
Creating a list file to support challenge-response authentication

If you are using RADIUS Authentication as a challenge-response back end, you must have a SQLite database list file to associate users during auto-discovery, so that users can authenticate against the target system.

You can create the file by copying it from another target, such as an Active Directory or RSA Authentication Manager target system.

For Bravura Security Fabric 12.4.0 and up, refer to Creating a list file and copying data from other targets for how to use the target system option "Copy data from these targets, separated by commas, during auto-discovery" to copy the listing data from one or more other targets into the list file for the target. That method also makes use of the Connector execution order auto-discovery list, as well as a post psupdate script for the target that you are copying data to.

Alternatively, you can use the List Override target address option to create the list file as noted below.

The List Override target address option, along with the listoverride.py sample script, is used in this case to automatically copy the list file during auto-discovery from the other target to a new list file for the RADIUS target.

You can configure this using the following steps:

  1. Copy the listoverride.py script from samples to the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory.

  2. Set the List Override target address option to one of the examples noted below.

  3. Ensure that List accounts is checked in the target system settings.

  4. Set the Connector execution order for the targets.

If you are copying the list file from an RSA Authentication Manager target, where RSAAM is the target ID, or from another source where the longid is the same as the shortid and therefore does not need to be replaced, set the List Override target address option to the following:

{action=copy;srcTargetId=RSAAM;}

Normally a RADIUS server lists its users from a customer’s directory (Windows AD or some other LDAP).

If you are copying the list file from another source, such as Active Directory, a postHook specification must be added to ensure that the values from the longid fields are replaced with those from shortid. The short IDs match those of users on the RADIUS Authentication target system.

In this case, where ADDN is the ID of the target that you are copying from, set the List Override target address option to the following:

{action=copy;srcTargetId=ADDN;script=listoverride.py;postHook=replaceLongIdWithShortId;}

The source target must list first during auto-discovery. Configure this by clicking Maintenance > Auto discovery > Connector execution order and ensuring that the source target is added and has a higher priority than the target that you are copying to.

The list file must contain accounts for all users who have accounts on RADIUS, and only those users.

  • If the RADIUS list file does not contain some accounts from the RADIUS target system, or an account is not associated with the user’s profile, then the option to use the authentication chain described in Adding RADIUS authentication to Bravura Security Fabric will not be shown to that user.

  • If the RADIUS authentication method is the only one the user can choose at any step in the authentication chain, and there is no account associated, then login will fail.

  • If the RADIUS list file contains accounts which do not exist on the RADIUS target, users who do not have accounts will be presented with that option for authentication, and if they choose it, it will fail.
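The three conditions above can be checked after auto-discovery by comparing the copied list file with an export of user names from the RADIUS server. The following is an added example, not Bravura Security code; the table name account, its shortid and longid columns, and all sample data are assumptions constructed for illustration.

```python
import sqlite3

# Assumed layout (hypothetical, not Bravura's documented schema):
# one table "account" with text columns "shortid" and "longid".
LIST_QUERY = "SELECT shortid, longid FROM account"


def audit_list_file(conn, radius_users):
    """Compare the copied list file with the accounts that exist on RADIUS."""
    rows = conn.execute(LIST_QUERY).fetchall()
    listed = {shortid for shortid, _ in rows}
    expected = set(radius_users)
    return {
        # On RADIUS but not listed: the chain option is not shown to the user,
        # or login fails if RADIUS is the only method available.
        "missing": sorted(expected - listed),
        # Listed but not on RADIUS: the option is shown and then fails.
        "extra": sorted(listed - expected),
        # longid still differs from shortid: the longid value has not been
        # replaced (for example, replaceLongIdWithShortId did not run).
        "unreplaced": sorted(s for s, l in rows if l != s),
    }


def build_sample_list_file():
    """Constructed sample data standing in for a list file copied from AD."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (shortid TEXT, longid TEXT)")
    conn.executemany(
        "INSERT INTO account VALUES (?, ?)",
        [
            ("alice", "alice"),
            ("bob", "CN=Bob,OU=Staff,DC=example,DC=test"),  # longid not replaced
            ("svc-backup", "svc-backup"),  # no account on RADIUS
        ],
    )
    return conn


if __name__ == "__main__":
    # Constructed export of user names from the RADIUS server.
    radius_users = ["alice", "bob", "carol"]
    report = audit_list_file(build_sample_list_file(), radius_users)
    for finding, ids in report.items():
        print(f"{finding}: {', '.join(ids) or 'none'}")
```

An empty result in all three categories means the list file holds exactly the RADIUS accounts, with short IDs in place of long IDs.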

See Creating a list file to support challenge-response authentication for additional information on usage of the List Override options and the values that can be used for the option's kvgroup notation.