RADIUS ChangePIN

From Swivel Knowledgebase


Overview

This document covers RADIUS ChangePIN, whereby a user makes an authentication attempt over RADIUS and, if they are required to change their PIN, Swivel responds with a ChangePIN challenge instead of an Access-Accept or Access-Reject. The access device can then redirect the user to a ChangePIN page.


Prerequisites

Swivel 3.x

Access device which supports ChangePIN

RADIUS ChangePIN requires PAP authentication and will not work with CHAP or MSCHAP. With PAP the access device sends the password field (which carries the old and new One Time Codes, see below) in a form the Swivel server can decrypt and read; with CHAP and MSCHAP the access device only sends a hash computed over the credential, so Swivel cannot extract the two codes from it.


Enabling RADIUS ChangePIN

On the Swivel Administration console select RADIUS/NAS, then select the RADIUS NAS entry for which ChangePIN is required and set Change PIN warning to Yes.


ChangePIN on the Access device

The access device must support RADIUS ChangePIN, and it may be necessary to modify the request that the access device sends to the Swivel server after receiving the challenge.

The Swivel server expects the follow-up RADIUS request from the access device to carry the password field in the following format:

cp1=<oldotc>cp2=<newotc>

where <oldotc> is the One Time Code derived from the current security string (Single Channel, SMS, SMTP, Mobile Phone applet) using the user's current PIN,

and <newotc> is the One Time Code derived from the security string using the PIN the user wants to set.

Note: the PIN itself is never entered, only One Time Codes.

Example: cp1=8593cp2=8791


Example: Juniper

See Juniper ChangePIN

To configure the Juniper to use ChangePIN via RADIUS you need to:

  • Set a new RADIUS rule on the authentication server being used: if the received packet is Radius-Challenge, the action is Show New PIN page.
  • Create a custom New PIN page (NewPin.thtml) that includes the Swivel functionality, like the linked example.

Testing

Test an authentication with a user for which a ChangePIN is required, such as ChangePIN on first login or ChangePIN after an admin reset.


Known Issues

Troubleshooting

RADIUS: <0> Access-Request(1) LEN=73 192.168.0.1:52392 Access-Request by null Failed: AccessRejectException: AGENT_ERROR_NO_USER_DATA

INFO Netscaler:Login failed for user: null, error: No data for the user was found.

Check that the user exists and that the username is correct. If so, on the Swivel Administration console select RADIUS Server and set Allow Empty Attributes to Yes.


RADIUS: <15> Access-Challenge(11) LEN=65 192.168.1.100:25292 Access-Request by graham resulted in Access-Challenge.

The Swivel server has returned an Access Challenge response to the Access device. This is expected for ChangePIN.


INFO 192.168.1.100 VPN:User must change their PIN before they can authenticate via Radius: graham.

The user must change their PIN before being allowed to login, this is expected for ChangePIN.


RADIUS: <16> Access-Request(1) LEN=65 192.168.1.100:25292 Access-Request by graham Failed: AccessRejectException: AGENT_ERROR_PIN_NOT_CHANGED

and

INFO 192.168.1.100 VPN:Login failed for user: graham, error: The user was required to change their PIN before this authentication.

The user was required to change their PIN but did not, so the next login attempt is rejected. The rejection also locks the user account, as the following entry shows.


WARN 192.168.1.100 VPN:User "graham" has been locked, reason: The user was required to change their PIN before this authentication.

The account has been locked because the user attempted to authenticate again without completing the ChangePIN; the lock reason records the outstanding PIN change.


Users not able to change their PIN

On the Swivel server, under RADIUS/Server, try increasing the Session TTL to a higher value and verify that a ChangePIN can then be carried out; the old and new codes must both be submitted before the session from the original challenge expires.