IPsec X-Auth with RSA On-Demand Tokens

cancel
Showing results for 
Search instead for 
Did you mean: 

IPsec X-Auth with RSA On-Demand Tokens

L0 Member

Hi, I have PAN working with RSA On-Demand tokencodes (these are SMS-based tokens) when using GlobalProtect and the management UI but cannot get it to work with IPsec X-Auth. RSA On-Demand tokens work like this:

1) User enters their username and PIN to log in

2) Firewall sends RADIUS Authentication message to RSA server which, if the PIN is valid, sends a text message to the user with their tokencode.

3) The RSA server then sends a RADIUS Challenge message to the firewall, asking for the tokencode.

4) The user receives the text message and enters their tokencode into the new login challenge field.

5) The firewall sends the tokencode to the RSA server for validation.

6) If the tokencode is legitimate, the RSA server sends a successful RADIUS message to the firewall, which then logs the user in.

Like I mentioned, this all works great with GlobalProtect and the management UI but fails when using IPsec X-Auth at steps 3-4. The user receives the text message with their tokencode but the firewall returns a failed authentication message to the user rather than challenging them for the tokencode.

Has anyone else seen this or been able to get it working?

Thanks.

2 REPLIES 2

L2 Linker

I believe this would be a bug/feature request IMO

L6 Presenter

we have the same issue now.I don't know what is different when x-auth is selected.We are using Radius Auth. for OTP.

when trying from phone-xauth no auht. traffic is going to Radius server.

but with a client Pc it works.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!