Wednesday, April 11, 2012

Connecting Vasco Identitykey 3.4 to Quest vWorkspace 7.5 Web Access

Quest vWorkspace ( can be connected to a radius server in order to accomplish two-factor authentication (2FA) . New in version 7.5 of vWorkspace is that 2FA can now also be enforced on the farm, where before version 7.5 you could only enforce 2FA on vWorkspace Web Access.

I've been setting up 2FA on vWorkspace 7.5 in a new environment this week using Vasco Identikey version 3.4. If you ever have to set up this configuration, beware of the following issue;

After setting up Identikey 3.4, importing some digipass GO tokens using .dpx files and assigning a digipass to a testuser, we're ready to configure the connection between vWorkspace and Identykey.

We setup a new client in Identkey Web Manager containing the IP address of the vWorkspace server and a shared secret. We configure the Two Factor in vWorkspace as follows.

Upon testing this in our environment I ran into a "Incorrect username or password" error while logging on to the Web Access server. Vasco Identitkey did not log anything. After some debugging, checking firewalls and running a radius client simulator I did not get any further. The TCP port 1812 was open and reachable and the client simulator even worked from the Web Access server itself!

After setting up additonal tracing on the Identikey server this error came up:

[ValidationTask::getNASLocationFromPacket] > No NAS-IP or NAS-Identifier attribute found.
[ValidationTask::routePacket] > Rejecting RADIUS request due to missing NAS Location

Which traced back to this Vasco Article:
And thisfixed it instantly!

According to Vasco is seems that:

"...IDENTIKEY Server, VACMAN Middleware 3.0 and DIGIPASS Plug-In for IAS are compliant with RFC 2865, which states that a RADIUS Access Request must contain a NAS-IP-Address or NAS-Identifier attribute. Check KB article 120026 for a detailed description:

Because some important third party products are not compliant with RFC 2865, VASCO has included in IDENTIKEY Server the hidden possibility to accept a RADIUS Access Request without the NAS-IP-Address or NAS-Identifier attribute.."

Credits also go to the Quest Support team for assisting on this case!

No comments:

Post a Comment