Logger 4 - RADIUS authentication implementation is not working
I am trying to set up RADIUS authentication so that ArcSight users do not have to remember another password for their ArcSight account, but it is not working as I expect it to.
I did create a rule in the firewall to allow specific RSA traffic between the Logger and the RADIUS server, in our case an RSA appliance, but I do not see a single event in the FW tracking window.
In the Logger 4 GUI, under System Admin - Users/Groups - Authentication menu - Authentication tab, there are several fields that require some config details to be filled in. One of them is the NAS IP Address field. I suppose this is the IP address of the RSA Authentication Manager server?
When I try to log in with one of the local ArcSight login accounts and the password used in Active Directory, I get the following error: "Remote server authentication timeout. Unable to verify credentials."
What am I doing wrong? Can anyone assist please...
I don't know exactly where your problem is, but here are some troubleshooting hints:
- Use tcpdump or snoop to check whether traffic on port UDP/1645 or UDP/1812 is coming inbound to your Logger-facing firewall interface.
- Those ports are IMHO the defaults for RSA's RADIUS implementation.
- Also check for dropped packets on your firewall. Double-check that your cleanup rule has logging enabled.
- Double-check your RADIUS shared secret and the RADIUS attributes required by Logger (some colleagues told me that there are RADIUS client implementations on the market that require special attributes in the auth answer; this does not apply to ESM RADIUS, but who knows).
- I also heard of some RADIUS implementations where the RADIUS server tries to reverse-lookup the authenticator name (IP to DNS name of your Logger). Check whether this could be your problem (forward and reverse lookup entries in your DNS for the Logger).
Also have a look at ArcSight's knowledge base article with ID 2133!
This is the content I found there:
This is a known issue.
A user cannot log in to the Appliance UI if the RADIUS shared key value is not manually updated in the RADIUS authentication section. This value is a hashed value, and no value is saved for it automatically during the RADIUS Authentication Configuration.
Contact ArcSight Support. ArcSight Support needs SSH access to resolve the issue.
Hope that helps you resolve your issue...
I've also been thinking about adding RADIUS authentication to my Logger, currently on version 5.0 Patch 2.
There are 3 things I don't know:
- What exactly is the NAS? Is it the RSA server?
- Does the problem of KB #2133 also exist on the latest Logger version?
- Does the admin user EVER work, as mentioned in the documentation?
Probably it would be handy to have support involved / informed in advance when I make this change.
The NAS http://en.wikipedia.org/wiki/Network_Access_Server is like a proxy (if I understand correctly). So if you are connecting directly to your RADIUS server, you do not need to specify this.
Below is my working config (same for the Connector Appliance):
No port is specified for the RADIUS server. FreeRADIUS is being used in this case.
Do not forget that you still need to define the user (same name!) locally on the Logger/ConnApp.
Addition: When using the local password fallback, you can always get into the device, even when RADIUS is not working. So this would make it pretty safe to test your RADIUS setup.
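As an added illustration (not code from this thread, from ArcSight or from any RADIUS product), here is a minimal RFC 2865 Access-Request builder in Python that shows the two fields the thread turns on: the shared secret, which never travels on the wire but keys the MD5 password hiding and the Response Authenticator, and NAS-IP-Address, which per RFC 2865 carries the RADIUS client's own address (the Logger's, not the RSA server's). The secret, user name, password and IP used here are constructed sample values.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 packet code and attribute types used below
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to 16-octet blocks, XOR each with MD5(secret + previous block).
    The first block is keyed by the Request Authenticator, later blocks by the prior ciphertext."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """What the server does: same keystream chain, chained over the received (hidden) blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret: bytes, username: str, password: str, nas_ip: str,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Access-Request carrying User-Name, User-Password and NAS-IP-Address (the client's own IP)."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random octets
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def verify_response(secret: bytes, request_authenticator: bytes, reply: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply that fails this check means the two sides disagree on the shared secret."""
    if len(reply) < 20:
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[4:20] == expected
```

Two failure modes both look like the "authentication timeout" above rather than a reject: a server with no client entry for the Logger's source address (the FreeRADIUS clients.conf case) drops the request without replying, and a shared-secret mismatch produces a reply whose Response Authenticator fails verify_response(), which an RFC-compliant client must silently discard.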