ScreenOS Firewalls (NOT SRX)
Visitor
rgar
Posts: 1
Registered: ‎10-04-2011

Having an issue with RSA SecurID Auth

I am trying to authenticate admin users using an RSA SecurID server. I have configured the server on the firewall itself, and configured the login procedure to use the RSA server; however, when I try to authenticate I get the error:

"Admin user User1 has been rejected via the SecurID server at 0.0.0.0." (User1 can authenticate to other things using our RSA server)

 

set auth-server "rsa" id 2
set auth-server "rsa" server-name "x.x.x.x"
set auth-server "rsa" account-type admin
set auth-server "rsa" type securid
set auth-server "rsa" securid encr 0
set auth-server "rsa" src-interface "vlan1" (this is a Layer 2 firewall set up, but I have also tried leaving src-interface blank)
set admin auth server "rsa"
set admin auth remote primary
set admin privilege read-write

 

This is a testing box, so my policies are ALLOW: ALL for all the zones.

Anyone run into this before?

Thanks!

Distinguished Expert
firewall72
Posts: 825
Registered: ‎05-04-2008

Re: Having an issue with RSA SecurID Auth

Hi,

It's been a while since I've configured RSA, but I recall needing a Host Agent which matches the IP of the ScreenOS box. Has that been set up?

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Recognized Expert
NateK
Posts: 234
Registered: ‎02-03-2009

Re: Having an issue with RSA SecurID Auth

IIRC the 0.0.0.0 bit means that the agent host is not set up on RSA, and it may also mean that the node_secret is off.

Attached is a Word export of a write-up we have on our internal network wiki based on a project that we did with SSG, RSA, and Netscreen-Remote.

PDF export was doing some weird stuff to the formatting so I had to stick with MS Word.
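
A small log triage for the symptom discussed in this thread, added here as an example and not posted by any participant: it scans event-log text for the rejection message quoted in the first post and separates rejections that report the server as 0.0.0.0 (which the last reply associates with the agent host record or node secret) from rejections that name a real server address. The timestamp prefix, the sample lines, the 192.0.2.10 address and the function name `triage` are constructed for illustration; treating a non-zero address as a credential-side refusal is an assumption.

```python
import re
from collections import defaultdict

# Message wording taken from the error quoted in the first post.
REJECT_RE = re.compile(
    r"Admin user (?P<user>\S+) has been rejected via the SecurID server at "
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3})\.?"
)

# Constructed sample log lines (the prefix format is an assumption).
SAMPLE_LINES = [
    "2011-10-04 10:01:12 system warn Admin user User1 has been rejected via the SecurID server at 0.0.0.0.",
    "2011-10-04 10:02:40 system warn Admin user User1 has been rejected via the SecurID server at 0.0.0.0.",
    "2011-10-04 10:05:03 system warn Admin user User2 has been rejected via the SecurID server at 192.0.2.10.",
    "2011-10-04 10:06:00 system info Unrelated event that must be ignored.",
]

def triage(lines):
    """Bucket SecurID admin rejections by what the message reports as the server.

    'unbound'  : server shown as 0.0.0.0; count per user. Per the reply above,
                 check the agent host entry and node secret on the RSA side.
    'rejected' : a real server address was reported; list of addresses per user.
                 Assumption: the request reached a server and was refused there.
    """
    unbound = defaultdict(int)
    rejected = defaultdict(list)
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue  # not a SecurID admin rejection
        if m["server"] == "0.0.0.0":
            unbound[m["user"]] += 1
        else:
            rejected[m["user"]].append(m["server"])
    return {"unbound": dict(unbound), "rejected": dict(rejected)}

if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for user, count in report["unbound"].items():
        print(f"{user}: {count} rejection(s) with server 0.0.0.0 -> check agent host / node secret")
    for user, servers in report["rejected"].items():
        print(f"{user}: rejected by {', '.join(servers)} -> check credentials/token")
```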

 

 
