Justin_Y
Enthusiast

Next Code securidnexttoken request for Radius on Push notifications

I am trying to set up Radius with our OTP that supports push notifications. The problem is that currently I get a useless next-code screen after requesting and approving my push notification. I am seeing the same issue setting it up on the UAG or the Connection Server, and we don't have a preference currently if we can find a way to work with this next screen.

We can currently log on; I just wanted to see if someone has found a way to disable this confusing screen. I have a ticket in with support, but they are saying this is a feature request, although in my research I see third-party Radius OTP that is showing a customized next screen or that doesn't prompt at all.

The procedure is:

1. Enter username and PIN.

2. Receive and approve the push notification on my phone.

3. Type anything into this useless next-code screen, then you are passed to AD auth.

company.com/portal/webclient/index.html#/securidnexttoken

[screenshot: pastedImage_1.png]

Looking at this site, they don't even mention the push page, which I found odd if there is no way to get rid of the page:

https://inwebo.atlassian.net/wiki/spaces/DOCS/pages/71565358/VMware+Unified+Access+Gateway+UAG+RADIU...

Looking at this documentation, it looks like they modified the text on this page. If we have to have a next page, we could instruct the user to type anything and click OK:

https://duo.com/docs/vmwareview

4 Replies
BenFB
Commander

We use Duo but another team manages it. When we were initially setting it up we would see a screen similar to the one you are seeing. I believe when the user was configured to select their MFA method (device push, phone call, SMS) they would see the screen. They configured all users to only allow device push and now we no longer see the screen. Basically it comes down to the RADIUS server configuration.

markbenson
VMware Employee

That screen saying "Please check push notification on your mobile device" is presented because your RADIUS server has responded with an Access-Challenge instead of an Access-Accept. The text in the prompt actually comes from your RADIUS server in that Access-Challenge and not from UAG or Connection Server.

On UAG you can trace the RADIUS interactions using tcpdump as shown in this screenshot. This will show that Access-Challenge response. It will be down to the configuration of the RADIUS server.

[screenshot: pastedImage_0.png]

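To make the Access-Challenge versus Access-Accept distinction concrete, here is an added example (my own, not code from VMware, UAG or any RADIUS server). It decodes a RADIUS response packet per RFC 2865, reads the packet code (Access-Accept is 2, Access-Reject is 3, Access-Challenge is 11), pulls out the Reply-Message (attribute 18) and State (attribute 24) attributes that drive the next-token prompt, and checks the Response Authenticator against the shared secret so a spoofed reply is not mistaken for the server's. The shared secret, Request Authenticator and the two sample packets are constructed inline for the demonstration and are not from a real capture.

```python
"""Decode RADIUS responses to tell an Access-Challenge (which makes UAG /
Connection Server show the 'next token' prompt) from an Access-Accept.

Added example, not VMware or RADIUS-server code. Packets, shared secret and
State value below are constructed for the demonstration (RFC 2865 layout).
"""
import hashlib
import struct

# RADIUS packet codes (RFC 2865 section 3)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# Attribute types relevant to the next-token prompt
ATTR_REPLY_MESSAGE = 18
ATTR_STATE = 24


def build_packet(code, identifier, request_auth, secret, attrs):
    """Build a RADIUS response. Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_packet(data):
    """Parse code, identifier, authenticator and attribute TLVs from raw bytes,
    rejecting malformed length fields instead of reading past the buffer."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": identifier, "authenticator": data[4:20], "attrs": attrs}


def verify_response(data, request_auth, secret):
    """True if the Response Authenticator matches the request's authenticator
    and the shared secret, i.e. the reply came from a holder of the secret."""
    expected = hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest()
    return expected == data[4:20]


def classify_response(data):
    """Summarize what a RADIUS client such as UAG does with this response."""
    pkt = parse_packet(data)
    name = CODES.get(pkt["code"], "Unknown(%d)" % pkt["code"])
    reply = b" ".join(v for t, v in pkt["attrs"] if t == ATTR_REPLY_MESSAGE)
    has_state = any(t == ATTR_STATE for t, _ in pkt["attrs"])
    if pkt["code"] == 11:
        outcome = "prompt user for next token; Reply-Message is the dialog text"
    elif pkt["code"] == 2:
        outcome = "RADIUS authentication complete; continue to AD credentials"
    elif pkt["code"] == 3:
        outcome = "authentication failed"
    else:
        outcome = "not a response code a RADIUS client expects"
    return {"code": name, "reply_message": reply.decode("utf-8", "replace"),
            "has_state": has_state, "outcome": outcome}


# --- constructed sample exchange (placeholders, not a real capture) ---
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))   # stands in for the client's random Request Authenticator

CHALLENGE = build_packet(11, 7, REQUEST_AUTH, SECRET, [
    (ATTR_REPLY_MESSAGE, b"Please check push notification on your mobile device"),
    (ATTR_STATE, b"constructed-session-state"),
])
ACCEPT = build_packet(2, 7, REQUEST_AUTH, SECRET, [])

if __name__ == "__main__":
    for label, pkt in (("challenge", CHALLENGE), ("accept", ACCEPT)):
        print(label, verify_response(pkt, REQUEST_AUTH, SECRET), classify_response(pkt))
```

Feed `classify_response` the UDP payload of the server's reply from the tcpdump capture markbenson describes (the RADIUS authentication port is 1812 by default) and it tells you whether the server answered with a challenge; if the code is 11, the prompt text and the State value come from the server, so the fix is on the RADIUS side, as both replies above say, not in UAG or the Connection Server.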
Justin_Y
Enthusiast

Thank you both for the information. I am working with the team that handles the Radius server to get the configuration changed so we can test.

Slimp
Contributor

The solution to this situation can be an additional increase in security with the radius protocol and its further use for generating one-time radius two factor authentication passwords using universal tokens of various levels, which makes this approach more convenient.
