
Logger 4 - RADIUS authentication implementation is not working

I am trying to set up RADIUS authentication so that ArcSight users do not have to remember another password for their ArcSight account, but it is not working as I expect it to.

I created a rule in the firewall to allow specific RSA traffic between the Logger and the RADIUS server, in our case an RSA appliance, but I do not see a single event in the FW tracking window.

In the Logger 4 GUI, under System Admin - Users/Groups - Authentication menu - Authentication tab, there are several fields that require some config details to be filled in. One of them is the NAS IP Address field. I suppose this is the IP address of the RSA Authentication Manager server?

When I try to log in with one of the local ArcSight login accounts and the password used in Active Directory, I get the following error: Remote server authentication timeout. Unable to verify credentials.

What am I doing wrong? Can anyone assist, please?


Hi Geert,

I don't know exactly where your problem is, but here are some troubleshooting hints:

- use tcpdump or snoop to check whether traffic on port UDP/1645 or UDP/1812 is coming inbound to your Logger-facing FW interface.

- those ports are IMHO the defaults for RSA's RADIUS implementation

- check also for dropped packets on your firewall. Double-check that your cleanup rule has the logging feature enabled

- double-check your RADIUS shared secret and the RADIUS attributes required by Logger (some colleagues told me that there are RADIUS client implementations on the market requiring special attributes in the auth answer; this does not apply to ESM RADIUS, but who knows)

- I also heard of some RADIUS implementations where the RADIUS server tries to reverse-lookup the authenticator name (IP to DNS name of your Logger). Check whether this could be your problem (forward and reverse lookup entries in your DNS for Logger)

Also have a look at ArcSight's knowledge base article with ID 2133!

This is the content I found there:

Summary:

This is a known issue.

A user cannot log in to the Appliance UI if the RADIUS shared key value is not manually updated in the RADIUS authentication section. This value is a hashed value and there is no automatic value saved for it during the RADIUS Authentication Configuration.

Recommendations:

Contact ArcSight Support. ArcSight Support needs SSH access to resolve the issue.

Hope that helps you resolve your issue...

Markus


Hello Markus,

I've also been thinking about adding RADIUS authentication to my Logger, currently on version 5.0 Patch 2.

There are 3 things that I don't know:

  1. What exactly is the NAS, is it the RSA server?
  2. Does the problem of KB #2133 also exist on the latest Logger version?
  3. Does the admin user EVER work, as mentioned in the documentation?

Probably it would be handy to have support involved / informed in advance when I make this change.

BR, Silvan


All,

The NAS (http://en.wikipedia.org/wiki/Network_Access_Server) is like a proxy (if I understand correctly). So if you are directly connecting to your RADIUS server, you do not need to specify this.

Below is my working config (same for the Connector Appliance):

logger_radius_settings.JPG

No port specified for the RADIUS server. FreeRADIUS is being used in this case.

Do not forget, you still need to define the user (same name!) locally on the Logger/ConnApp.

Addition: when using the local password fallback, you can always get into the device, even when RADIUS is not working. So this makes it pretty safe to test your RADIUS setup.

Laters, jhs

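As an added example (not from this thread, ArcSight or RSA), here is the RADIUS Access-Request exchange that Markus's shared-secret hint and the NAS-IP-Address question above concern, implemented from RFC 2865 in Python: it shows what the shared secret actually protects (the User-Password encoding and the Response Authenticator), so a secret mismatch surfaces as an undecodable password on the server and an unverifiable reply on the client, and it carries NAS-IP-Address (attribute type 4), which in the RFC identifies the RADIUS client sending the request. The secret, user name, password, identifier and the 10.0.0.5 address are constructed values.

```python
import hashlib, hmac, ipaddress, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def encode_pap_password(password, secret, authenticator):
    # RFC 2865 s5.2: 16-byte blocks, each XORed with MD5(secret + previous block); block 1 keyed by the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_pap_password(encoded, secret, authenticator):
    # Server-side inverse; a wrong shared secret yields garbage, not an error.
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident, username, password, secret, nas_ip, authenticator):
    # Access-Request as the RADIUS client (the NAS) sends it; authenticator must be
    # 16 random bytes per request (passed in here so the example is reproducible).
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_authenticator_ok(response, request_auth, secret):
    # Client side: a reply keyed with a different secret (or for another request) fails here.
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs
```

Feeding `build_access_request` output to a test RADIUS server, or `decode_pap_password` with the server's configured secret, is a quick offline way to confirm that both sides really hold the same shared secret before blaming the firewall.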