I'm implementing the RADIUS authentication procedure on a client in a Java application.
The RADIUS server uses RSA SecurID to authenticate the users. As is known, RSA SecurID uses a token. When a user forgets his PIN for the token, the token can be set to a special new PIN mode on the server which forces the user to set a new PIN on the next login attempt.
As far as I know the communication workflow with the server would look like the following:
For steps 2, 3, 4 and 5 I do not know what the packet structure looks like and therefore cannot implement any logic on the client. Does anyone know how the server communicates when a token is in new PIN mode?
Cheers Simon
The tokens used look like this. To create a valid passcode you need to first type your PIN and hit the diamond key below the 7:
(source: comprosec.ch)
It turns out you need to look at the 'Reply-Message' (Type 18) attribute sent within the RADIUS packet from the server. It's very hacky, but it's the official solution since the RADIUS protocol doesn't support such states (see RFC 2865). Talk to your RSA contact, they can provide you with a test server and 2 test tokens to test your parsing code.
Here is what I have found out so far:
Reply-Message contains "Enter a new PIN having from 4 to 6 digits:"
Reply-Message contains "Please re-enter new PIN:"
Reply-Message contains "PIN Accepted"
Reply-Message contains "enter the new tokencode"
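To make the answer above concrete, here is an added example (not code from the asker or the answerer) that parses a RADIUS response per RFC 2865, verifies the Response Authenticator against the shared secret and the Request Authenticator of the outstanding Access-Request before trusting anything in it, and then maps the Reply-Message (Type 18) text of an Access-Challenge onto the four new-PIN prompts listed above. Python is used for brevity; the same layout applies to a Java client. The shared secret, the Request Authenticator, the State value and the sample packets are all constructed here; no real RSA server traffic was captured.

```python
import hashlib
import struct
from enum import Enum

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_REPLY_MESSAGE, ATTR_STATE = 18, 24
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


class NewPinStep(Enum):
    ENTER_NEW_PIN = "enter_new_pin"
    REENTER_NEW_PIN = "reenter_new_pin"
    PIN_ACCEPTED = "pin_accepted"
    ENTER_NEW_TOKENCODE = "enter_new_tokencode"
    UNKNOWN = "unknown"


# Prompt fragments quoted in the answer above, matched case-insensitively as substrings.
PROMPTS = (
    ("enter a new pin having from 4 to 6 digits", NewPinStep.ENTER_NEW_PIN),
    ("please re-enter new pin", NewPinStep.REENTER_NEW_PIN),
    ("pin accepted", NewPinStep.PIN_ACCEPTED),
    ("enter the new tokencode", NewPinStep.ENTER_NEW_TOKENCODE),
)


def encode_attributes(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; each value is at most 253 bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long, split it over several attributes")
        out += bytes([atype, len(value) + 2]) + value
    return out


def decode_attributes(payload):
    """Parse the TLV list that follows the header, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("invalid attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Build a server response carrying the Response Authenticator of RFC 2865 section 3."""
    body = encode_attributes(attrs)
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + auth + body


def parse_response(data, request_auth, secret):
    """Check Length and Response Authenticator, then return (code, ident, attrs)."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("bad Length field")
    body = data[HEADER_LEN:length]
    expected = hashlib.md5(data[:4] + request_auth + body + secret).digest()
    if expected != data[4:HEADER_LEN]:
        raise ValueError("Response Authenticator mismatch: drop the packet")
    return code, ident, decode_attributes(body)


def classify_challenge(data, request_auth, secret):
    """Map an Access-Challenge to a NewPinStep; returns (step, state), or None for other codes."""
    code, _, attrs = parse_response(data, request_auth, secret)
    if code != ACCESS_CHALLENGE:
        return None
    # A long Reply-Message may be split over several attributes; join them before matching.
    text = "".join(v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_REPLY_MESSAGE)
    # The State attribute must be echoed unchanged in the next Access-Request (RFC 2865 section 5.24).
    state = next((v for t, v in attrs if t == ATTR_STATE), None)
    for needle, step in PROMPTS:
        if needle in text.lower():
            return step, state
    return NewPinStep.UNKNOWN, state


# Constructed sample data, not a capture from a real RSA Authentication Manager.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_CHALLENGE = build_response(
    ACCESS_CHALLENGE, 7, REQUEST_AUTH,
    [(ATTR_REPLY_MESSAGE, b"Enter a new PIN having from 4 to 6 digits:"),
     (ATTR_STATE, b"constructed-state")],
    SECRET,
)

if __name__ == "__main__":
    print(classify_challenge(SAMPLE_CHALLENGE, REQUEST_AUTH, SECRET))
```

The client drives the dialogue by sending the new PIN (and later the tokencode) as User-Password in a fresh Access-Request that carries the State bytes returned here; the substring match on Reply-Message is as fragile as the answer warns, so the UNKNOWN branch should surface the raw text to the user rather than silently retrying.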