RADIUS Access-Challenge Response Issue

Hi,

I'm trying to configure the APM functionality on a BigIP running 13.1.02 to support the "Change PIN" request of the Swivel Secure PINsafe authentication; but I seem to be hitting a more fundamental issue with the BigIP's RADIUS Access-Challenge support.

Normal RADIUS authentication against the Swivel authentication server is working fine.

The user logs in; with their credentials submitted over HTTP to the F5 and from there via a RADIUS Access-Request to the Swivel server:

RADIUS Protocol

 Code: Access-Request (1)

 Packet identifier: 0xf2 (242)

 Length: 103

 Authenticator: f25**********************aa92

 [The response to this request is in frame 3]

 Attribute Value Pairs

  AVP: t=User-Name(1) l=10 val=XXXXXXXXX

  AVP: t=User-Password(2) l=18 val=Decrypted: 3407

   Type: 2

   Length: 18

   User-Password: 3407

  AVP: t=NAS-IP-Address(4) l=6 val=10.XXX.XXX.XXX

  AVP: t=NAS-Identifier(32) l=21 val=XXXXXXXXXXXXX

  AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8)

  AVP: t=Tunnel-Client-Endpoint(66) l=16 val=192.168.86.142

  AVP: t=NAS-Port(5) l=6 val=0

 If the user requires that their PIN be changed; the Swivel authentication server responds with a RADIUS Access-Challenge:

RADIUS Protocol

 Code: Access-Challenge (11)

 Packet identifier: 0xf2 (242)

 Length: 31

 Authenticator: f034de3****************586dd5

 [This is a response to a request in frame 2]

 [Time from request: 0.021004000 seconds]

 Attribute Value Pairs

  AVP: t=Reply-Message(18) l=11 val=changepin

   Type: 18

   Length: 11

   Reply-Message: changepin

The F5 successfully detects this Access-Challenge request and presents the user with a further login page containing the Reply-Message as the header (so "changepin" in this case); followed by a single input element (id of "input_1" and name of "_F5_challenge") into which the user can respond.

With the user's response typed into the single input element and the new form submitted; I can see in the HTTP request from the web browser to the F5 the form variable of "_F5_challenge" correctly set to the value typed into the input element.

Looks good so far...

From the RADIUS RFC 2865:

"If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted), and including the State Attribute from the Access-Challenge, if any."

I would therefore expect that the F5 would use value it received in _F5_challenge HTTP form parameter as the new User-Password value within the RADIUS Access-Request that responds to the Access-Challenge. 

This is not what I see – if I capture and decode this RADIUS Access-Request I can see that User-Password is the same value as from the original RADIUS Access-Request from the initial logon page:

RADIUS Protocol

 Code: Access-Request (1)

 Packet identifier: 0xaa (170)

 Length: 105

 Authenticator: aaf*********************3075

 [The response to this request is in frame 5]

 Attribute Value Pairs

  AVP: t=User-Name(1) l=10 val=XXXXXXXXXX

  AVP: t=User-Password(2) l=18 val=Decrypted: 3407

   Type: 2

   Length: 18

   User-Password: 3407

  AVP: t=NAS-IP-Address(4) l=6 val=10.XXX.XXX.XX

  AVP: t=NAS-Identifier(32) l=21 val=XXXXXXXXXXXXXXX

  AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8)

  AVP: t=Tunnel-Client-Endpoint(66) l=16 val=192.168.86.142

  AVP: t=NAS-Port(5) l=6 val=0

  AVP: t=State(24) l=2 val=

   Type: 24

   Length: 2

   State: <MISSING>

Of course; the original password (PIN in this case) is not valid for the replacement PIN within the Swivel server and therefore the PIN change process fails.

The fundamental issue seems to be that I'm unable to control the User-Password element of the F5's reply to the Access-Challenge based on that HTML input element.

Any idea what could be wrong here?

Many thanks

aid