I'm implementing the RADIUS authentication procedure on a client in a Java application.
The RADIUS server uses RSA SecurID to authenticate the users. As is known, RSA SecurID uses a token. When a user forgets his PIN for the token, the token can be set to a special new-PIN mode on the server, which forces the user to set a new PIN on the next login attempt.
As far as I know, the communication workflow with the server would look like the following:
- Client: Send an Access-Request packet to the server with the usual attributes.
- Server: Reply with a packet indicating the special new-PIN mode.
- Client: Display an interface for the user to enter a new PIN. Send a packet to the server containing the new PIN.
- Server: Reply with a packet saying that the PIN has been successfully set.
- Client: Display a confirmation message and ask the user for a new passcode, which he created using the new PIN on his token. I assume this is basically the same packet as in step 1.
- Server: Reply with an Access-Accept packet if OK or an Access-Reject if not OK.
For steps 2, 3, 4 and 5 I do not know what the packet structure looks like and therefore cannot implement any logic on the client. Does anyone know how the server communicates when a token is in new-PIN mode?
The tokens used look like this. To create a valid passcode you need to first type your PIN and hit the diamond key below the 7:
asked on 31 July 2012 at 11:07
It turns out you need to look at the 'Reply-Message' (Type 18) attribute sent within the RADIUS packet from the server. It's very hacky, but it's the official solution, since the RADIUS protocol doesn't support such states (see RFC 2865). Talk to your RSA contact; they can provide you with a test server and 2 test tokens to test your parsing code.
Here is what I have found out so far:
- New-PIN-mode entry
Reply-Message contains "Enter a new PIN having from 4 to 6 digits:"
- New-PIN-mode PIN confirmation request
Reply-Message contains "Please re-enter new PIN:"
- New-PIN-mode success
Reply-Message contains "PIN Accepted"
- Next-tokencode-mode start
Reply-Message contains "enter the new tokencode"
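The exchange described in the question, driven by the Reply-Message texts listed in the answer, as an added example that is not part of the original question or answer. It is written in Python rather than Java because the packet handling (RFC 2865 header and attribute layout, Response Authenticator check, User-Password hiding, echoing the State attribute back unchanged) is language-independent and ports line for line. Only the four prompt strings come from the answer; everything else is an assumption made for the example: the `FakeSecurIdServer` class is a constructed simulation of the server's sequencing (new PIN, re-enter PIN, "PIN Accepted", then PIN + tokencode), the 4-to-6-digit PIN rule, the `State` cookie handling, the shared secret, the tokencode `159759` and the user names. A real RSA Authentication Manager may word its prompts differently, so treat `PROMPTS` as a table to be tuned against the test server the answer mentions.

```python
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 s.3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                   # RFC 2865 s.5
# Reply-Message fragments reported in the answer, matched as case-insensitive substrings.
PROMPTS = {"enter a new pin": "NEW_PIN", "please re-enter new pin": "CONFIRM_PIN",
           "pin accepted": "PIN_ACCEPTED", "enter the new tokencode": "NEXT_TOKENCODE"}

def encode_packet(code, ident, authenticator, attrs):
    """Header + TLV attributes; an attribute's length byte counts its own 2-byte header."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode_packet(data):
    """Return (code, ident, authenticator, [(type, value), ...]); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):          # bytes past Length are padding, ignored
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    return hashlib.md5(encode_packet(code, ident, req_auth, attrs) + secret).digest()
def verify_response(data, req_auth, secret):
    """True only if the reply is bound to our Request Authenticator and the shared secret."""
    code, ident, auth, attrs = decode_packet(data)
    return secrets.compare_digest(auth, response_authenticator(code, ident, req_auth, attrs, secret))

def _md5_xor(data, secret, req_auth, chain_output):
    """RFC 2865 s.5.2 chain: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        res = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (res if chain_output else data[i:i + 16])
    return out
def hide_password(password, secret, req_auth):   # client: pad to 16n bytes, chain ciphertext
    p = password.encode()
    return _md5_xor(p.ljust(max(16, -(-len(p) // 16) * 16), b"\x00"), secret, req_auth, True)
def unhide_password(hidden, secret, req_auth):   # server: chain the received ciphertext
    return _md5_xor(hidden, secret, req_auth, False).rstrip(b"\x00").decode()

def classify_challenge(attrs):
    """Map the Reply-Message text of an Access-Challenge onto a client-side stage."""
    text = " ".join(v.decode(errors="replace") for t, v in attrs if t == REPLY_MESSAGE).lower()
    return next((stage for needle, stage in PROMPTS.items() if needle in text), "UNKNOWN")

class FakeSecurIdServer:
    """Constructed stand-in for the RADIUS/SecurID server; only the prompts are from the answer."""
    def __init__(self, secret, tokencode):
        self.secret, self.tokencode, self.sessions = secret, tokencode, {}
    def handle(self, data):
        _, ident, req_auth, attrs = decode_packet(data)
        a = dict(attrs)
        typed = unhide_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        cookie = a.get(STATE, secrets.token_bytes(8))   # State cookie keys the session
        stage, pin = self.sessions.pop(cookie, ("START", None))
        nxt = None
        if stage == "START":
            nxt = ("NEW_PIN", None, b"Enter a new PIN having from 4 to 6 digits:")
        elif stage == "NEW_PIN" and typed.isdigit() and 4 <= len(typed) <= 6:
            nxt = ("CONFIRM_PIN", typed, b"Please re-enter new PIN:")
        elif stage == "CONFIRM_PIN" and typed == pin:
            nxt = ("PIN_ACCEPTED", pin, b"PIN Accepted")
        if nxt:                                # more input needed: Access-Challenge + State
            self.sessions[cookie] = nxt[:2]
            code, rattrs = ACCESS_CHALLENGE, [(REPLY_MESSAGE, nxt[2]), (STATE, cookie)]
        else:                                  # final verdict: new PIN + tokencode, or reject
            ok = stage == "PIN_ACCEPTED" and typed == pin + self.tokencode
            code, rattrs = (ACCESS_ACCEPT if ok else ACCESS_REJECT), []
        auth = response_authenticator(code, ident, req_auth, rattrs, self.secret)
        return encode_packet(code, ident, auth, rattrs)

def run_client(server, secret, user, answers):
    """Drive one login; `answers` maps each stage to the user's next input. Returns the
    stages seen, ending in 'ACCEPT' or 'REJECT'."""
    ident, cookie, password, seen = 0, None, answers["START"], []
    while True:
        req_auth = secrets.token_bytes(16)                         # fresh per request
        attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(password, secret, req_auth))]
        if cookie is not None:
            attrs.append((STATE, cookie))                          # echo State unmodified
        reply = server.handle(encode_packet(ACCESS_REQUEST, ident, req_auth, attrs))
        if not verify_response(reply, req_auth, secret):
            raise ValueError("Response Authenticator mismatch; reply dropped")
        code, _, _, rattrs = decode_packet(reply)
        if code != ACCESS_CHALLENGE:
            seen.append("ACCEPT" if code == ACCESS_ACCEPT else "REJECT")
            return seen
        stage = classify_challenge(rattrs)
        seen.append(stage)
        cookie, ident = dict(rattrs).get(STATE), (ident + 1) % 256
        password = answers[stage]              # KeyError: a prompt this client does not know
```

Two points a client implementer should carry over regardless of language: every reply is checked against the Response Authenticator before its Reply-Message is parsed, so a spoofed Access-Accept or a forged prompt from someone on the path is discarded, and the State attribute is echoed back byte for byte, because the server uses it to tie the new-PIN rounds together. UDP transport, retransmission and the Message-Authenticator attribute of RFC 2869 are omitted here; since User-Password hiding is only an MD5 chain keyed by the shared secret, RADIUS traffic should additionally be confined to a protected network or carried over RadSec (RFC 6614).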