Symantec VIP PUSH Number Challenge with RADIUS requires the user to click OK

Article ID: 280366

Updated On:

Products

VIP Service

Issue/Introduction

Authentication requires the end-user to click NEXT or OK after entering the number into the PUSH during a PUSH + Number Challenge authentication. 

Environment

VIP Enterprise Gateway

Cause

VIP Enterprise Gateway 9.10.2 and later supports PUSH Number Challenge with RADIUS as the Access Challenge method. This feature verifies that the user is physically present during authentication by requiring them to enter a uniquely generated, two-digit number from the authentication screen into the PUSH notification on their mobile app. During this flow, the Validation Server adds a custom attribute (#92) to the Access-Challenge response as an indicator for the client to suppress the input box. If the client can't interpret this custom attribute, the end user sees an extra box or input field after the two-digit number is successfully entered into the VIP Mobile app. This behavior is by design, to accommodate PUSH + Number Challenge through the RADIUS flow.

 

Resolution

Clicking OK after the two-digit number is successfully entered into the VIP Mobile app may complete the authentication (check with your vendor).

  • If Enable Number Challenge is set to No, upgrade to VIP EG 9.11 and apply the hotfix found here.
  • Add a label to the field or a message to the login page to remind users that no input is needed. 
  • VIP JavaScript integration can be implemented into the login page if your application supports it. 
  • Work with your application vendor to recognize RADIUS custom attribute value 92 (type: ACCESS_CHALLENGE_FOR_NUMBER_CHALLENGE_PUSH) as an indicator to suppress the input field.
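
The client-side check described in the last item could look like the following sketch. It is an added example, not code from Broadcom or from any RADIUS client vendor. It assumes attribute 92 arrives as a top-level attribute type whose presence alone is the signal (the article does not describe its value encoding), and the sample packets are constructed for the demo.

```python
import struct

ACCESS_CHALLENGE = 11          # RADIUS packet code (RFC 2865)
REPLY_MESSAGE = 18             # standard Reply-Message attribute
NUMBER_CHALLENGE_PUSH = 92     # attribute number named in this article
# Assumption: 92 is a top-level attribute type and only its presence
# matters; the article does not describe how its value is encoded.


def parse_attributes(packet: bytes) -> tuple[int, list[tuple[int, bytes]]]:
    """Return (code, [(type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def challenge_prompt(packet: bytes) -> dict:
    """Decide how a login page should render an Access-Challenge."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_CHALLENGE:
        raise ValueError("not an Access-Challenge")
    message = b"".join(v for t, v in attrs if t == REPLY_MESSAGE)
    suppress = any(t == NUMBER_CHALLENGE_PUSH for t, _ in attrs)
    return {"message": message.decode("utf-8", "replace"),
            "show_input": not suppress}


def build_packet(code: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Constructed sample packets for the demo (zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    push = build_packet(11, [(18, b"Enter 42 in VIP app"), (92, b"\x01")])
    otp = build_packet(11, [(18, b"Enter security code")])
    print(challenge_prompt(push))
    print(challenge_prompt(otp))
```

A production client would verify the Response Authenticator against the shared secret before acting on any attribute; the sketch skips that step to keep the attribute handling in focus.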

Additional Information

Custom Access-Challenge attribute in the RADIUS response: