Configuring Factor RADIUS_RSA (with Duo Server) and attempts to logon with MFA credentials are unsuccessful with the following timeout error in STDOUT:
-- Error with authentication request--
-- Receive timed out
TCPIP SYSTCPDA component trace including the option to see discarded packets is required to debug this issue.
Release : 2.0
Component : Advanced Authentication Mainframe
The commands below are for a TCP/IP stack name of TCPIP and Radius Server at xx.xxx.xxx.xxx using port 1234 and with the assumption that an external writer has been defined to the system PROCLIB with a name of CTWTR.
1. Enter the following commands to activate the trace:
TRACE CT,WTRSTART=CTWTR,WRAP
TRACE CT,ON,COMP=SYSTCPDA,SUB=(TCPIP)
R nn,WTR=CTWTR,END
V TCPIP,TCPIP,PKTTRACE,ON,PROT=UDP,IPADDR=xx.xxx.xxx.xxx,PORTNUM=1234,DISCARD=*
2. Once the trace is activated, recreate the problem.
3. Enter the following commands to deactivate the trace:
V TCPIP,TCPIP,PKTTRACE,OFF
TRACE CT,ON,COMP=SYSTCPDA,SUB=(TCPIP)
R nn,WTR=DISCONNECT,END
TRACE CT,WTRSTOP=CTWTR
4. To view the results of the trace, go into IPCS option 0 (Specify Defaults) and enter
DSNAME('yourhlq.TRACE.DATA') as the source.
Then go to IPCS option 6 (IPCS Subcommand Entry) and enter the following command
CTRACE COMP(SYSTCPDA) SUB((TCPIP)) LOCAL FULL
The following command can be used to validate successful activation and deactivation of the trace:
D TRACE,COMP=SYSTCPDA,SUB=(TCPIP)
The following sample JCL can be used to define an external writer for the component trace. It assumes the data set does not exist. If the data set already exists then it should be deleted or the PROC should be updated to use a new data set name.
//CTWTR PROC
//IEFPROC EXEC PGM=ITTTRCWR
//TRCOUT01 DD DSNAME=yourhlq.TRACE.DATA,UNIT=SYSDA,
// SPACE=(CYL,(500,0),,CONTIG),DISP=(NEW,CATLG),DSORG=PS