cancel
Showing results for 
Search instead for 
Did you mean: 

Options other than EAS-GTC for SecurID authentication in SBR-EE?

New Contributor

Options other than EAS-GTC for SecurID authentication in SBR-EE?

Hey all, I was wondering if it is possible to use something other than or, in addition to, EAS-GTC when authenticating WiFi users to SecurID in Steel Belted Radius?

 

I have a customer who has it working now using EAS-GTC with iOS and Android devices, but Windows Phone 8/8.1 does not support EAS-GTC.

 

Thanks, Dave

4 REPLIES 4
Regular Contributor

Re: Options other than EAS-GTC for SecurID authentication in SBR-EE?

Hi,

 

I researched around your questions internally, and it seems RSA Secure ID is only supported with PAP and EAP-GTC token card. This is docuemnted in Admin guide Table 65: Authentication Protocols.

 

Hence can you try EAP-TTLS as outer and PAP as inner ?

 

Thanks

Ashish Paul

New Contributor

Re: Options other than EAS-GTC for SecurID authentication in SBR-EE?

Ashish, I will suggest that to them today. Can you run multiple configurations at once (support GTC for iOS 7 ANdroid and TTLS & PAP for Windows Phone)?

New Contributor

Re: Options other than EAS-GTC for SecurID authentication in SBR-EE?

I just found out PAP is not supported under WIndows Phone either...

 

Can the customer setup an alternate authentication method (say, active directory or client side certificates) and use that for the Windows Phone device but leave the existing EAP-GTC configuration for the iOS and Android devices?

 

Thanks!

Regular Contributor

Re: Options other than EAS-GTC for SecurID authentication in SBR-EE?

You should be able to do that. However it have dependency on the authetication Protocols negotiated between Client and IC. The decision of what realms are available to the user within a sign-in policy is based on two factors. First, the order of realms in the list is considered. Realms at the top of the list are attempted. Second, the authentication protocol set that you choose must be compatible with the client or supplicant.

To determine a compatible realm, the system looks for a RADIUS subprotocol that is compatible with the client or supplicantÍs available protocols, and the system automatically selects compatible realms. If the endpoint is using a UAC agent, the system presents a list of realms. Any realm with both outer and inner protocols that match the outer and inner protocols on the client is considered compatible.

 

We have a detailed docuemntaion around this topic and you can access it from http://www.juniper.net/techpubs/en_US/uac5.0/topics/concept/uac-sign-in-auth-protocols-about.html