How to set a new PIN for RSA SecurID Tokens in RSA Authentication Manager 8.6 or later using NTRadPing Utility
SecurID Authentication Manager 8.6 uses FreeRADIUS as the basis for the SecurID RADIUS server, instead of Steel-Belted RADIUS (SBR) which has reached end-of-life and required replacement. This article explains how to use NTRadPing, a third-party RADIUS test utility, to set a New PIN in new Authentication Manager 8.6 or later.
This solution uses NTRadPing 1.5 with tokens or fixed passcodes that are in New PIN Mode and set PINs through the NTRadPing interface. NOTE: The Access-Challenge STATE values shown below may be different when you use NTRadPing.
Pre-requites: 1. Download, install NTRadPing 1.5 and test authentications. - Please refer a KB article 000014905 for details 2. Create a RADIUS client. - Please review Online Help Topic, "Add a RADIUS Client"
Steps to set in a new PIN in New PIN Mode with NTRadPing 1. Launch the NTRadPing executable. 2. For the RADIUS Server, enter the FQDN or IP address of the Authentication Manager server and for the RADIUS port, enter 1812 3. For RADIUS Secret Key, enter the Shared Secret you created when defining your new RADIUS client. 4. For User Name, enter the user ID of a test user. 5. For Password, enter the tokencode of your test token. Note: This token should be in New PIN Mode. 6. When done, click Send. Since the token is in New PIN Mode, the response we get is Access-Challenge, as shown here: Image description 7. Copy the string and add it to State string similar to below:
Image description 8. Enter a new PIN in Password field and click Send. The response will be to re-enter new PIN. Image description 9. Remove the 1st State string by highlighting it and clicking the Remove button. 10. Copy the New string and add it to the State string similar to below:
11. Re-enter a new PIN in Password field and click Send. The response will be, "PIN Accepted. Wait for the token code to change, then enter the new passcode:" Image description 12. Remove the 2nd State string by highlighting it and clicking the Remove button. 13. Copy the New string and add it to the State string similar to below:
14. Enter a PIN+Tokencode or Passcode in the Password field and click Send. The response will be, "Access-Accept" for successful authentication. Image description
To avoid any type error, administrators may want to turn debugging on and copy the Challenge String .. or may use tcpdump as described in KB 000016395 to copy the State String from a SSH Session. See details of how to turn on debugging in Online Help Topic, "RADIUS Server Log Files" Note the string in the example below: Image description