Error : Siteminder returns "Enter your security code:" when integrated with VIP


Article ID: 222709







When VIP is integrated with Siteminder and the user is presented with
the Authentication Scheme, entering the Security Code does not log the
user in, and the login prompt appears again.

"Allow Security Validation" is enabled in VIP Access Manager.




Policy Server reports "Enter your security code:"

smtracedefault.log :

  [Evaluating OnAuthChallenge policy...][][][][][][][][][]

  [uid=myUser,ou=people,ou=myteam,ou=ca,o=com][][][][][][][][][][Enter your security code:]
  [][][Send response attribute 216, data size is 25][][][][][][][][][]

  [myAgent][][myVIP][][Enter your security code:][][myLab][][myUser]
  [** Status: Authentication Challenged. ]

From the VIP logs, it seems that the password is sent to the RADIUS
Server, but the server does not grant the user access and returns a
timeout instead.

server-log :

  INFO "2021-08-18 11:53:49.782 GMT+0530" CA_IAM_Windows:1812
  0 0 "text=Trying to fetch attribute from User Store No:- 1 whose
  storeName is LAB " Thread-12676 tokenbinding.cpp
  INFO "2021-08-18 11:53:52.136 GMT+0530" CA_IAM_Windows:1812
  0 0 "text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- User
  successfully validated against user-store no. = 1" Thread-12676
  INFO "2021-08-18 11:53:52.136 GMT+0530" CA_IAM_Windows:1812
  0 0 "text=[INFO_REQUEST:myUser] requestId:
  9_9_0_w_10_91_6_7_302979868" Thread-12676 VSWebServiceClientImpl.cpp
  INFO "2021-08-18 11:53:52.442 GMT+0530" CA_IAM_Windows:1812
  0 0 "text=Prompt user [myUser] for OTP." Thread-12676
  AUDIT "2021-08-18 11:53:53.598 GMT+0530"
  CA_IAM_Windows:1812 0 1912 "text=Access CHALLENGED 0x0: Success
  ,reason=0" Thread-12676 VSValidationEngine.c

And after 1 minute, the request timed out:

  WARNING "2021-08-18 11:54:52.753 GMT+0530"
  CA_IAM_Windows:1812 0 0 "text=_handleChallengeRequestsWorker() --
  RADIUS Access-Challenge request [myUser:11588887670328730302] has
  timed-out." Thread-12316 VSAuthManageChapRequests.cpp




  VIP 9.9;
  Policy Server 12.8SP0 on Windows 2012R2;
    Policy Server JDK 1.8.0_191;
  CA Access Gateway (SPS) 12.8SP0 on Windows 2012R2;
  Radius Server in VIP Enterprise Gateway 9.9;
  User Store on CA Directory 14.0.01;




According to the documentation, the Password field should look like:


where "password" is the password and "code" is the code. This is the
way to set the password when the authentication popup appears (1).


Additional Information



    Testing the RADIUS Server Template authentication scheme for ULO mode

      In the Password field, enter the password followed by a security
      code that you generate on the hardware credential or VIP Access
      credential assigned to the test user.