
Conference irocz::netrider

Title: NetRider --- Remote Network Access Conference
Notice: Please use keywords! See Note 2 for Directory of Important Notes
Moderator: LAVC::CAHILLON
Created: Tue Jan 24 1995
Last Modified: Mon Jun 02 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 554
Total number of notes: 2264

544.0. "securid - node verification failed" by KERNEL::ANSONR () Sun May 04 1997 14:09

    Hi,
    
    Hope someone can help. 
    
    
    Customer is trying to set up SecurID on a decserver90m (NAS v2.0
    BL10C-40). He is using Security Dynamics sw, on an NT platform as the server.
     
    Master port, realm, address for authentication server setup. Setup for
    just one port. They get dial-in and get to the username and passcode
    prompt. They enter the details but get the error message 'authentication
    failed'. The error on the NT authentication server is:
    
    passcode accepted
    node verification failed.
    
    As the decserver uses a secret key, customer has tried issuing 'change
    secureid realm <realmname> nodesecret' on the decserver, but still gets the
    'node verification error'. Customer does say it takes a long time between
    entering 'passcode' and getting 'authentication failed, invalid login'.
    
    
    Decserver parameters are as follows:
    
    change secureid master port 5500  <-unable to enter 'master' but
                                      accepted just secureid port 5500 on
                                      decserver90m
    change secureid realm europe <--where europe is the name of config
                                    profile
    
    change securid realm europe encoding proprietary
    
    change securid realm europe host donald   <--where donald is the
                                              ACE/server nodename
    
    
    
    As all this SecurID is new to me, has anybody got any suggestions as to
    what to try? Please advise if you need further information from me.
    
    Thanks
    
    Richard.
            
544.1. "" by IROCZ::D_NELSON (Dave Nelson LKG1-3/A11 226-5358) Mon May 05 1997 12:13

RE: .0
    
>    change secureid master port 5500  <-unable to enter 'master' but
>                                      accepted just secureid port 5500 on
>                                      decserver90m

Hmmm... That should have worked.  Worked for me on a DS900TM.  Don't know
any reason a DS90M would be different.
    
>    change securid realm europe encoding proprietary
 
Uh...  I've recently been told that we never actually _tested_ the non-DES
encoding (because we didn't want to reinstall the ACE/Server, I'd guess).
Hope this isn't the problem!

Did you enter the DECserver as a client of type "comm Server" on the 
ACE/Server?

Does the DECserver have a valid DNS name registration?  (ACE/Server demands
one.)

Did you try to clear the secret on the DECserver and then set the DECserver
client entry on the ACE/Server to "node secret not sent"?

	Local> change securid realm europe nosecret

Regards,

Dave

544.2. "Anybody out there got seen it working ?" by KERNEL::ANSONR () Fri May 16 1997 08:16

    Dave,
    
    Looked into your suggestions but still having problem. 
    
    It's pretty hard because we haven't got the full kit here to reproduce it.
    
    Is there anybody out there who has got this working in the config I
    explained in .0?
    
    Struggling,
    
    Rich.

544.3. "Working configuration - some hints" by CSC32::R_BUCK (Authenticated and assimilated) Wed May 21 1997 20:10

    We have SecurID working here with a couple of different DECservers and
    the ACE Server running on Windows NT 4.0.  Version of ACE Server is 2.3.
    Unless changed, the default port number used by this version is 5500.
    Believe prior versions used 755.
    
    Have to admit that most of the DECserver setup was done using Access
    Server Manager.  Looks like the commands for a basic setup would be:
    
    SET SECURID MASTER PORT 5500
    SET SECURID DEFAULT REALM realm_name
    SET SECURID REALM realm_name PRIMARY HOST host_name_or_ip_address
    SET SECURID REALM realm_name ENCODING DES
    SET SECURID REALM realm_name ACCESS LOCAL
        (or whatever default access type is desired)
    SET SECURID REALM realm_name PERMISSIONS (NODIALBACK DIALOUT LAT TELNET
        SLIP PPP NOPRIV)
    
    There are a few other commands that could be used to further qualify the
    SecurID settings.  Main thing is that the ACCESS and PERMISSIONS are
    configured properly so you get the expected results once authenticated. 
    SecurID is basically just going to give a yes or no response.  With
    DRAS, (RADIUS), you can add a set of attributes to the Yes response
    which control what capabilities the user has.
    
    On the ACE server, the DECserver has to be registered as a
    Communication Server.  Registration requires a DNS name, so the Windows
    NT box must either have DNS configured or have a HOSTS file entry for
    the DECserver.  Do not use a secret!  It might work, but I have not
    been able to make it behave yet.
    
    Recommend configuring the DECserver to do authentication at the Port
    level.  This means the dial-up user must open a terminal window and
    respond to the prompts.  Must do this in order to get the PIN number
    the first time.  Can create a pretty simple script to automate the
    whole thing once they have a proper PIN.  
    
    Randall Buck
    MCS - Network Support
    
    By the way: We are documenting as much of this as possible and sharing
    it with the people at Security Dynamics so that both of us can help the
    customer through the configuration issues.
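
The following is an added example, not part of the thread and not DIGITAL or Security Dynamics code: a pre-flight check that compares a list of DECserver commands against the hints given in .1 and .3 (keyword spelled `securid`, port 5500, DES encoding) and confirms the DECserver has a HOSTS entry on the ACE/Server machine. The client name `ds90m-1`, the HOSTS contents and the function names are assumptions; that the keyword spelling matters is also an assumption, based only on the spelling used in the replies.

```python
import re

# Constructed input: the four commands as reported in note 544.0.
REPORTED = """\
change secureid master port 5500
change secureid realm europe
change securid realm europe encoding proprietary
change securid realm europe host donald
"""
# Constructed HOSTS file on the ACE/Server machine; address and name are placeholders.
HOSTS = """\
# name resolution for ACE/Server clients (constructed sample)
192.0.2.10   ds900tm-lab
"""

def hosts_names(text):
    """Return every host name listed in HOSTS-format text, lower-cased."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        names.update(f.lower() for f in fields[1:])  # skip the address column
    return names

def lint(commands, hosts_text, client_name, expected_port=5500):
    """Return (line_no, check, detail) findings; line_no 0 is not tied to a line."""
    findings = []
    for no, line in enumerate(commands.splitlines(), 1):
        words = line.lower().split()
        if len(words) < 3 or not words[1].startswith("secur"):
            continue                              # not a SecurID command
        if words[1] != "securid":                 # spelling used in .1 and .3
            findings.append((no, "keyword", f"'{words[1]}' is not 'securid'"))
        rest = " ".join(words[2:])
        port = re.search(r"\bport (\d+)\b", rest)
        if port and int(port.group(1)) != expected_port:
            findings.append((no, "port", f"{port.group(1)} != {expected_port}"))
        enc = re.search(r"\bencoding (\S+)", rest)
        if enc and enc.group(1) != "des":         # .1: non-DES encoding untested
            findings.append((no, "encoding", f"{enc.group(1)} instead of DES"))
    if client_name.lower() not in hosts_names(hosts_text):
        findings.append((0, "hosts", f"no entry for {client_name}"))
    return findings

if __name__ == "__main__":
    for finding in lint(REPORTED, HOSTS, "ds90m-1"):
        print(finding)
```

Pass `expected_port=755` when checking against an ACE/Server version older than the 2.3 described in .3.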