As long as these wizards have not run, nothing is going to work - at least when you're using Verify Access for the integration. So I wonder what/how you managed to make that radclient call work through the Gateway. Or were you using Verify SaaS there?
What does the trace file of the Gateway say? Do you see the Radius calls coming in when connecting via the RADIUS client? And when you do the radclient call from the Gateway server, do you see an "authentication successful" message?
Further isolate the problem by running the radclient (or another Radius test client app) from the Radius client's server (2.2.2.2 as you call it).
Just to make sure: did you restart the Gateway after changing the configuration (of the client IP)?
Original Message:
Sent: Mon January 20, 2025 08:36 AM
From: Eric Hoffmann
Subject: Ibm radius server
Hi Peter,
Thank you for your answer and help. Here is my configuration file:
{
  "address": "::",
  "port": 1812,
  "trace-file": "/tmp/ibm-auth-api.log",
  "trace-rollover": 12697600,
  "ibm-auth-api": {
    "client-id": "********",
    "obf-client-secret": "**********", /* See IbmRadius -obf "the-secret" */
    "protocol": "https",
    "host": "*****.verify.ibm.com",
    "port": 443,
    "max-handles": 16
  },
  "clients": [
    {
      "name": "Forcepoint-SMC",
      "address": "2.2.2.2",
      "secret": "Passw0rd",
      "auth-method": "password",
      "use-external-ldap": false,
      "reject-on-missing-auth-method": true,
      "device-prompt": "A push notification has been sent to your device: [%D].",
      "poll-device": true,
      "poll-timeout": 60
    }
  ]
}
I still have the same error with only password set.
I am trying to set it up with Verify SaaS as you did in your guide. First, thank you for the amazing tutorial and video recording on YouTube - it really helped.
I installed the Gateway on Linux using the Docker containers.
However, I didn't complete the last step you mentioned, and I don't really understand it exactly. Can you please tell me where the Wizards are located?
On the Gateway server, I am running the following command:
echo "User-Name = test, User-Password = example-password" | radclient -x -s 1.1.1.1:1812 auth Passw0rd
(Here, 1.1.1.1 is the example IP for the Gateway server.) When I run this with the configuration and switch to 2.2.2.2 for 1.1.1.1, it works. However, if I set it up with 2.2.2.2 (example for the Client server IP), it does not work anymore.
I configured PHP as the protocol for communication, as it seems to be the only supported one, as far as I know.
Thanks for your help.
------------------------------
Eric Hoffmann
Original Message:
Sent: Mon January 20, 2025 03:14 AM
From: Peter Volckaert
Subject: Ibm radius server
Hi Eric,
I'm assuming your setup is using the IBM Security Gateway for RADIUS and integrates with Verify Access, right?
Please share details on your configuration, specifically on how authentication is configured for that RADIUS client. See this link: https://www.ibm.com/docs/en/security-verify?topic=radius-configuring-security-verify-gateway-server
Please isolate the problem e.g. with a setting of auth_method to "password" (i.e. password only).
Also mind the configuration of use-local-pwd-check if you're running the Gateway on Windows.
The Gateway for RADIUS was originally only supported for Verify SaaS; the support for Verify Access came later on. But the documentation on www.ibm.com/docs on the Gateway's config is not up to date with that ISVA integration.
Just to make sure: did you carefully follow the steps as described over here: https://www.ibm.com/docs/en/sva/11.0.0?topic=configuring-verify-identity-gateway. This is needed to make ISVA understand what the Gateway is sending. What do you see at ISVA's end looking at the runtime trace file?
Hope this helps,
Peter.
------------------------------
Peter Volckaert
Technical Subject Matter Expert
Authentication and Access
IBM Security
Original Message:
Sent: Fri January 17, 2025 09:27 AM
From: Eric Hoffmann
Subject: Ibm radius server
Hi, I am trying to use the RADIUS server for MFA authentication. My problem is that if I test it with radclient, everything works fine. However, when I try to connect using a client service that should interact with the RADIUS server, I encounter the following error on the verify server:
Error:
The system failed to authenticate user "test" because of "INVALID_CREDS"
What am I doing wrong? Below are the requests I sent from the RADIUS server, shown with dummy values and not the real ones:
Example RADIUS IP: 1.1.1.1
Example Client IP: 2.2.2.2
Logs:
with radclient:
IA: 0x678a5904: 0x7f99bcd2f640: Client for packet = 'Forcepoint-SMC' from ::ffff:1.1.1.1
IA: 0x678a5904: 0x7f99bcd2f640: Incoming Radius Packet AccessRequest I=0x71 L=0x43
IA: 0x678a5904: 0x7f99bcd2f640: 'Message-Authenticator'='b0bb5d11e29bfd4cf8aab918ea40b502'
IA: 0x678a5904: 0x7f99bcd2f640: 'User-Name'='test'
IA: 0x678a5904: 0x7f99bcd2f640: 'User-Password'='********'
IA: 0x678a5904: 0x7f99bcd2f640: ibm_auth_hdl_acquire(lang=(null)): Enter
with Client software:
IA: 0x678a5a8d: 0x7fcdd5336640: Client for packet = 'Forcepoint-SMC' from ::ffff:2.2.2.2
IA: 0x678a5a8d: 0x7fcdd5336640: Incoming Radius Packet AccessRequest I=0x58 L=0x4f
IA: 0x678a5a8d: 0x7fcdd5336640: 'NAS-IP-Address'='2.2.2.2'
IA: 0x678a5a8d: 0x7fcdd5336640: 'NAS-Port'='0x1'
IA: 0x678a5a8d: 0x7fcdd5336640: 'User-Name'='test'
IA: 0x678a5a8d: 0x7fcdd5336640: 'User-Password'='********'
IA: 0x678a5a8d: 0x7fcdd5336640: 'Message-Authenticator'='53f02c2bf8d81c174ee9a783dc8d
------------------------------
Eric Hoffmann
------------------------------
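Both attributes that appear in the traces above, User-Password and Message-Authenticator, are derived from the per-client shared secret (RFC 2865 section 5.2 and RFC 2869 section 5.14). The following Python code is an added example, not part of the thread and not IBM's code: it builds a constructed Access-Request with one secret and checks it with another, showing that a secret mismatch makes the Message-Authenticator check fail and the password decode to different bytes. The function names, the secret `client-side-secret` and the fixed Request Authenticator are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def build_access_request(user: bytes, password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Client side: User-Name(1), User-Password(2), Message-Authenticator(80)."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in
                     ((1, user), (2, hide_password(password, secret, req_auth)), (80, bytes(16))))
    pkt = struct.pack("!BBH", 1, 0x58, 20 + len(attrs)) + req_auth + attrs
    # HMAC-MD5 over the whole packet, computed while the attribute value is all zeros.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def check_request(pkt: bytes, secret: bytes):
    """Server side: (message_authenticator_ok, decoded_password) for one candidate secret."""
    req_auth, pos, hidden, mac, zeroed = pkt[4:20], 20, b"", None, bytearray(pkt)
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        if atype == 2:
            hidden = pkt[pos + 2:pos + alen]
        elif atype == 80:
            mac = pkt[pos + 2:pos + alen]
            zeroed[pos + 2:pos + alen] = bytes(alen - 2)
        pos += alen
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    mac_ok = mac is not None and hmac.compare_digest(mac, expected)
    clear, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        clear += xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return mac_ok, clear.rstrip(b"\x00")

# Constructed sample: the sender uses a different secret than the receiving side expects.
REQ_AUTH = bytes(range(16))
PACKET = build_access_request(b"test", b"example-password", b"client-side-secret", REQ_AUTH)
```

Calling `check_request(PACKET, b"Passw0rd")` returns a failed Message-Authenticator check and a decoded password that differs from the one the user typed, while the sender's own secret returns the original password.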