When integrating VIP with SiteMinder, the user is presented with the Authentication Scheme's challenge, but once the Security Code is entered the user can't log in and the login prompt appears again.
"Allow Security Validation" is enabled in VIP Access Manager.
The Policy Server returns the challenge "Enter your security code:" and reports the status Authentication Challenged in smtracedefault.log:
[08/18/2021][11:53:53][11:53:53.599][][][][][][4676][6372]
[1112das3d15-dsadsad11-dasdas4d44-dasds44d-rsfd4441]
[][][][][][][][][Sm_Auth_Message.cpp:1794][CSm_Auth_Message::AuthenticateUser][sps]
[][/myApp/myApp.html][myAgent][myAgent][][myVIP][0][4][][myLab][]
[myUser][uid=myUser,ou=people,ou=im,ou=ca,o=com][][][][][][][][][][][][]
[Evaluating OnAuthChallenge policy...][][][][][][][][][]
[08/18/2021][11:53:53][11:53:53.600][][][][][][4676][6372][s383/r499][Login][][]
[][][][][][Sm_Auth_Message.cpp:5405][CSm_Auth_Message::FormatAttribute][sps][][]
[myAgent][myAgent][][myVIP][][][][myLab][][myUser]
[uid=myUser,ou=people,ou=myteam,ou=ca,o=com][][][][][][][][][][Enter your security code:]
[][][Send response attribute 216, data size is 25][][][][][][][][][]
[08/18/2021][11:53:53][11:53:53.600][][][][][][4676][6372][s383/r499][][][][][][][][]
[Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][sps][][][myAgent]
[myAgent][][myVIP][][Enter your security code:][][myLab][][myUser]
[uid=myUser,ou=people,ou=myteam,ou=ca,o=com][][][][][][][][][][][][]
[** Status: Authentication Challenged. ]
[][][][][][][][][]
From the VIP logs, the password is sent to the RADIUS server, but the server does not grant the user access and reports a timeout instead.
server-log:
INFO "2021-08-18 11:53:49.782 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812
0 0 "text=Trying to fetch attribute from User Store No:- 1 whose
storeName is LAB " Thread-12676 tokenbinding.cpp
[...]
INFO "2021-08-18 11:53:52.136 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812
0 0 "text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- User
successfully validated against user-store no. = 1" Thread-12676
VSAuthOTPFirstFactorImpl.c
INFO "2021-08-18 11:53:52.136 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812
0 0 "text=[INFO_REQUEST:myUser] requestId:
9_9_0_w_10_91_6_7_302979868" Thread-12676 VSWebServiceClientImpl.cpp
INFO "2021-08-18 11:53:52.442 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812
0 0 "text=Prompt user [myUser] for OTP." Thread-12676
VSAuthOTPStandardControllerImpl.cpp
AUDIT "2021-08-18 11:53:53.598 GMT+0530" 10.91.6.7
CA_IAM_Windows:1812 0 1912 "text=Access CHALLENGED 0x0: Success
,reason=0" Thread-12676 VSValidationEngine.c
After about one minute, the Access-Challenge request times out:
WARNING "2021-08-18 11:54:52.753 GMT+0530" 0.0.0.0
CA_IAM_Windows:1812 0 0 "text=_handleChallengeRequestsWorker() --
RADIUS Access-Challenge request [myUser:11588887670328730302] has
timed-out." Thread-12316 VSAuthManageChapRequests.cpp
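The server-log excerpt above tells the whole story once the records are correlated: the first factor is validated on Thread-12676, the OTP prompt and the Access-Challenge go out on the same thread, and the timeout is logged a minute later on a different thread (Thread-12316), keyed by user rather than thread. The following script, added here as an example and not part of the page or of the VIP product, parses that log format and reports, per user, whether the first factor passed, when the challenge was sent and how long the server waited before giving up. The sample lines are the page's excerpt re-joined into one line per record; the field layout and the "Access CHALLENGED" / "has timed-out." markers are taken from that excerpt and are assumed to be stable.

```python
import re
from datetime import datetime

# VIP Enterprise Gateway RADIUS server log layout, as seen in the excerpt above:
# LEVEL "timestamp" client-ip host:port n n "text=..." Thread-N source-file
LINE_RE = re.compile(
    r'^(?P<level>[A-Z]+) "(?P<ts>[^"]+)" (?P<ip>\S+) (?P<host>\S+) \d+ \d+ '
    r'"text=(?P<text>.*)" (?P<thread>Thread-\d+) (?P<src>\S+)$'
)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f GMT%z"
PROMPT_RE = re.compile(r"Prompt user \[(?P<user>[^\]]+)\] for OTP\.")
TIMEOUT_RE = re.compile(r"Access-Challenge request \[(?P<user>[^:\]]+):\d+\] has timed-out\.")

# Constructed sample: the page's wrapped excerpt re-joined into one line per record.
SAMPLE_LOG = [
    'INFO "2021-08-18 11:53:49.782 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812 0 0 '
    '"text=Trying to fetch attribute from User Store No:- 1 whose storeName is LAB " '
    'Thread-12676 tokenbinding.cpp',
    'INFO "2021-08-18 11:53:52.136 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812 0 0 '
    '"text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- User successfully validated '
    'against user-store no. = 1" Thread-12676 VSAuthOTPFirstFactorImpl.c',
    'INFO "2021-08-18 11:53:52.136 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812 0 0 '
    '"text=[INFO_REQUEST:myUser] requestId: 9_9_0_w_10_91_6_7_302979868" '
    'Thread-12676 VSWebServiceClientImpl.cpp',
    'INFO "2021-08-18 11:53:52.442 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812 0 0 '
    '"text=Prompt user [myUser] for OTP." Thread-12676 VSAuthOTPStandardControllerImpl.cpp',
    'AUDIT "2021-08-18 11:53:53.598 GMT+0530" 10.91.6.7 CA_IAM_Windows:1812 0 1912 '
    '"text=Access CHALLENGED 0x0: Success ,reason=0" Thread-12676 VSValidationEngine.c',
    'WARNING "2021-08-18 11:54:52.753 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812 0 0 '
    '"text=_handleChallengeRequestsWorker() -- RADIUS Access-Challenge request '
    '[myUser:11588887670328730302] has timed-out." Thread-12316 VSAuthManageChapRequests.cpp',
]


def parse_line(line):
    """Split one record into its fields; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def correlate_challenges(lines):
    """Per user: did the first factor pass, when was the OTP challenge issued,
    and did the server give up waiting for the answer (the timeout record)."""
    by_thread = {}   # worker thread -> state of the authentication it handles
    timeouts = {}    # user -> time the server stopped waiting for the OTP
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = by_thread.setdefault(rec["thread"],
                                  {"user": None, "first_factor_ok": False, "challenged_at": None})
        text = rec["text"]
        if "User successfully validated against user-store" in text:
            st["first_factor_ok"] = True          # LDAP password accepted
        m = PROMPT_RE.search(text)
        if m:
            st["user"] = m["user"]                # user name appears once the OTP prompt is built
        if text.startswith("Access CHALLENGED"):
            st["challenged_at"] = rec["ts"]       # RADIUS Access-Challenge sent back to the client
        m = TIMEOUT_RE.search(text)
        if m:                                     # logged on another thread: correlate by user
            timeouts[m["user"]] = rec["ts"]
    report = {}
    for st in by_thread.values():
        if st["user"] is None or st["challenged_at"] is None:
            continue
        t_out = timeouts.get(st["user"])
        report[st["user"]] = {
            "first_factor_ok": st["first_factor_ok"],
            "challenged_at": st["challenged_at"],
            "timed_out": t_out is not None,
            "wait_seconds": (t_out - st["challenged_at"]).total_seconds() if t_out else None,
        }
    return report


if __name__ == "__main__":
    for user, r in correlate_challenges(SAMPLE_LOG).items():
        print(user, r)
```

On the sample above the report for myUser shows the first factor accepted, the challenge issued at 11:53:53.598 and the timeout at 11:54:52.753, about 59 seconds later: the server never received a second RADIUS request answering its challenge, which is where to look next on the Policy Server / Access Gateway side.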
VIP 9.9;
Policy Server 12.8SP0 on Windows 2012R2;
Policy Server JDK 1.8.0_191;
CA Access Gateway (SPS) 12.8SP0 on Windows 2012R2;
Radius Server in VIP Enterprise Gateway 9.9;
User Store on CA Directory 14.0.01;
According to the documentation, the Password field should contain the password immediately followed by the security code, with no separator:
passwordcode
where "password" is the user's password and "code" is the security code generated by the credential assigned to the user. This is how the password must be entered when the authentication popup appears (1).
(1)
Testing the RADIUS Server Template authentication scheme for ULO mode
In the Password field, enter the password followed by a security
code that you generate on the hardware credential or VIP Access
credential assigned to the test user.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip/cloud/vip-integrations-v127046077-d2278e2955/Symantec_VIP_Integration_Guide_for_Symantec_SiteMinder_13/vip-integrate-siteminder-config-siteminder/vip-integrate-siteminder-testing-the-Integration/vip-integrate-siteminder-test-radius-auth-scheme-for-ulo-mode.html
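To make the ULO password format and the challenge path concrete, here is an added example in pure Python (written for this page; it is not code from Broadcom, the VIP product or the SiteMinder agent). It builds the RADIUS packets per RFC 2865: in ULO mode a single Access-Request carries the password with the security code appended, so no Access-Challenge is expected; in the challenge path the first request carries only the password, the server answers Access-Challenge with a State attribute and the "Enter your security code:" prompt, and the client must send a second Access-Request carrying the code and echoing State. The shared secret, the State value, the NAS-Identifier value and the test credentials are constructed for the example.

```python
import hashlib
import os
import struct

# RFC 2865 codes and attribute types used below (assumed; the page quotes none).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 1, 2, 18, 24, 32


def ulo_password(ldap_password, security_code):
    """ULO mode: password immediately followed by the security code, no separator."""
    return ldap_password + security_code


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw = password.encode("utf-8")
    if not 1 <= len(pw) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], block))
        out += prev
    return out


def unhide_password(secret, authenticator, hidden):
    """Inverse of hide_password (what the RADIUS server does on receipt)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00").decode("utf-8")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(secret, identifier, username, password, state=None, authenticator=None):
    """Client side. A reply to an Access-Challenge must echo the server's State unchanged."""
    auth = authenticator or os.urandom(16)   # Request Authenticator: fresh and unpredictable
    attrs = [(USER_NAME, username.encode("utf-8")),
             (USER_PASSWORD, hide_password(secret, auth, password)),
             (NAS_IDENTIFIER, b"myAgent")]     # constructed value, borrowed from the trace above
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + auth + body


def build_response(secret, code, request, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def verify_response(secret, request, response):
    """Client check that the reply was produced by the holder of the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def parse_packet(data):
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    return {"code": code, "id": identifier, "authenticator": data[4:20],
            "attrs": decode_attrs(data[20:])}


def demo(secret=b"sharedsecret"):
    # 1) ULO mode: one Access-Request carries password+code; no challenge should follow.
    ulo_req = build_access_request(secret, 1, "myUser", ulo_password("P@ssw0rd", "123456"))
    pkt = parse_packet(ulo_req)
    seen = unhide_password(secret, pkt["authenticator"], dict(pkt["attrs"])[USER_PASSWORD])
    # 2) Challenge path: password only; the server answers Access-Challenge with State and a
    #    prompt, then waits for a second Access-Request carrying the code and echoing State.
    #    The WARNING in the log above is the server's view when that request never arrives.
    req1 = build_access_request(secret, 2, "myUser", "P@ssw0rd")
    challenge = build_response(secret, ACCESS_CHALLENGE, req1,
                               [(REPLY_MESSAGE, b"Enter your security code:"), (STATE, b"ctx-0001")])
    ch = parse_packet(challenge)
    req2 = build_access_request(secret, 3, "myUser", "123456", state=dict(ch["attrs"])[STATE])
    return seen, ch["code"], verify_response(secret, req1, challenge), dict(parse_packet(req2)["attrs"])[STATE]


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the server decoding "P@ssw0rd123456" from the single ULO request, and, on the challenge path, a verified Access-Challenge whose State is echoed in the follow-up request. When testing the SiteMinder integration, compare what the agent actually puts in User-Password (password+code versus password alone) and whether a second Access-Request with State ever reaches port 1812 before the timeout.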