RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
- A Passcode Format Error occurs for one of two reasons:
I. The user is entering the wrong format in the password field, for example:
a. RSA AM is waiting to receive a code and the user is entering the LDAP password.
b. RSA AM is waiting to receive PIN+tokencode and the user is entering the tokencode only.
II. There is a shared secret mismatch (the shared secret on the RADIUS client is not the same as on the RSA RADIUS server).
Troubleshooting Steps:
1- Open the authentication activity monitor to check the authentication attempts.
2- Assign a fixed passcode to a test user. In this example, the current fixed passcode is 4321.
3- Open the Self-Service Console (SSC) and authenticate as this test user with the fixed passcode. The passcode will be changed, for example to 1234.
- This rules out an issue with the token (disabled/not in sync) or the user (disabled/locked).
4- Test the authentication against the RADIUS client and check whether it returns "Error: Authentication method failed - passcode format error."
- In our case, as the token issue has been ruled out, the next step is to check the shared secret.
- According to the Integration guide of SWIFT Alliance Access with RSA Authentication Manager using RADIUS protocol, the shared secret is divided into two parts (Left Security Officer [LSO] and Right Security Officer [RSO]).
- The shared secret should be at least 16 characters in LSO and 16 characters in RSO. The total number of characters for the SWIFT app should be 32.
- In old versions of the SWIFT RADIUS client, both LSO and RSO appear in the same window, as shown below:
This is not the case in new versions of the SWIFT RADIUS client: the LSO user should log in to the SWIFT app to set the LSO shared secret and the RSO user should log in to the SWIFT app to set the RSO shared secret, as shown below:
5- On the RSA AM side, log on to the Security Console -> RADIUS -> RADIUS Client -> SWIFT RADIUS Client. In the shared secret field, enter the LSO shared secret followed by the RSO shared secret.
For example:
- LSO shared secret [16 chars]: SwiftRSA@2018123
- RSO shared secret [16 chars]: QatarQatar202323
- On the RSA AM side, the shared secret should be [32 chars]: SwiftRSA@2018123QatarQatar202323
6- To make sure that RSA AM is receiving the right passcode, take a packet capture of the communication between the SWIFT RADIUS client and RSA AM:
1- To take a packet capture from the RSA AM CLI, follow the steps below:
a. SSH to the primary server.
b. Execute this command: sudo tcpdump -An -vvv -s 0 host IP_RADIUS_CLIENT and port 1812 -w SWIFT.pcap
2- Using WinSCP or any file transfer protocol, retrieve the SWIFT.pcap file for further troubleshooting and analysis.
3- New shared secret: SwiftRSA@2018123QatarQatar202323. Open Wireshark and decrypt the traffic. The packet capture should contain the fixed passcode sent from the RADIUS client; in this example, it should be 1234.
Note: If your shared secret is correct, you can see the passcode in the user password field of the frame; it will display like decrypted \1345\66\316546\33465\31.
- This discussion, https://community.rsa.com/t5/securid-discussions/passcode-format-error-with-swift-integration/td-p/403628, indicates that "The issue was that on the SWIFT application, there are two admin users LSO and RSO. Each of them will create a subset of the RADIUS shared key on the SWIFT application and on the RSA server you have to provide both subsets as 1 shared key in the RADIUS configuration. The reason that we were getting the error “Passcode Format Error” is that the customer provided 1 subset only from the shared key so it was not able to decrypt the password field."
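The effect of providing only one subset of the shared key can be reproduced offline. The following is an added example, not code from RSA or SWIFT: it implements the RADIUS User-Password hiding defined in RFC 2865 section 5.2 and recovers the field once with the full LSO+RSO secret and once with the LSO subset only. The Request Authenticator bytes and all function names are constructed for illustration, and `is_plausible_passcode` is a hypothetical stand-in for a format check, not RSA AM's validation logic.

```python
import hashlib

# Secrets and fixed passcode taken from the article's example.
LSO = b"SwiftRSA@2018123"
RSO = b"QatarQatar202323"
FIXED_PASSCODE = b"1234"
# Constructed 16-byte Request Authenticator (a real client sends random bytes).
AUTHENTICATOR = bytes(range(16))


def _keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: b_i = MD5(secret + previous hidden block, or the authenticator)
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: build the User-Password attribute value."""
    size = max(1, -(-len(password) // 16)) * 16  # pad with NULs to a multiple of 16
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        ks = _keystream(secret, prev)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], ks))
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side (or an analyzer given a secret): undo the hiding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")


def is_plausible_passcode(value: bytes) -> bool:
    # Hypothetical stand-in for a format check; not RSA AM's actual logic.
    return value.isalnum()


if __name__ == "__main__":
    on_wire = hide_password(FIXED_PASSCODE, LSO + RSO, AUTHENTICATOR)
    for label, secret in (("LSO+RSO", LSO + RSO), ("LSO only", LSO)):
        got = recover_password(on_wire, secret, AUTHENTICATOR)
        print(f"{label:9} -> {got!r} plausible={is_plausible_passcode(got)}")
```

With the LSO subset alone, the recovered field is 16 bytes of binary data rather than 1234, which is consistent with the failed decryption described in the discussion quoted above.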
- References for SWIFT RADIUS client Integration with RSA AM:
1. Passcode Format Error with SWIFT integration
2. Integration with SWIFT
3. How to integrate SWIFT Alliance Access with RSA Authentication Manager using RADIUS protocol