RADIUS with multiple security strings
Problems using RADIUS with multiple security strings
You can have problems authenticating to PINsafe via RADIUS under the following circumstances:
- You are using a delivery method that provides multiple security strings (see note)
- You are using a RADIUS protocol other than PAP
To ensure authentication works in these circumstances, you should observe the following procedures:
- Always use ALL available strings, in the correct order. Do not skip strings.
- If you are having problems, request a new set of strings. This will invalidate old strings.
For those of you who insist on knowing why this happens, it is due to the way these protocols work. The PAP protocol sends the entered one-time code directly to PINsafe, so it is possible for PINsafe to interpret the code index and validate it correctly. Hence any one of the security strings not yet used can give correct results. Other protocols work by asking PINsafe for the correct one-time code for the user, and the NAS compares values itself. In these circumstances, there can only be one right answer, which must therefore be the next string that PINsafe has not already seen.
NOTE: delivery methods that provide multiple security strings include Dual Channel (if the number of strings is > 1), Mobile Phone Client, Swivlet, Swivel.Net (Swivlet for Windows Mobile) and PINsafe iClient (Swivlet for iPhone).