Firewall Wizards mailing list archives
Contivity ES1000 and SecurID
From: lemke () Research Panasonic COM (Kennedy Lemke)
Date: Thu, 18 Mar 1999 17:20:20 -0500
Hello--I apologize if this is considered a fringe topic, but I hope the discussion may help others.

I am installing a VPN box--a "Contivity ES1000" from Nortel (formerly Bay Networks). I've configured the box to work in parallel with our firewall. I picked this box because it advertises that it will work with SecurID which we've been using here successfully for many years. I'm able to use username/password-only authentication but do not wish to do this for obvious reasons--I'd like this to work with our existing SecurID authentication.

I'm currently running version 3.01 of aceserver on a Solaris box. I've added the contivity box as a valid client. However, when the connection program on the remote PC tries to connect, this error message is displayed: "Radius Authentication failed". On the SecurID server, *nothing at all* is displayed in the aceserver logs, but the Contivity box reports:

    03/18/1999 16:53:42 0 Security [11] Radius: verified server "aceserver.ip.address" reply, result: -2, message: Non-matching id in server response.
    03/18/1999 16:53:42 0 Security [12] Radius: "aceserver.ip.address" sent invalid response packet for "username".
    03/18/1999 16:53:42 0 Security [13] Session: IPSEC[username]:24 authentication failed using RADIUS

I'm using the latest version of the Contivity software (V02_10.06). The Nortel support representative reports that this version of their software should work fine with the version of aceserver I'm using, but I suspect I need to upgrade the aceserver software to version 3.3 for a few reasons: first, because authorization isn't working; second, because there's no mention of "RADIUS" in the 3.01 aceserver documentation, and third because this document on Security Dynamics' web server:

    http://www.securitydynamics.com/service/guides/nortel.html

reports that this was tested with version 3.3.

I have three questions regarding this:

(1) Is anyone successfully using a Contivity box with SecurID authentication? If so, is it necessary to upgrade the aceserver server software to version 3.3?

(2) The document mentioned in the URL above indicates as a product requirement: "ACE/Server v3.3 and later with RADIUS front-end." Is the "RADIUS front-end" a completely separate component to the software, or is it included with version 3.3?

(3) Currently I use the aceserver software in conjunction with a Micro-Annex XL terminal server for SecurID authentication (this is done via the "erpcd" process that runs on the aceserver, so the only current client of the aceserver is itself, and I have not had to muck with "node secrets" so far). This Annex box is running version R10.0. Will this version of the Annex software work with version 3.3 of aceserver, or will I *also* have to upgrade the Annex software.

Thanks in advance for any help/pointers you can provide. I'll summarize when this project is complete.

     _____ _______ _____   Kennedy Lemke
    |  __ \__   __|_   _|  Computer Systems Manager
    | |__) | | |    | |    UNIX && TCP/IP Network administrator
    |  ___/  | |    | |    Postmaster && Webmaster && News administrator
    | |      | |   _| |_   Panasonic Technologies, Inc.
    |_|      |_|  |_____|  2 Research Way                    Work: (609) 734-7329
                           Princeton, New Jersey 08540-6628  Fax:  (609) 987-8827
                           Email: lemke () Research Panasonic COM
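For readers interpreting the "Non-matching id in server response" log line quoted in the message above, here is an added example (not part of the original post, and not Nortel's or Security Dynamics' code) of the two checks RFC 2865 requires a RADIUS client to make on a reply: the Identifier must equal the one sent in the request, and the Response Authenticator must verify under the shared secret. The secret, identifier and packets are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply as an RFC 2865 server would (used only for the samples)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def check_reply(reply, request_id, request_auth, secret):
    """Return 'ok', or the reason a client must discard the reply."""
    if len(reply) < 20:
        return "short packet"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return "bad length"
    if ident != request_id:
        # The reply does not answer the outstanding request.
        return "non-matching id"
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        # Wrong shared secret, or the packet was altered in transit.
        return "bad response authenticator"
    return "ok"

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
REQ_ID = 7
REQ_AUTH = bytes(range(16))                   # Request Authenticator of our request
ATTRS = bytes([18, 13]) + b"constructed"      # Reply-Message attribute (type 18)

GOOD = build_reply(ACCESS_ACCEPT, REQ_ID, REQ_AUTH, ATTRS, SECRET)
WRONG_ID = build_reply(ACCESS_ACCEPT, REQ_ID + 1, REQ_AUTH, ATTRS, SECRET)
WRONG_SECRET = build_reply(ACCESS_ACCEPT, REQ_ID, REQ_AUTH, ATTRS, b"other-secret")

def demo():
    """Run each constructed reply through the client-side checks."""
    samples = {"good": GOOD, "wrong_id": WRONG_ID, "wrong_secret": WRONG_SECRET}
    return {name: check_reply(pkt, REQ_ID, REQ_AUTH, SECRET)
            for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```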
Current thread:
- Contivity ES1000 and SecurID Kennedy Lemke (Mar 19)
- Re: Contivity ES1000 and SecurID Jeff Needle Pop (Mar 23)