
List:       firewall-wizards
Subject:    Re: Contivity ES1000 and SecurID
From:       Jeff_Needle_Pop () BayNetworks ! COM (Jeff Needle Pop)
Date:       1999-03-22 16:58:49

>03/18/1999 16:53:42 0 Security [11] Radius: verified server 
>"aceserver.ip.address" reply, result: -2, message: Non-matching id in server 
>response. 
>03/18/1999 16:53:42 0 Security [12] Radius: "aceserver.ip.address" sent 
>invalid response packet for "username". 
>03/18/1999 16:53:42 0 Security [13] Session: IPSEC[username]:24 
>authentication failed using RADIUS 

This indicates that something happened with the Identifier field in
transit.  We explicitly check that to make sure the packet is part of
the same transaction we think it is.  My guess is that someone, probably
the Micro-Annex XL terminal server, isn't preserving the Identifier
field.  If you send me a sniffer trace from between the Contivity and
the RADIUS server, I'd be happy to have a look and confirm that.

>(1) Is anyone successfully using a Contivity box with SecurID authentication?
>    If so, is it necessary to upgrade the aceserver server software to
>    version 3.3?

We've got lots of folks using Contivity with SecurID.  Probably the
majority.  We've tested fairly extensively with Shiva Access Manager,
Funk/BSAC, Safeword, and SDI's Radius server.

Jeff Needle, VPN Specialist            
Nortel Networks / Extranet Access  
----------------------------------------
Jeff Needle, VPN Specialist            jneedle@nortelnetworks.com
Nortel Networks / Extranet Access           978-635-2036
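
The Identifier check described in the message above, as an added example that is not part of the original post and is not Nortel's code: a RADIUS client matching a reply to its outstanding request and then verifying the Response Authenticator as RFC 2865 defines it. The shared secret, Identifier, packets and verdict strings are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS Code for Access-Accept (RFC 2865)

def build_response(code, ident, request_auth, attrs, secret):
    """Build a server reply; used here only to construct sample packets."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def check_response(packet, sent_ident, request_auth, secret):
    """Return 'ok', or the reason the client must discard the reply."""
    if len(packet) < 20:
        return "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "bad length"
    packet = packet[:length]  # octets past Length are padding
    if ident != sent_ident:
        # Reply does not belong to the transaction we have outstanding.
        return "non-matching id"
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad authenticator"
    return "ok"

# Constructed sample data (not taken from any real capture).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # Request Authenticator sent in the Access-Request
SENT_ID = 24                      # Identifier sent in the Access-Request
ATTRS = bytes([18, 4]) + b"ok"    # one Reply-Message attribute

def demo():
    good = build_response(ACCESS_ACCEPT, SENT_ID, REQUEST_AUTH, ATTRS, SECRET)
    # An intermediate device that does not preserve the Identifier octet.
    rewritten = good[:1] + bytes([SENT_ID + 1]) + good[2:]
    wrong_secret = build_response(ACCESS_ACCEPT, SENT_ID, REQUEST_AUTH, ATTRS, b"other")
    cases = {"intact": good, "id rewritten": rewritten, "wrong secret": wrong_secret}
    return {name: check_response(pkt, SENT_ID, REQUEST_AUTH, SECRET)
            for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```
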
