Soft-deleted Mobile AOTP Credential doesn't trigger Credential Not Found in RADIUS Proxy

Article ID: 260052

Products

CA Strong Authentication

CA Advanced Authentication

CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

Issue/Introduction

If the Mobile Arcot OTP credential is deleted directly from the ARWFARCOTOTP table, an existing user triggers Credential Not Found and is forwarded to the RADIUS proxy:

02/13/23 16:06:09.067 INFO  RADIUS       00108538 SVRMASTR - Connection: [SERVER_CB_ACCEPT] ip [x.x.x.x] port [1812] wf-protocol [RADIUS] fd [13] stream [0x7f2788001260], fd-transport [0xa07180]
02/13/23 16:06:09.071 INFO  RADIUS       00108568 00056516 - Txn-Begin : TxnID=56516 | ClientTxnID=[] | Protocol=6 (RADIUS) | ReqSize=56 | TST=2023-02-13 21:06:09:0 (DB)
02/13/23 16:06:09.071 INFO  RADIUS       00108568 00056516 - RADIUS Protocol[requestIP=142.113.121.117]. RadiusClientAuthType : 2 (INBAND_PASSWORD).
02/13/23 16:06:09.071 INFO  RADIUS       00108568 00056516 - Using Configuration [VerifyArcotOTP-OATH]'s CredRes to resolve the Credential Type
02/13/23 16:06:09.286 INFO  RADIUS       00108568 00056516 - [UDS] UDS Log : Successfully retrieved the user [testuser] for organization [ADPROD]
02/13/23 16:06:09.288 INFO  RADIUS       00108568 00056516 - Current Response Code ( ResponseCode : 5800 (CREDENTIAL_NOT_FOUND) ) met the AdProcCondition.
02/13/23 16:06:09.288 INFO  RADIUS       00108568 00056516 - Turing On the AdProc.
02/13/23 16:06:09.288 INFO  RADIUS       00108568 00056516 - Additional Processing is about to start.
02/13/23 16:06:09.288 INFO  RADIUS       00108568 00056516 - RADIUS proxy configuration is enabled.
02/13/23 16:06:09.288 INFO  RADIUS       00108568 00056516 - Using Global level RADIUS proxy configuration.
02/13/23 16:06:09.288 INFO  RADIUS       00108568 00056516 - Global RADIUS proxy configuration is enabled.
02/13/23 16:06:09.288 INFO  RADIUS       00108568 00056516 - Found [2] RADIUS proxy server configurations.
02/13/23 16:06:09.288 INFO  RADIUS       00108568 00056516 - Sending authentication request to [x.x.x.x], [1645]
02/13/23 16:06:10.401 INFO  RADIUS       00108568 00056516 - Successfully parsed RADIUS response packet.
02/13/23 16:06:10.401 INFO  RADIUS       00108568 00056516 - Successfully got response from proxy server [x.x.x.x].

If the Mobile Arcot OTP credential is deleted through the SDK or the Admin UI, an existing user doesn't trigger Credential Not Found and is not forwarded to the RADIUS proxy:

02/13/23 16:20:50.603 INFO  RADIUS       00108538 SVRMASTR - Connection: [SERVER_CB_ACCEPT] ip [x.x.x.x] port [1812] wf-protocol [RADIUS] fd [13] stream [0x7f2788000d40], fd-transport [0xa07180]
02/13/23 16:20:50.606 INFO  RADIUS       00108568 00056531 - Txn-Begin : TxnID=56531 | ClientTxnID=[] | Protocol=6 (RADIUS) | ReqSize=56 | TST=2023-02-13 21:20:50:0 (DB)
02/13/23 16:20:50.606 INFO  RADIUS       00108568 00056531 - RADIUS Protocol[requestIP=142.113.121.117]. RadiusClientAuthType : 2 (INBAND_PASSWORD).
02/13/23 16:20:50.606 INFO  RADIUS       00108568 00056531 - Using Configuration [VerifyArcotOTP-OATH]'s CredRes to resolve the Credential Type
02/13/23 16:20:50.701 INFO  RADIUS       00108568 00056531 - [UDS] UDS Log : Successfully retrieved the user [testuser] for organization [ADPROD]
02/13/23 16:20:50.702 INFO  RADIUS       00108568 00056531 - HandleTOTP::ReferenceCounter : 55877441, Auth Window: [55877437, 55877451], Sync Window : [55877437, 55877541]
02/13/23 16:20:50.702 INFO  RADIUS       00108568 00056531 - VerifyOTP Result : INVALID_OTP
02/13/23 16:20:50.703 INFO  RADIUS       00108568 00056531 - AuthTxnPolicy::Marking the status of credential as not found  since it is deleted. Setting response code as CREDENTIAL_NOT_FOUND
02/13/23 16:20:50.703 INFO  RADIUS       00108568 00056531 - RADIUS Protocol[requestIP=142.113.121.117]: Authentication Failed [5800].
02/13/23 16:20:50.736 INFO  RADIUS       00108568 00056531 - Txn-End : TxnID=56531 | ClientTxnID=[] | Processor=17 (AUTH_ARCOT_OTP) | Operation=1070 (AUTH_ARCOT_OTP_VERIFY) | Response=5800 (CREDENTIAL_NOT_FOUND) | Reason=0 (UNDEFINED) | RespSize=20 | Time=344 | DBT=93 | NQ=3 | ExtEvents={ NONE } | AddInfo=[NONE] | LTB=01562 | LNL=0009/0009 | LML=191
02/13/23 16:20:50.736 INFO  RADIUS       00108568 00056531 - Txn-Begin : TxnID= | ClientTxnID=[<NA>] | Protocol=6 (RADIUS) | ReqSize=0 | TST=1971-01-01 00:00:00:0 ()
02/13/23 16:20:50.736 INFO  RADIUS       00108568 00056531 - Empty response payload is detected. Attempting to generate appropriate response.
02/13/23 16:20:50.736 INFO  RADIUS       00108568 00000000 - The request could not be processed by the protocol!.
02/13/23 16:20:50.736 INFO  RADIUS       00108568 00000000 - Response is empty. Connection would be dropped
02/13/23 16:20:50.736 INFO  RADIUS       00108568 00000000 - Protocol module could not process the input. Connection will be closed
02/13/23 16:20:50.737 INFO  RADIUS       00108568 SVRMASTR - Connection: [SERVER_CB_CLOSE] ip [x.x.x.x] port [1812] wf-protocol [RADIUS] fd [13] stream [0x7f2788000d40], fd-transport [0xa07180]

Environment

Release : 9.1.x

Product: CA Strong Authentication

Resolution

This was tested with the 9.1SP3 (9.1.03) version of the CA Strong Authentication product, and it works as expected. The customer environment was at 9.1SP1, and a fix was provided later to address this. If RADIUS proxy is configured and the response for the credential is CREDENTIAL_NOT_FOUND, it should trigger the RADIUS proxy.

02/14/23 23:12:11.998 INFO  RADIUS       00006380 00032051 - RADIUS Protocol[requestIP=10.253.37.196]. RadiusClientAuthType : 2 (INBAND_PASSWORD).
02/14/23 23:12:11.998 INFO  RADIUS       00006380 00032051 - Using Configuration [VerifyArcotOTP-OATH]'s CredRes to resolve the Credential Type
02/14/23 23:12:12.013 INFO  RADIUS       00004464 00032050 - [UDS] UDS Log : Successfully retrieved the user [TESTUSER1] for organization [ADORG]
02/14/23 23:12:12.013 INFO  RADIUS       00004464 00032050 - HandleHOTP::FirstUse? : 0, Auth Window: [3, 12], Sync Window : [3, 102]
02/14/23 23:12:12.013 INFO  RADIUS       00004464 00032050 - VerifyOTP Result : INVALID_OTP
02/14/23 23:12:12.029 INFO  RADIUS       00004464 00032050 - AuthTxnPolicy::Marking the status of credential as not found  since it is deleted. Setting response code as CREDENTIAL_NOT_FOUND
02/14/23 23:12:12.029 INFO  RADIUS       00004464 00032050 - Current Response Code ( ResponseCode : 5800 (CREDENTIAL_NOT_FOUND) ) met the AdProcCondition.
02/14/23 23:12:12.029 INFO  RADIUS       00004464 00032050 - Turing On the AdProc.
02/14/23 23:12:12.029 INFO  RADIUS       00004464 00032050 - Additional Processing is about to start.
02/14/23 23:12:12.029 INFO  RADIUS       00004464 00032050 - RADIUS proxy configuration is enabled.
02/14/23 23:12:12.029 INFO  RADIUS       00004464 00032050 - Found [1] RADIUS proxy server configurations.
02/14/23 23:12:12.029 INFO  RADIUS       00004464 00032050 - Sending authentication request to [x.x.x.x], [1812]
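
A log triage sketch for the behaviour described above, added here as an example and not part of the product: it groups log lines by transaction ID and flags transactions that ended in CREDENTIAL_NOT_FOUND without being sent to the RADIUS proxy. The sample log is constructed from the message formats quoted in this article; `classify`, `MARKERS` and the verdict strings are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: lines abridged from the message formats quoted in the article.
SAMPLE = """\
02/13/23 16:06:09.288 INFO  RADIUS       00108568 00056516 - Current Response Code ( ResponseCode : 5800 (CREDENTIAL_NOT_FOUND) ) met the AdProcCondition.
02/13/23 16:06:09.288 INFO  RADIUS       00108568 00056516 - Sending authentication request to [x.x.x.x], [1645]
02/13/23 16:20:50.703 INFO  RADIUS       00108568 00056531 - AuthTxnPolicy::Marking the status of credential as not found  since it is deleted. Setting response code as CREDENTIAL_NOT_FOUND
02/13/23 16:20:50.703 INFO  RADIUS       00108568 00056531 - RADIUS Protocol[requestIP=x.x.x.x]: Authentication Failed [5800].
02/14/23 23:12:11.998 INFO  RADIUS       00006380 00032051 - Using Configuration [VerifyArcotOTP-OATH]'s CredRes to resolve the Credential Type
02/14/23 23:12:12.029 INFO  RADIUS       00004464 00032050 - AuthTxnPolicy::Marking the status of credential as not found  since it is deleted. Setting response code as CREDENTIAL_NOT_FOUND
02/14/23 23:12:12.029 INFO  RADIUS       00004464 00032050 - Current Response Code ( ResponseCode : 5800 (CREDENTIAL_NOT_FOUND) ) met the AdProcCondition.
02/14/23 23:12:12.029 INFO  RADIUS       00004464 00032050 - Sending authentication request to [x.x.x.x], [1812]
"""

# Fields: date, time, level, module, thread id, transaction id, "-", message
LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+-\s+(.*)$")
MARKERS = {
    "soft_deleted": "Marking the status of credential as not found",
    "not_found": "CREDENTIAL_NOT_FOUND",
    "forwarded": "Sending authentication request to",
}


def classify(log_text):
    """Return {txn_id: verdict} for transactions that hit CREDENTIAL_NOT_FOUND."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or not m.group(2).isdigit():  # skip SVRMASTR and malformed lines
            continue
        for name, needle in MARKERS.items():
            if needle in m.group(3):
                seen[m.group(2)].add(name)  # threads interleave, so key on txn id
    verdicts = {}
    for txn, flags in seen.items():
        if "not_found" not in flags:
            continue
        if "forwarded" in flags:
            verdicts[txn] = "proxied"
        elif "soft_deleted" in flags:
            verdicts[txn] = "soft-deleted credential, NOT proxied"
        else:
            verdicts[txn] = "not found, NOT proxied"
    return verdicts


if __name__ == "__main__":
    print(classify(SAMPLE))
```

Transactions reported as "soft-deleted credential, NOT proxied" match the 9.1SP1 behaviour shown in the second log excerpt.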