Post your working Vasco - NMAS - RADIUS configurations

Daniel Warne

Jun 25, 2007, 4:43:54 AM

I've been trying to come up with a solution that works for a while now.
I'm constantly getting a Miscellaneous Error -1676 on the Radius
Authentication screen when using the latest Digipass Method.

Environment is:

Netware 6.5 sp6
eDirectory 8.8 sp1 (tried 8.7.3.7 also)
Radius.nlm 4.14 (tried 4.15)
DAS Client Configuration: Generic Radius
DAP Configuration: Novell-eDirectory-Name (value=FDN)
Login policy rule sequence = digipass (enforcement=mandatory)
Security Services 2.04 ( ss204_nw )
Vasco Digipass NMAS Method: 3.31 (latest on website)
DGPLSM.NLM Version 2.00 (20 December 2005)
DGPLCM.NLM Version 2.00 (20 December 2005)
NMAS.NLM 3.1.3 (19 Feb 2007)

I've tested with Access Manager, NTRADPING & Vasco Radius Client Simulator
and keep getting the above error.

It would help greatly if anyone that has a working configuration could
post their configuration details and version so I can work out what's going
wrong.

thanks in advance.


Craig Johnson

Jun 26, 2007, 12:19:29 PM

If you use a regular RADIUS method, does it work then? Trying to
isolate the issue.

I'll be trying a Vasco token config for BMgr VPN login soon, and
perhaps could help once I get into this and understand better how it
works.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***


Daniel Warne

Jun 26, 2007, 7:25:54 PM

Yep, if I change the Login Policy Rule to use the NDS sequence
(containing the default NDS method) authentication works successfully via
radius.

Craig Johnson

Jun 27, 2007, 11:28:36 AM

I'm not finding much info on that error.

Let me ask Novell on it.

Have you tried contacting Vasco on this one?

I'm wondering if there is an issue with the NMAS configuration, or if
there is just some limitation in the NetWare RADIUS being able to use
that method?

Daniel Warne

Jun 27, 2007, 8:20:44 PM

Vasco support have been looking at it also for a couple of weeks, and haven't had any luck so far. I wouldn't think this was an isolated case, *someone* out there must have a working set of software versions and configuration?
 



Craig Johnson

Jun 28, 2007, 12:04:38 AM

In article <46838BB2.715C.0000.0@_comunet.com.au>, Daniel Warne wrote:
> Vasco support have been looking at it also for a couple of weeks,
> and haven't had any luck so far. I wouldn't think this was an
> isolated case, *someone* out there must have a working set of
> software versions and configuration?
>
My Novell contact is asking around.

Tried any NMASMON debugging?

Daniel Warne

Jun 28, 2007, 3:29:26 AM

Yep tried NMASMON and Dstrace with the NMAS flags turned on.
 
Neither of these shows any activity, which leads me to believe this is failing before, and actually a software compatibility issue between the RADIUS NLM and the DIGIPASS Methods NLMS.


Craig Johnson

Jun 28, 2007, 2:13:57 PM

In article <4683F02F.715C.0000.0@_comunet.com.au>, Daniel Warne wrote:
> Neither of these shows any activity, which leads me to believe this
> is failing before, and actually a software compatibility issue
> between the RADIUS NLM and the DIGIPASS Methods NLMS.
>
Did you see this tid?

3987489

Perhaps there is some issue with the settings of the LCM?

Daniel Warne

Jun 28, 2007, 7:58:00 PM

Yep, I've had a look at that one, it's pretty much the only TID that has
any reference to that error code.

There isn't any configuration that I'm aware of for the LCM module. It
does load ok, however it doesn't load from c:NWSERVER and doesn't appear
to be on the disk anywhere.

I've tried backrevving to an earlier version, however this NLM doesn't get
downgraded, even though I delete the method and sequence, is there a way
of clearing this?


Regardless, I believe I've pretty much exhausted Novell Knowledgebase and
Google, so this is why I'm asking if anyone has got a working
configuration so I can determine what the differences are.

Craig Johnson

Jun 29, 2007, 9:01:27 PM

In article <cWXgi.891$8i6...@prv-forum2.provo.novell.com>, Daniel Warne
wrote:

> Regardless, I believe I've pretty much exhausted Novell Knowledgebase and
> Google, so this is why I'm asking if anyone has got a working
> configuration so I can determine what the differences are.
>
I've still not got an answer from Novell engineering.

Makes me a bit nervous as I was about to try to get a Vasco token working
for C2S VPN.

Muzza

Jul 1, 2007, 11:34:33 PM

Hiya

I have a working system using an Aventail SSL/VPN, Vasco tokens and NW
Radius

My config: (pretty similar to yours)

Netware 6.5 sp6
eDirectory 8.7.3.9
Radius.nlm 4.14


DAS Client Configuration: Generic Radius
DAP Configuration: Novell-eDirectory-Name (value=FDN)
Login policy rule sequence = digipass (enforcement=mandatory)

Security Services (could not see this in my nw product list?)
Vasco Digipass NMAS Method: 3.2


DGPLSM.NLM Version 2.00 (20 December 2005)
DGPLCM.NLM Version 2.00 (20 December 2005)

NMAS.NLM 3.1.2.0 (14 Oct 2006)

That error you get -1676 is pretty generic and you will also receive it
when authentication fails from a user typo - i.e. wrong NW password
and/or wrong token number.

Am not too sure as to what to ask you, as it's been a while since I set
it up.

1. I assume you have a "digipass" entry as an "Authorized Login Method"?
2. "secret" password is set correctly (under DAS)
3. the "Security Policy" "Read Label" is set correctly? eg = biometric &
password & token, or whatever to suit you

Hopefully the above may help in starting to move forwards....
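
Added example, not part of the original posts: a small script that parses the failing environment list from the first post and the working one above and reports which components differ. The parsing rules (dropping free-text remarks in parentheses, treating `:` and `=` as separators) are assumptions made for these two lists.

```python
import re

# The two environment lists as posted in this thread.
FAILING = """\
Netware 6.5 sp6
eDirectory 8.8 sp1 (tried 8.7.3.7 also)
Radius.nlm 4.14 (tried 4.15)
DAS Client Configuration: Generic Radius
DAP Configuration: Novell-eDirectory-Name (value=FDN)
Login policy rule sequence = digipass (enforcement=mandatory)
Security Services 2.04 ( ss204_nw )
Vasco Digipass NMAS Method: 3.31 (latest on website)
DGPLSM.NLM Version 2.00 (20 December 2005)
DGPLCM.NLM Version 2.00 (20 December 2005)
NMAS.NLM 3.1.3 (19 Feb 2007)"""
WORKING = """\
Netware 6.5 sp6
eDirectory 8.7.3.9
Radius.nlm 4.14
DAS Client Configuration: Generic Radius
DAP Configuration: Novell-eDirectory-Name (value=FDN)
Login policy rule sequence = digipass (enforcement=mandatory)
Security Services (could not see this in my nw product list?)
Vasco Digipass NMAS Method: 3.2
DGPLSM.NLM Version 2.00 (20 December 2005)
DGPLCM.NLM Version 2.00 (20 December 2005)
NMAS.NLM 3.1.2.0 (14 Oct 2006)"""
NOTE = re.compile(r"\((?![^)]*=)[^)]*\)")  # drops "(tried 4.15)", keeps "(value=FDN)"
VERSIONED = re.compile(r"^(.*?)\s+(?:Version\s+)?(\d[\w.]*(?:\s+sp\d+)?)$", re.I)

def parse(listing):
    """Map each component name (lower-cased) to its version or setting."""
    items = {}
    for raw in listing.splitlines():
        key, value = NOTE.sub("", raw).strip(), None  # default: no version listed
        if re.search(r"[:=]", key.split("(")[0]):
            key, value = re.split(r"\s*[:=]\s*", key, maxsplit=1)
        elif m := VERSIONED.match(key):
            key, value = m.groups()
        items[key.lower()] = value
    return items

def differences(a, b):
    """Components whose value differs between two parsed listings."""
    return {k: (a.get(k), b.get(k)) for k in sorted({**a, **b}) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for name, (bad, good) in differences(parse(FAILING), parse(WORKING)).items():
        print(f"{name:28} failing={bad!s:10} working={good}")
```

The versions noted as "tried" in the first post are treated as remarks and not compared.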

Craig Johnson

Jul 3, 2007, 1:43:59 AM

My Novell sources don't know what to think of this, and suggest you
open an incident.