Hello! Is anyone here familiar with using the RSA EAP client for a VPN second factor?
I am trying to construct a new TMG array to replace our current ISA 2006 production servers, but I cannot get clients to authenticate with their RSA tokens. Clients receive error 691 on connection attempts. This is the typical error we would get when an invalid token was entered.
Our setup is TMG Enterprise on 2008 R2 64-bit Enterprise, in a two-server array with a new Configuration Storage Server.
I have successfully set up RSA on the ISA 2006 array by installing the RSA EAP client and selecting RSA Secure EAP from within the RAS access policy. Obviously this was after allowing the RSA servers to accept authentication from these servers and testing successfully with the local RSA test utility.
So now I attempt the exact same thing within TMG, except using the NPS policy instead of the RAS policy. I installed the new 7.1 software and set up the RSA servers to accept the new TMG servers. It passes the authentication test from the local RSA utility. Next I go into NPS and change out the default certificates for the RSA Secure EAP (similar to what I did when I set up ISA). The RSA EAP clients do show up and I can select them within the NPS policy, but it does not work. I can connect VPN clients with MS-CHAP v2/PSK, so I know the VPN is set up right. But I can't use RSA/PSK, which is what we need.
I have verified network service account has access to HKLM\Software\SDTI\ACECLIENT, and access to sdconf.rec. I have also verified the system policy has the RSA servers in the "to" column.
I am stumped. If you have any insight I would greatly appreciate your comments!
-Frank
< Message edited by fstevens -- 15.Apr.2012 1:10:46 PM >
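The post above lists two things it checked by hand: that NETWORK SERVICE can read the RSA agent's registry key and its sdconf.rec, and that the server sees the token failures only as a client-side error 691. The following PowerShell script, added here as an example and not part of the original post, automates the same checks on the TMG/NPS server and then pulls the matching NPS access-denied events (Security log, event ID 6273) so the server's own reason code can be read instead of the client's generic error. The registry path is the one given in the post; the sdconf.rec location is a placeholder parameter, since the post does not state where the file lives.

```powershell
# Added example: verify NETWORK SERVICE read access to the RSA agent's registry key
# and sdconf.rec, then list recent NPS denials with their reason codes.
# Assumptions: run elevated on the TMG/NPS server; -SdconfPath is a PLACEHOLDER,
# replace it with the real sdconf.rec location.
param(
    [string]$SdconfPath = 'C:\PLACEHOLDER\sdconf.rec',   # placeholder path
    [int]$Hours = 1                                        # how far back to read events
)

$account     = 'NT AUTHORITY\NETWORK SERVICE'   # account the NPS (IAS) service runs under
$registryKey = 'HKLM:\Software\SDTI\ACECLIENT'  # key named in the post

function Test-ReadAccess {
    param([string]$Path)
    # $true if an Allow ACE for the account grants at least read rights on $Path.
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $account) { continue }
        if ($ace.AccessControlType -ne 'Allow')       { continue }
        # Registry ACEs expose RegistryRights, file ACEs expose FileSystemRights
        if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = [string]$ace.RegistryRights
        } else {
            $rights = [string]$ace.FileSystemRights
        }
        if ($rights -match 'Read|FullControl') { return $true }
    }
    return $false
}

foreach ($target in @($registryKey, $SdconfPath)) {
    if (-not (Test-Path $target)) {
        Write-Warning "$target does not exist"
        continue
    }
    if (Test-ReadAccess $target) {
        Write-Host "OK      $account can read $target"
    } else {
        Write-Warning "MISSING $account has no read access to $target"
    }
}

# NPS logs every rejected access request as Security event 6273; the Reason Code
# there distinguishes a bad credential from a policy/EAP mismatch, which the
# client only ever sees as error 691.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No NPS denials (event 6273) in the last $Hours hour(s)"
} else {
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time       = $e.TimeCreated
            User       = $data['SubjectUserName']
            AuthType   = $data['AuthenticationType']
            EapType    = $data['EAPType']
            ReasonCode = $data['ReasonCode']
            Reason     = $data['Reason']
        }
    } | Format-Table Time, User, AuthType, EapType, ReasonCode, Reason -AutoSize
}
```

Run it after a failed client attempt; a reason that points at the EAP method or the policy rather than at the credential separates an agent/permission problem from the provider not being available for the platform at all.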
I personally was unsuccessful in the exact same scenario. The reason for this is that, as it stands, RSA has no EAP provider for 2008 R2/NPS.
In the same way everything looked promising, the SDTest test authentications were successful etc.; VPN authentication just would not work. After some digging I found no existing support for 2008 R2.
I also found an article here after a Google search.
My company has also run into this issue: I just installed a new Server 2008 R2 box, loaded TMG 2010, was able to run the SDTest utility successfully and create the node secret, and clients will not connect. In my case, the error is (from an XP client):
"812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error."
I'm using RSA Authentication Mgr v6.1 patch 3/Authentication Agent 6.1 and 7.1 (for Win 7 x64 users).
The issue is that RSA does not have the Remote Authentication Server/RSA EAP components available for Server 2008. I have contacted RSA support, my supervisor requested escalation from RSA, and we are basically getting nowhere - the RSA folks say that they only have 5 customers (including us) reporting this issue, so it is low priority to them.
The bottom line is that you can use RSA SecurID under Server 2008/TMG to authenticate websites (e.g. OWA), but no dice on a VPN. Mine being a small company, I'm looking into the AuthLite product as a replacement...
< Message edited by jlnugent -- 23.Jun.2012 10:20:02 AM >