RADIUS Access-Challenge Response Issue
Hi,
I'm trying to configure the APM functionality on a BigIP running 13.1.02 to support the "Change PIN" request of the Swivel Secure PINsafe authentication; but I seem to be hitting a more fundamental issue with the BigIP's RADIUS Access-Challenge support.
Normal RADIUS authentication against the Swivel authentication server is working fine.
The user logs in, with their credentials submitted over HTTP to the F5 and from there via a RADIUS Access-Request to the Swivel server:
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0xf2 (242)
Length: 103
Authenticator: f25**********************aa92
[The response to this request is in frame 3]
Attribute Value Pairs
AVP: t=User-Name(1) l=10 val=XXXXXXXXX
AVP: t=User-Password(2) l=18 val=Decrypted: 3407
Type: 2
Length: 18
User-Password: 3407
AVP: t=NAS-IP-Address(4) l=6 val=10.XXX.XXX.XXX
AVP: t=NAS-Identifier(32) l=21 val=XXXXXXXXXXXXX
AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8)
AVP: t=Tunnel-Client-Endpoint(66) l=16 val=192.168.86.142
AVP: t=NAS-Port(5) l=6 val=0
If the user requires that their PIN be changed, the Swivel authentication server responds with a RADIUS Access-Challenge:
RADIUS Protocol
Code: Access-Challenge (11)
Packet identifier: 0xf2 (242)
Length: 31
Authenticator: f034de3****************586dd5
[This is a response to a request in frame 2]
[Time from request: 0.021004000 seconds]
Attribute Value Pairs
AVP: t=Reply-Message(18) l=11 val=changepin
Type: 18
Length: 11
Reply-Message: changepin
The F5 successfully detects this Access-Challenge request and presents the user with a further login page containing the Reply-Message as the header (so "changepin" in this case), followed by a single input element (id of "input_1" and name of "_F5_challenge") into which the user can respond.
With the user's response typed into the single input element and the new form submitted, I can see in the HTTP request from the web browser to the F5 the form variable "_F5_challenge" correctly set to the value typed into the input element.
Looks good so far...
From the RADIUS RFC 2865:
"If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted), and including the State Attribute from the Access-Challenge, if any."
I would therefore expect that the F5 would use the value it received in the _F5_challenge HTTP form parameter as the new User-Password value within the RADIUS Access-Request that responds to the Access-Challenge.
This is not what I see – if I capture and decode this RADIUS Access-Request I can see that User-Password is the same value as from the original RADIUS Access-Request from the initial logon page:
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0xaa (170)
Length: 105
Authenticator: aaf*********************3075
[The response to this request is in frame 5]
Attribute Value Pairs
AVP: t=User-Name(1) l=10 val=XXXXXXXXXX
AVP: t=User-Password(2) l=18 val=Decrypted: 3407
Type: 2
Length: 18
User-Password: 3407
AVP: t=NAS-IP-Address(4) l=6 val=10.XXX.XXX.XX
AVP: t=NAS-Identifier(32) l=21 val=XXXXXXXXXXXXXXX
AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8)
AVP: t=Tunnel-Client-Endpoint(66) l=16 val=192.168.86.142
AVP: t=NAS-Port(5) l=6 val=0
AVP: t=State(24) l=2 val=
Type: 24
Length: 2
State: <MISSING>
Of course, the original password (PIN in this case) is not valid as the replacement PIN within the Swivel server, and therefore the PIN change process fails.
The fundamental issue seems to be that I'm unable to control the User-Password element of the F5's reply to the Access-Challenge based on that HTML input element.
Any idea what could be wrong here?
Many thanks
aid
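The RFC 2865 challenge/response behaviour the post expects, as an added worked example that is not the poster's, F5's or Swivel's code: a minimal NAS-side client and a constructed PIN-change server that answers a valid PIN with Reply-Message "changepin" plus a State token. The NAS re-submits the Access-Request with a new identifier, the user's challenge reply as the (RFC 2865 section 5.2 encrypted) User-Password, and the State echoed back; `run_exchange(False)` reproduces the failure described above, where the original PIN is resent instead. The shared secret, user name, PINs and the server's policy are constructed assumptions.

```python
import hashlib
import secrets
import struct

# RADIUS codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"constructed-shared-secret"  # assumption: shared secret known to NAS and server

def encrypt_user_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decrypt_user_password(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    """Returns (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        t, l = struct.unpack("!BB", pkt[i:i + 2])
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, pkt[4:20], attrs

class NasClient:
    """Plays the NAS role (the part the F5 APM plays in the post)."""
    def __init__(self, username, secret):
        self.username, self.secret, self.ident = username, secret, 0
    def access_request(self, password, state=None):
        self.ident = (self.ident + 1) % 256   # new request ID for every request
        req_auth = secrets.token_bytes(16)    # fresh random Request Authenticator
        attrs = [(USER_NAME, self.username),
                 (USER_PASSWORD, encrypt_user_password(password, self.secret, req_auth))]
        if state is not None:
            attrs.append((STATE, state))      # echo State from the Access-Challenge
        return build_packet(ACCESS_REQUEST, self.ident, req_auth, attrs)

class PinChangeServer:
    """Constructed stand-in: every user must change their PIN at first login."""
    def __init__(self, secret, users):
        self.secret, self.users, self.must_change = secret, users, set(users)
        self.pending = {}  # State token -> user who still owes a new PIN
    def reply(self, code, ident, req_auth, attrs):
        pkt = build_packet(code, ident, b"\x00" * 16, attrs)
        # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
        auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + self.secret).digest()
        return pkt[:4] + auth + pkt[20:]
    def handle(self, pkt):
        _, ident, req_auth, attrs = parse_packet(pkt)
        user = attrs[USER_NAME]
        pwd = decrypt_user_password(attrs[USER_PASSWORD], self.secret, req_auth)
        token = attrs.get(STATE)
        if token is not None and self.pending.get(token) == user:
            del self.pending[token]
            # The challenge response must be a NEW PIN; resending the old one fails
            if pwd != self.users[user] and len(pwd) >= 4:
                self.users[user] = pwd
                self.must_change.discard(user)
                return self.reply(ACCESS_ACCEPT, ident, req_auth, [])
            return self.reply(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"pin not changed")])
        if pwd != self.users.get(user):
            return self.reply(ACCESS_REJECT, ident, req_auth, [])
        if user in self.must_change:
            token = secrets.token_bytes(8)
            self.pending[token] = user
            return self.reply(ACCESS_CHALLENGE, ident, req_auth,
                              [(REPLY_MESSAGE, b"changepin"), (STATE, token)])
        return self.reply(ACCESS_ACCEPT, ident, req_auth, [])

def run_exchange(resubmit_with_new_pin):
    # Returns (final code, identifiers differ, State echoed, User-Password in the re-submission)
    server = PinChangeServer(SECRET, {b"alice": b"3407"})   # constructed user and PIN
    nas = NasClient(b"alice", SECRET)
    code, ident1, _, chal = parse_packet(server.handle(nas.access_request(b"3407")))
    assert code == ACCESS_CHALLENGE and chal[REPLY_MESSAGE] == b"changepin"
    # RFC behaviour: User-Password is what the user typed into the challenge form;
    # the behaviour observed in the post: the original PIN is sent again.
    answer = b"9182" if resubmit_with_new_pin else b"3407"
    second = nas.access_request(answer, state=chal[STATE])
    _, ident2, auth2, sent = parse_packet(second)
    final = parse_packet(server.handle(second))[0]
    resent = decrypt_user_password(sent[USER_PASSWORD], SECRET, auth2)
    return final, ident1 != ident2, sent.get(STATE) == chal[STATE], resent
```

`run_exchange(True)` returns an Access-Accept with a new identifier and the State echoed; `run_exchange(False)` returns an Access-Reject because the server sees the original PIN "3407" again, which is the symptom the capture above shows.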