Hi, I have PAN working with RSA On-Demand tokencodes (these are SMS-based tokens) when using GlobalProtect and the management UI but cannot get it to work with IPsec X-Auth. RSA On-Demand tokens work like this:
1) User enters their username and PIN to log in
2) The firewall sends a RADIUS Authentication message to the RSA server which, if the PIN is valid, sends a text message to the user with their tokencode.
3) The RSA server then sends a RADIUS Challenge message to the firewall, asking for the tokencode.
4) The user receives the text message and enters their tokencode into the new login challenge field.
5) The firewall sends the tokencode to the RSA server for validation.
6) If the tokencode is legitimate, the RSA server sends a successful RADIUS message to the firewall, which then logs the user in.
Like I mentioned, this all works great with GlobalProtect and the management UI but fails when using IPsec X-Auth at steps 3-4. The user receives the text message with their tokencode but the firewall returns a failed authentication message to the user rather than challenging them for the tokencode.
Has anyone else seen this or been able to get it working?