IPsec X-Auth with RSA On-Demand Tokens

codyhatch — Thu, 20 Dec 2012 17:35:23 GMT

Hi, I have PAN working with RSA On-Demand tokencodes (these are SMS-based tokens) when using GlobalProtect and the management UI but cannot get it to work with IPsec X-Auth. RSA On-Demand tokens work like this:

1) User enters their username and PIN to log in

2) Firewall sends RADIUS Authentication message to RSA server which, if the PIN is valid, sends a text message to the user with their tokencode.

3) The RSA server then sends a RADIUS Challenge message to the firewall, asking for the tokencode.

4) The user receives the text message and enters their tokencode into the new login challenge field.

5) The firewall sends the tokencode to the RSA server for validation.

6) If the tokencode is legitimate, the RSA server sends a successful RADIUS message to the firewall, which then logs the user in.

Like I mentioned, this all works great with GlobalProtect and the management UI but fails when using IPsec X-Auth at steps 3-4. The user receives the text message with their tokencode but the firewall returns a failed authentication message to the user rather than challenging them for the tokencode.

Has anyone else seen this or been able to get it working?

Thanks.

Re: IPsec X-Auth with RSA On-Demand Tokens

kkeeton — Fri, 18 Jan 2013 00:02:39 GMT

I believe this would be a bug/feature request IMO

Re: IPsec X-Auth with RSA On-Demand Tokens

Retired Member — Thu, 20 Jun 2013 08:36:47 GMT

we have the same issue now.I don't know what is different when x-auth is selected.We are using Radius Auth. for OTP.

when trying from phone-xauth no auht. traffic is going to Radius server.

but with a client Pc it works.

topic Re: IPsec X-Auth with RSA On-Demand Tokens in General Topics

IPsec X-Auth with RSA On-Demand Tokens

Re: IPsec X-Auth with RSA On-Demand Tokens

Re: IPsec X-Auth with RSA On-Demand Tokens