Authentication with RSA



  • Hello,

    I have a problem with RSA authentication. The “debug auth all” on my ISG2000 gives me this:

    nsisg2000-> get dbuf stream
    ## 2007-06-06 15:43:32 : auth_ext: QUEUE NEW entry (0x24fe4634), as_ptr 0x1bab869c, vsys 0xd4a9150, type 2, app_data_ptr 0x3a5f82c
    ## 2007-06-06 15:43:32 : send_auth_mail: id 1 ptr 0x24fe4634
    ## 2007-06-06 15:43:32 : auth_mail_handler: received mail id 1, ptr 0x24fe4634
    ## 2007-06-06 15:43:32 : get_auth_server_primary_ip: as_ptr 0x1bab869c DNS name IP_RSA to --> ip IP_RSA
    ## 2007-06-06 15:43:32 : get_auth_server_backup1_ip: as_ptr 0x1bab869c DNS name  to --> ip 0.0.0.0
    ## 2007-06-06 15:43:32 : get_auth_server_backup2_ip: as_ptr 0x1bab869c DNS name  to --> ip 0.0.0.0
    CreateSocket: socket 2060, port 2783, net_addr 0.0.0.0 (ok), Created and bound
     --> wait init, acm_server[0] IP_RSA, acm_server[1] 0.0.0.0
    BuildPacket:pvSys 0xd4a9150, auth 0x24fe4634, auth->as_ptr->server_ip IP_RSA
    ## 2007-06-06 15:43:32 : get_node_secret_vsys: ifp 0x1cb1f730, name ethernet1/2, ip_addr IP_ETH1/2_ISG2k. app specified src ifp
    ## 2007-06-06 15:43:32 : get_node_secret_vsys: Trying to get node secret for pvSys 0xd4a9150, (ifp's) vid 0,
    ## 2007-06-06 15:43:32 : uiAceServerIP IP_RSA, ipaddr IP_ETH1/2_ISG2k
    ## 2007-06-06 15:43:32 : fill_node_secret_info: getting secret from file flash:node_secret.ace
    ## 2007-06-06 15:43:32 : read 24576 bytes from file: flash:node_secret.ace
    ## 2007-06-06 15:43:32 : Entry [0]: vid 0, ip IP_ETH1/2_ISG2k, secret e6:e3:c2:5:72:ab:4e:a4:eb:49:3b:eb:9a:10:1b:c3
    ## 2007-06-06 15:43:32 : get_node_secret_vsys: ALREADY HAVE node_secret: vid 0, ip IP_ETH1/2_ISG2k
    ## 2007-06-06 15:43:32 : secret: e6:e3:c2:5:72:ab:4e:a4:eb:49:3b:eb:9a:10:1b:c3, entry 0
    BuildPacket: case ACM_XXX: RETRY_ANOTHER_SERVER
    Ace - SendPacket: calling sendto:
            sock: 2060
            destaddr: IP_RSA
             auth 0x24fe4634, server_idx 0
    Ace - SendPacket: sento succeded, acmmaxservers 1, retry_type = 0x3
    ## 2007-06-06 15:43:32 : CheckResponse: decrypt ok!, sock 2060, net_addr IP_ETH1/2_ISG2k
    callback: flag(5)
     CB--> init done
    ## 2007-06-06 15:43:32 : process_securid_response: received aq_ent 0x24fe4634, flag 6
    ## 2007-06-06 15:43:32 : SecurIDRecv: SECURID_INIT_DONE
    AceSetUsername: hAsynUser (24d5e34, 0)
    AceSetPasscode: hAsynUser (24d5e34, 0)
     -->before send to ace server, name=USERNAME, passwd=1234311061
    AceCheck: hAsynUser (24d5e34,0)
     --> wait auth ret
    BuildPacket:pvSys 0xd4a9150, auth 0x24fe4634, auth->as_ptr->server_ip IP_RSA
    ## 2007-06-06 15:43:32 : get_node_secret_vsys: ifp 0x1cb1f730, name ethernet1/2, ip_addr IP_ETH1/2_ISG2k. app specified src ifp
    ## 2007-06-06 15:43:32 : get_node_secret_vsys: Trying to get node secret for pvSys 0xd4a9150, (ifp's) vid 0,
    ## 2007-06-06 15:43:32 : uiAceServerIP IP_RSA, ipaddr IP_ETH1/2_ISG2k
    ## 2007-06-06 15:43:32 : fill_node_secret_info: getting secret from file flash:node_secret.ace
    ## 2007-06-06 15:43:32 : read 24576 bytes from file: flash:node_secret.ace
    ## 2007-06-06 15:43:32 : Entry [0]: vid 0, ip IP_ETH1/2_ISG2k, secret e6:e3:c2:5:72:ab:4e:a4:eb:49:3b:eb:9a:10:1b:c3
    ## 2007-06-06 15:43:32 : get_node_secret_vsys: ALREADY HAVE node_secret: vid 0, ip IP_ETH1/2_ISG2k
    ## 2007-06-06 15:43:32 : secret: e6:e3:c2:5:72:ab:4e:a4:eb:49:3b:eb:9a:10:1b:c3, entry 0
    BuildPacket: Have node secret, RETRY_ANOTHER_SERVER
    Ace - SendPacket: calling sendto:
            sock: 2060
            destaddr: IP_RSA
             auth 0x24fe4634, server_idx 0
    Ace - SendPacket: sento succeded, acmmaxservers 1, retry_type = 0x3
    ## 2007-06-06 15:43:34 : CheckResponse: decrypt ok!, sock 2060, net_addr IP_ETH1/2_ISG2k
    compareMAC:pvSys 0xd4a9150, auth 0x24fe4634, server_ip IP_RSA
    ## 2007-06-06 15:43:34 : get_node_secret_vsys: ifp 0x1cb1f730, name ethernet1/2, ip_addr IP_ETH1/2_ISG2k. app specified src ifp
    ## 2007-06-06 15:43:34 : get_node_secret_vsys: Trying to get node secret for pvSys 0xd4a9150, (ifp's) vid 0,
    ## 2007-06-06 15:43:34 : uiAceServerIP IP_RSA, ipaddr IP_ETH1/2_ISG2k
    ## 2007-06-06 15:43:34 : fill_node_secret_info: getting secret from file flash:node_secret.ace
    ## 2007-06-06 15:43:34 : read 24576 bytes from file: flash:node_secret.ace
    ## 2007-06-06 15:43:34 : Entry [0]: vid 0, ip IP_ETH1/2_ISG2k, secret e6:e3:c2:5:72:ab:4e:a4:eb:49:3b:eb:9a:10:1b:c3
    ## 2007-06-06 15:43:34 : get_node_secret_vsys: ALREADY HAVE node_secret: vid 0, ip IP_ETH1/2_ISG2k
    ## 2007-06-06 15:43:34 : secret: e6:e3:c2:5:72:ab:4e:a4:eb:49:3b:eb:9a:10:1b:c3, entry 0
    callback: flag(3)
    securid_callback; AceCheck completed
     CB--> accepted
    ## 2007-06-06 15:43:34 : process_securid_response: received aq_ent 0x24fe4634, flag 10
     ACCEPTED !!!
    AceClose: SdiHandle (74707af8, 1169132969)
     --> Close Accept init
    callback: flag(40)
     CB--> final accept
    ## 2007-06-06 15:43:34 : process_securid_response: received aq_ent 0x24fe4634, flag 42
     FINAL ACCEPT!!!
    ## 2007-06-06 15:43:34 : handle_auth_result: auth->auth_type 2, result 1, Calling callback fn 0x5e7a8c
    ## 2007-06-06 15:43:34 : cmp_xauth_cookies: Cookies doesn't match
    ## 2007-06-06 15:43:34 : handle_auth_result: auth->auth_type 2, result 1,free aq_ent 0x24fe4634, total 1
    ## 2007-06-06 15:43:34 : free_delink_auth_queue: entered for auth_q 0x24fe4634, total 1
    
    

    I want to connect with NetScreen Remote, and after one minute I get a “User Authentication failed.” In the event log I get:

    2007-06-06 15:45:31	info	IKE <ip_client>Phase 1: Aborted negotiations because the time limit has elapsed. (0000/278337583)
    2007-06-06 15:45:31	info	IKE<ip_client>: XAuth login failed for gateway <gw_remote>, username <username>, retry: 0, timeout: 1.
    2007-06-06 15:43:25	info	IKE<ip_client>: Received initial contact notification and removed Phase 1 SAs.
    2007-06-06 15:43:25	info	IKE <ip_client>Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
    2007-06-06 15:43:25	info	IKE <ip_client>Phase 1: Completed for user <username>.
    2007-06-06 15:43:25	info	IKE<ip_client>: Received initial contact notification and removed Phase 2 SAs.
    2007-06-06 15:43:25	info	IKE<ip_client>: Received a notification message for DOI <1> <24578> <initial-contact>.
    2007-06-06 15:43:25	info	IKE<ip_client>: Received a notification message for DOI <1> <24577> <replay-status>.
    2007-06-06 15:43:25	info	IKE <ip_client>Phase 1: Responder starts AGGRESSIVE mode negotiations.
    

    It’s an ISG2000 with 5.4.0r1.0 and two interfaces. NetScreen Remote connects to eth1/1 and the RSA server is connected to eth1/2. XAuth without RSA, with local authentication, works fine.

    Does anybody have an idea?
    Thank you.
    Schramme
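The debug dump above shows two things worth checking mechanically before posting such output: the ACE/SecurID exchange itself ends in `FINAL ACCEPT` with `result 1`, and the failure only appears afterwards as `cmp_xauth_cookies: Cookies doesn't match`, while the event log shows the client timing out on XAuth. It also prints the SecurID node secret (`secret e6:e3:...`) and the user's one-time passcode (`passwd=...`) in the clear. The following script is an added example, not part of the original post and not a Juniper tool: it reads a `get dbuf stream` capture and the IKE event log, separates "RSA rejected the user" from "the firewall dropped an accepted result", and redacts both secrets. The sample lines are abridged from the post; `USERNAME` stands in for the poster's real user name, and the IP placeholders are the poster's own.

```python
"""Triage helper for ScreenOS 'debug auth all' output plus the IKE event log.

Added example (not from the post or from Juniper). Assumes the line formats
quoted in the thread: ScreenOS dbuf lines and tab-separated event-log lines.
"""
import re

# Abridged from the post above; USERNAME replaces the poster's real user name.
DBUF_SAMPLE = """\
## 2007-06-06 15:43:32 : Entry [0]: vid 0, ip IP_ETH1/2_ISG2k, secret e6:e3:c2:5:72:ab:4e:a4:eb:49:3b:eb:9a:10:1b:c3
 -->before send to ace server, name=USERNAME, passwd=1234311061
## 2007-06-06 15:43:34 : process_securid_response: received aq_ent 0x24fe4634, flag 10
 ACCEPTED !!!
## 2007-06-06 15:43:34 : process_securid_response: received aq_ent 0x24fe4634, flag 42
 FINAL ACCEPT!!!
## 2007-06-06 15:43:34 : handle_auth_result: auth->auth_type 2, result 1, Calling callback fn 0x5e7a8c
## 2007-06-06 15:43:34 : cmp_xauth_cookies: Cookies doesn't match
"""

EVENT_SAMPLE = """\
2007-06-06 15:45:31\tinfo\tIKE <ip_client>Phase 1: Aborted negotiations because the time limit has elapsed. (0000/278337583)
2007-06-06 15:45:31\tinfo\tIKE<ip_client>: XAuth login failed for gateway <gw_remote>, username <username>, retry: 0, timeout: 1.
2007-06-06 15:43:25\tinfo\tIKE <ip_client>Phase 1: Completed for user <username>.
"""

# ScreenOS prints the 16-byte node secret as colon-separated hex bytes without
# zero padding ("c2:5:72"), so accept one or two hex digits per byte.
NODE_SECRET_RE = re.compile(r"(secret )((?:[0-9a-f]{1,2}:){15}[0-9a-f]{1,2})", re.I)
PASSCODE_RE = re.compile(r"(passwd=)(\S+)")


def redact(text: str) -> str:
    """Mask the node secret and the one-time passcode before the dump is shared."""
    text = NODE_SECRET_RE.sub(r"\1<node-secret-redacted>", text)
    return PASSCODE_RE.sub(r"\1<passcode-redacted>", text)


def analyse_dbuf(text: str) -> dict:
    """What the ACE-client side of the exchange says."""
    return {
        "securid_final_accept": "FINAL ACCEPT" in text,
        "auth_result_success": re.search(r"handle_auth_result:.*result 1\b", text) is not None,
        "xauth_cookie_mismatch": "cmp_xauth_cookies: Cookies doesn't match" in text,
        "node_secret_exposed": NODE_SECRET_RE.search(text) is not None,
        "passcode_exposed": PASSCODE_RE.search(text) is not None,
    }


def analyse_events(text: str) -> dict:
    """What the IKE event log says about the client-facing outcome."""
    return {
        "phase1_completed": "Phase 1: Completed for user" in text,
        "xauth_login_failed": "XAuth login failed" in text,
        "xauth_timed_out": re.search(r"XAuth login failed.*timeout: 1", text) is not None,
        "phase1_aborted": "Aborted negotiations because the time limit has elapsed" in text,
    }


def diagnose(dbuf_text: str, event_text: str) -> str:
    """Combine both views into a one-line verdict."""
    d, e = analyse_dbuf(dbuf_text), analyse_events(event_text)
    if (d["securid_final_accept"] and d["auth_result_success"]
            and d["xauth_cookie_mismatch"] and e["xauth_login_failed"]):
        return ("RSA/ACE accepted the passcode; the result was dropped inside the firewall "
                "(XAuth cookie mismatch), so the client never saw it and timed out")
    if not d["securid_final_accept"]:
        return "RSA/ACE did not accept the passcode; check the ACE server's own logs"
    return "no firewall-side fault identified from these lines"


if __name__ == "__main__":
    print(diagnose(DBUF_SAMPLE, EVENT_SAMPLE))
    print(redact(DBUF_SAMPLE))
```

Run the redaction over the whole `get dbuf stream` capture before pasting it anywhere: the node secret is the shared key between the agent host and the ACE server, and a SecurID passcode, although single-use, identifies the user and the token window.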



  • Hi.

    I resolved the problem. It’s a bug in firmware 5.4.0r1.0. I installed the new 6.0.0r1.0 and XAuth authentication with RSA runs.

    Bye
    Schramme

