Recently I came across an issue related to RADIUS Challenge-Response Authentication with NetScaler ADC.
The Issue: The customer uses RSA SecurID OnDemand Authentication with external partners. For better understanding, I’d like to describe this process and its communication flow:
- The user types her / his OnDemand PIN in the RSA Token / OTP field on NetScaler’s portal page,
- NetScaler sends this PIN together with the UserID to the RSA server,
- the RSA server verifies UserID and PIN and sends the individual one time password (OTP) by e-mail to the user’s private mail address,
- the user enters the OnDemand TokenCode they received in a separate Passcode field on a dedicated NetScaler page (similar to the Next TokenCode scenario), and finally
- NetScaler sends the OTP to the RSA server and the user is authenticated – hopefully.
But in our case, most of these authentication attempts with OnDemand OTPs were not successful and “Access denied” was shown to the user. Surprisingly, the RSA log files showed “Authenticated successfully” … so, what’s wrong?!
RSA authentication in general worked as expected, no issues there. Another way to receive an OnDemand passcode is to request it via the RSA Self-Service portal, wait for the e-mail and then go to the NetScaler’s logon page. In this case, the user enters her / his OTP together with the correct ODA PIN at the NetScaler portal and is granted access. This worked fine. So we needed to figure out where the problem with RADIUS Challenge / Response and NetScaler ADC lies.
The Solution: Well, long story short – the solution was not that complicated. All we needed to do was raise the RADIUS authentication timeout value configured on the NetScaler’s RSA server object from 3 secs. (default) to 5 secs. The cause of this issue was simply a communication timeout with RADIUS challenge / response authentication: the “standard way” of RADIUS authentication was fully handled before the timeout occurred, but NOT the challenge / response exchange … bad luck.
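To make the two RADIUS rounds and the timeout concrete, here is a small Python simulation I added for this post (it is not code from Citrix, RSA or the original page): the PIN round, the Access-Challenge carrying State and Reply-Message, and the passcode round that echoes State, with the NetScaler side applying its timeout per round. The shared secret, the credentials, the State value and the 4-second latency of the challenge round (the OTP e-mail is dispatched before the server answers) are constructed assumptions; the packet layout and User-Password hiding follow RFC 2865.

```python
import hashlib, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11   # RADIUS codes (RFC 2865)
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                # attribute types (RFC 2865)
SECRET = b"constructed-shared-secret"                    # constructed, not a real shared secret
KNOWN_PIN, KNOWN_OTP = "1234", "55667788"                # constructed credentials the fake RSA server accepts

def pap_hide(password, authenticator):
    """RFC 2865 5.2 User-Password hiding: pad to 16n bytes, XOR each chunk with MD5(secret + previous block)."""
    pw = password.encode(); pw += b"\0" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        out += prev
    return out

def build(code, ident, auth, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]; i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def rsa_server(pkt, challenge_latency):          # simulated RSA RADIUS server: (reply, seconds until it answers)
    _, ident, auth, attrs = parse(pkt)
    if STATE not in attrs:                       # round 1: PIN check; the OTP e-mail goes out before the challenge
        if attrs[USER_PASSWORD] != pap_hide(KNOWN_PIN, auth):
            return build(ACCESS_REJECT, ident, auth, []), 0.5
        return build(ACCESS_CHALLENGE, ident, auth,
                     [(STATE, b"oda-session-1"), (REPLY_MESSAGE, b"Enter OnDemand passcode")]), challenge_latency
    ok = attrs[STATE] == b"oda-session-1" and attrs[USER_PASSWORD] == pap_hide(KNOWN_OTP, auth)  # round 2
    return build(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, []), 0.5

def netscaler_logon(user, pin, otp, timeout, challenge_latency=4.0):
    """Simulated NetScaler side: one Access-Request per round, each bounded by `timeout` seconds."""
    state = None
    for ident, secret_input in ((1, pin), (2, otp)):
        auth = os.urandom(16)                                # fresh Request Authenticator per round
        attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_hide(secret_input, auth))]
        if state is not None: attrs.append((STATE, state))   # echo State back unchanged (RFC 2865 5.24)
        reply, wait = rsa_server(build(ACCESS_REQUEST, ident, auth, attrs), challenge_latency)
        if wait > timeout: return "timeout"                  # what the user sees as "Access denied"
        code, _, _, rattrs = parse(reply)
        if code == ACCESS_ACCEPT: return "accept"
        if code != ACCESS_CHALLENGE: return "reject"
        state = rattrs[STATE]
    return "reject"
```

With the default 3-second timeout the challenge round is dropped even though the RSA side would log a successful authentication; with 5 seconds the same logon succeeds.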