Unable to Multilink Using Third-Party Authentication Schemes (201339)

SYMPTOMS

It is not possible to bundle multiple channels using Routing and Remote Access Service (RRAS), Remote Authentication Dial-In User Service (RADIUS), and third-party "one time password" authentication schemes, such as Security Dynamic's SecurID.

Even if credentials are accepted for the first channel, the second channel fails authentication and does not come up. Upon failure, the first channel remains connected.

CAUSE

Windows NT is designed to always sends the same set of credentials for every channel on a multilink connection. SecurID is designed never to accept the same set of credentials twice. By design, they are incompatible.

RESOLUTION

To work around this problem, you can do either of the following:

If "one time password" is mandatory due to security issues, disable multilink at the client.
If multilinking is desired, use Windows NT/Radius authentication.

MORE INFORMATION

The RRAS Radius client is designed to always send the same set of credentials for links bonded in a multilink connection, and it will always send one Access Request for each link to the RADIUS server independent of the media or authentication used. This assumes a static value for ID and password, which is typical of Windows NT authentication.

SecurID generates a unique password every 60 seconds, and it will not accept the same set of credentials more than once.

Therefore, if Windows NT is designed to always sends the same set of credentials, and SecurID is designed never to accept the same set of credentials twice, these products will not work together by design.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.