Error : Siteminder returns "Enter your security code:" when integrated with VIP

Article ID: 222709

Products

SITEMINDER

Issue/Introduction

 

When VIP is integrated with SiteMinder and the user is presented with
the Authentication Scheme, logging in with the Security Code fails and
the login prompt appears again.

"Allow Security Validation" is enabled in VIP Access Manager.

 

Cause

 

Policy Server reports "Enter your security code:"

smtracedefault.log :

  [08/18/2021][11:53:53][11:53:53.599][][][][][][4676][6372]
  [1112das3d15-dsadsad11-dasdas4d44-dasds44d-rsfd4441]
  [][][][][][][][][Sm_Auth_Message.cpp:1794][CSm_Auth_Message::AuthenticateUser][sps]
  [][/myApp/myApp.html][myAgent][myAgent][][myVIP][0][4][][myLab][]
  [myUser][uid=myUser,ou=people,ou=im,ou=ca,o=com][][][][][][][][][][][][]
  [Evaluating OnAuthChallenge policy...][][][][][][][][][]

  [08/18/2021][11:53:53][11:53:53.600][][][][][][4676][6372][s383/r499][Login][][]
  [][][][][][Sm_Auth_Message.cpp:5405][CSm_Auth_Message::FormatAttribute][sps][][]
  [myAgent][myAgent][][myVIP][][][][myLab][][myUser]
  [uid=myUser,ou=people,ou=myteam,ou=ca,o=com][][][][][][][][][][Enter your security code:]
  [][][Send response attribute 216, data size is 25][][][][][][][][][]

  [08/18/2021][11:53:53][11:53:53.600][][][][][][4676][6372][s383/r499][][][][][][][][]
  [Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][sps][][][myAgent]
  [myAgent][][myVIP][][Enter your security code:][][myLab][][myUser]
  [uid=myUser,ou=people,ou=myteam,ou=ca,o=com][][][][][][][][][][][][]
  [** Status: Authentication Challenged. ]
  [][][][][][][][][]

From the VIP logs it seems that the password is sent to the RADIUS
server, but the server doesn't grant the user access and returns a
timeout instead:
  
server-log :

  INFO "2021-08-18 11:53:49.782 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812
  0 0 "text=Trying to fetch attribute from User Store No:- 1 whose
  storeName is LAB " Thread-12676 tokenbinding.cpp
  
  [...]
  
  INFO "2021-08-18 11:53:52.136 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812
  0 0 "text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- User
  successfully validated against user-store no. = 1" Thread-12676
  VSAuthOTPFirstFactorImpl.c
  
  INFO "2021-08-18 11:53:52.136 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812
  0 0 "text=[INFO_REQUEST:myUser] requestId:
  9_9_0_w_10_91_6_7_302979868" Thread-12676 VSWebServiceClientImpl.cpp
  
  INFO "2021-08-18 11:53:52.442 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812
  0 0 "text=Prompt user [myUser] for OTP." Thread-12676
  VSAuthOTPStandardControllerImpl.cpp
  
  AUDIT "2021-08-18 11:53:53.598 GMT+0530" 10.91.6.7
  CA_IAM_Windows:1812 0 1912 "text=Access CHALLENGED 0x0: Success
  ,reason=0" Thread-12676 VSValidationEngine.c

After 1 minute, the request timed out:
  
  WARNING "2021-08-18 11:54:52.753 GMT+0530" 0.0.0.0
  CA_IAM_Windows:1812 0 0 "text=_handleChallengeRequestsWorker() --
  RADIUS Access-Challenge request [myUser:11588887670328730302] has
  timed-out." Thread-12316 VSAuthManageChapRequests.cpp
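
To spot this signature in a larger server-log, the following added example (not Broadcom code) pairs each "Prompt user [...] for OTP." record with a later Access-Challenge time-out for the same user and reports how long the challenge waited. It assumes one record per line (the excerpts above are wrapped for display); the function name `find_unanswered_challenges` is hypothetical and the sample input is built from the lines shown in this article.

```python
import re
from datetime import datetime

# Constructed sample: server-log records from this article, joined onto single lines.
SAMPLE_LOG = '''\
INFO "2021-08-18 11:53:52.442 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812 0 0 "text=Prompt user [myUser] for OTP." Thread-12676 VSAuthOTPStandardControllerImpl.cpp
AUDIT "2021-08-18 11:53:53.598 GMT+0530" 10.91.6.7 CA_IAM_Windows:1812 0 1912 "text=Access CHALLENGED 0x0: Success ,reason=0" Thread-12676 VSValidationEngine.c
WARNING "2021-08-18 11:54:52.753 GMT+0530" 0.0.0.0 CA_IAM_Windows:1812 0 0 "text=_handleChallengeRequestsWorker() -- RADIUS Access-Challenge request [myUser:11588887670328730302] has timed-out." Thread-12316 VSAuthManageChapRequests.cpp
'''

# LEVEL "timestamp zone" ip host:port n n "text=..." Thread-N source-file
RECORD = re.compile(
    r'^[A-Z]+ "(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) [^"]*" '
    r'.*?"text=(?P<text>.*)" Thread-\d+ \S+$')
PROMPT = re.compile(r'Prompt user \[(?P<user>[^\]]+)\] for OTP\.')
TIMEOUT = re.compile(
    r'Access-Challenge request \[(?P<user>[^:\]]+):(?P<req>\d+)\] has timed-out\.')


def find_unanswered_challenges(log_text):
    """Return one dict per OTP prompt that ended in a challenge time-out."""
    pending = {}    # user -> time of the most recent OTP prompt
    findings = []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        # Records in one log share a time zone, so naive timestamps compare safely.
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S.%f')
        if (p := PROMPT.search(m['text'])):
            pending[p['user']] = ts
        elif (t := TIMEOUT.search(m['text'])) and t['user'] in pending:
            prompted = pending.pop(t['user'])
            findings.append({
                'user': t['user'],
                'request_id': t['req'],
                'prompted_at': prompted,
                'waited_seconds': (ts - prompted).total_seconds(),
            })
    return findings


if __name__ == '__main__':
    for f in find_unanswered_challenges(SAMPLE_LOG):
        print(f"{f['user']}: challenge {f['request_id']} unanswered "
              f"for {f['waited_seconds']:.1f}s after OTP prompt")
```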

 

Environment

 

  VIP 9.9;
  Policy Server 12.8SP0 on Windows 2012R2;
    Policy Server JDK 1.8.0_191;
  CA Access Gateway (SPS) 12.8SP0 on Windows 2012R2;
  Radius Server in VIP Enterprise Gateway 9.9;
  User Store on CA Directory 14.0.01;

 

Resolution

 

According to the documentation, the Password field should look like:

  passwordcode

where "password" is the password and "code" is the security code. This
is how to enter the password when the authentication popup appears (1).

 

Additional Information

 

(1)

    Testing the RADIUS Server Template authentication scheme for ULO mode

      In the Password field, enter the password followed by a security
      code that you generate on the hardware credential or VIP Access
      credential assigned to the test user.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip/cloud/vip-integrations-v127046077-d2278e2955/Symantec_VIP_Integration_Guide_for_Symantec_SiteMinder_13/vip-integrate-siteminder-config-siteminder/vip-integrate-siteminder-testing-the-Integration/vip-integrate-siteminder-test-radius-auth-scheme-for-ulo-mode.html