed. The same issue doesn't exist if we are using an RSA RADIUS server with SecurID OTP.

Can you provide guidelines on how to set up Vasco to support this scenario?

IVE: 6.3.2

Thanks, Yuval
keith_
Contributor

Re: Vasco OTP on IAS and SA 2000

You need to configure a number of steps to get Vasco authentication over Juniper working. When you say RSA worked, did you configure RSA over Juniper? If so, it's a good starting point, and allows you to copy a number of the settings.

With RADIUS servers, the first things I check are:

- shared secret - overwrite it again at both ends

- token - use the Vasco RADIUS Test tool to check the token works, without involving Juniper at all. If it's not working, then it clearly won't work on Juniper.

Are you sure you've got Vasco set up correctly?

Keith

ssltest_
Occasional Contributor

Re: Vasco OTP on IAS and SA 2000

Hi,

I attached below the Vasco settings.

For an unknown reason the Vasco RADIUS doesn't answer to: user / OTP password.

However, it answers to user / Active Directory password.

This test was done using RADIUS ping and the Vasco simulator.

Any clue what can cause this effect? (I opened a support ticket with Vasco, but until now I didn't get any resolution to this issue.)

2008/12/05 19:05:01, Info, 0x6148105A44D8D8E830C42E8656262AB9, RADIUS, Digipass Plug-In for IAS, I-006001, "A RADIUS Access-Request has been received.", Source Location ["10.0.0.1"], Password Protocol ["PAP"], Request ID ["4"], Client Location ["127.0.0.1:5871"], Action ["Process"], Input Details ["User-Name:username, NAS-IP-Address:10.0.0.1, NAS-Identifier:Vasco Radius Simulator, User-Password:******"]
2008/12/05 19:05:01, Info, 0xBE4351E68769FAC29E350C4608D806EF, Authentication, Digipass Plug-In for IAS, I-010001, "User authentication was not handled.", Policy ID ["Base Policy"], User ID ["username"], Domain ["10.0.0.1-JR.local"], Input Details ["Password:******, Password Format:0, Policy ID:Base Policy, User ID:username, Protocol ID:0"], Output Details ["Status Message:Neither local nor back-end authentication was done due to policy and/or user settings"]
2008/12/05 19:05:01, Info, 0x6EA58347987531A0E3BF60E82CEEE221, RADIUS, Digipass Plug-In for IAS, I-007003, "A RADIUS Access-Reject has been issued.", Source Location ["10.0.0.1"], Password Protocol ["PAP"], Request ID ["4"], Client Location ["127.0.0.1:5871"], Reason ["Rejected by IAS"], Output Details [""]

Effective Policy Settings
[Local/Back-End Authentication] :
Local Authentication : Digipass Only
Back-End Authentication : None
Back-End Protocol :
:
[User Accounts] :
Dynamic User Registration : No
Password Autolearn : No
Stored Password Proxy : No
Default Domain :
User Lock Threshold : 0
:
[Windows Group Check] :
Group Check Option : Passthrough
Group List : Allow_VPN_Access
:
[Digipass Assignment] :
Assignment Mode : Neither
Grace Period (days) : 0
Serial No. Separator :
Search up Organizational Unit Hierarchy : Yes
:
[Digipass Settings] :
Application Names : GO3DEFAULT
Application Type : No Restriction
Digipass Types : DPGO3
PIN Changed Allowed : No
:
[1-Step Challenge Response] :
Enabled : No
Challenge Length : 0
Challenge Check Digit : No
:
[2-Step Challenge Response] :
Request Method : None
Request Keyword :
:
[Primary Virtual Digipass] :
Request Method : None
Request Keyword :
:
[Backup Virtual Digipass] :
Enabled : No
Maximum Days : 0
Maximum Uses : 0
Request Method : None
Request Keyword :
:
[Digipass Control Parameters] :
Identification Time Window : 100
Signature Time Window : 24
Event Window : 100
Initial Time Window : 6
Identification Threshold : 0
Signature Threshold : 0
Check Challenge Flag : 1
Level of Online Signature : 0
Allowed Inactive Days : 0

Thanks

ssltest_
Occasional Contributor

Re: Vasco OTP on IAS and SA 2000

Hi,

As far as I know, the Vasco issue is resolved. However, the Juniper SSL produces the following error:

Info PTR22834 2008/12/07 01:03:36 - [10.0.0.1] - username(Users)[] - Radius Server Vasco_Server: Login failed for username because host 10.0.0.1:1812 is unreachable.
Info PTR23334 2008/12/07 01:03:36 - [10.0.0.1] - username(Users)[] - Sign-in rejected using auth server Vasco_Server (Radius Server). Reason: Failed

Any idea?

keith_
Contributor

Re: Vasco OTP on IAS and SA 2000

Well, it says that your Vasco server, 10.0.0.1, is unreachable from your IVE. Are they on the same subnet? Is there a firewall in-between? Have you also checked that both Juniper & Vasco are using the same RADIUS ports?
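
Keith's two checks above (confirm the shared secret and test the RADIUS server with the SSL VPN out of the path; then, when the SA logs the server as unreachable, check reachability and ports) can be exercised with a small stand-alone RADIUS/PAP probe. This is an added example, not code from the thread, from Vasco or from Juniper. It builds an Access-Request as described in RFC 2865, including the User-Password obfuscation that depends on the shared secret, and verifies the Response Authenticator of whatever comes back, so a timeout (what a NAS reports as the server being unreachable), a reply computed with a different shared secret, and an Access-Reject are told apart. The host, port, secret, credentials and NAS address are placeholders, and the reply builder exists only so a sample reply can be constructed locally.

```python
"""Minimal RADIUS/PAP probe (RFC 2865) for testing a server without the SSL VPN in the path.

Added example; not code from the thread, from Vasco or from Juniper. Target address,
port, shared secret and credentials are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the server does); trailing padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header octets."""
    assert 1 <= len(value) <= 253
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). The authenticator is random unless
    supplied (supplied only to make the self-test deterministic)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, b"radius-probe"))  # placeholder NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def verify_response(packet, request_authenticator, secret):
    """RFC 2865 s3: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret).
    A reply failing this check was produced with a different shared secret (or forged)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Build the reply a server would send; used here only to construct a sample reply offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def classify_reply(packet, ident, request_authenticator, secret):
    if not verify_response(packet, request_authenticator, secret) or packet[1] != ident:
        return "bad-secret-or-forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
            ACCESS_CHALLENGE: "challenge"}.get(packet[0], "other")


def probe(host, port, secret, username, password, nas_ip, timeout=3.0):
    """Send one Access-Request over UDP. No reply within the timeout is what a NAS
    (the SA included) reports as the server being unreachable."""
    ident = os.urandom(1)[0]
    packet, auth = build_access_request(ident, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "unreachable"
    return classify_reply(reply, ident, auth, secret)


if __name__ == "__main__":
    # Placeholder values: replace with the real server, port, shared secret and account.
    print(probe("10.0.0.1", 1812, b"testing123", "username", "AD-password", "10.0.0.2"))
```

Run it from a host in the same VLAN as the SA, with that host's address as the NAS IP. A result of "unreachable" from there, while RADIUS ping works from elsewhere, points at the path between the two (a filter, or the source address not being accepted as a RADIUS client on the IAS side) rather than at the Vasco policy; "bad-secret-or-forged" means the two ends disagree on the shared secret; "reject" means the request arrived and was evaluated, so the policy is the next thing to read.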
ssltest_
Occasional Contributor

Re: Vasco OTP on IAS and SA 2000

The SA uses two ports to connect DMZ + LAN.

The Vasco server is also a DC that is used for LDAP Active Directory authentication.

However, even using only IAS produced the same error log.

The DC + SA reside in the same VLAN, and I also tried another IAS server.

The IAS policy is very basic (I even tried to use the Juniper doc for the IAS setup), and from remote I can use RADIUS ping / the Vasco simulator, so it seems that the IAS is working.

Thanks

ssltest_
Occasional Contributor

Re: Vasco OTP on IAS and SA 2000

Hi,

Currently it looks like a software bug. I am reviewing this issue with the support team and this may lead to a conclusion.
keith_
Contributor

Re: Vasco OTP on IAS and SA 2000

Did you get anywhere with Vasco Tech Support?
ssltest_
Occasional Contributor

Re: Vasco OTP on IAS and SA 2000

Hi,

I contacted Vasco support via email. Vasco's support level provided some basic instructions and said "it should work".

However, using basic tools like RADIUS ping provides information that this issue also occurs with IAS without Vasco.

keith_
Contributor

Re: Vasco OTP on IAS and SA 2000

Are you saying ping doesn't work from either the IAS server or the IVE to your Vasco server? If that's the case, I would check your firewall settings.