Issue
Older I/A Series G3 stations will not connect to an Enterprise Server that has been upgraded to a release with the 2013 security updates. Versions with the 2013 security updates include:
- 3.7.106 (AX-3.7u1)
- 3.6.406 (AX-3.6u4)
- 3.5.406 (AX-3.5u4)
- 3.8.37 (AX-3.8)
Niagara Network Fox Connections State remains "Not Connected" and the Last Failure Cause indicates ...
com.tridium.fox.session.InvalidCommandException: Expecting 'challenge', not 'rejected'
Environment
I/A Series G3, Enterprise Server, ENC, SoftJace
Cause
To increase system security, the update releases significantly modified how I/A Series G3 station password storage is maintained. Any system with an I/A Series G3 Enterprise Server that transitions to an update release for the first time has a few extra steps involving the Enterprise Server station.
Schneider Electric strongly recommends reviewing your security situation and upgrading the latest I/A Series G3 software with updated security measures.
Resolution
The following is an excerpt from the NiagaraAX 2013 Security Update document included in the docs folder for each of the 2013 security update builds. The steps detail how to modify the Legacy Authentication setting to relax security for stations operating at previous builds.
Setting Legacy Authentication within the Fox Service:
- In Workbench, open the running Supervisor station (Fox connection).
- In the Supervisor station, open the property sheet of its NiagaraNetwork - Config > Drivers > NiagaraNetwork.
- Expand the FoxService and look for a new property Legacy Authentication.
- Change Legacy Authentication from the default “Strict” to “Relaxed Until” (shown below) and then Save. For further details, see “Fox Service properties” in the NiagaraAX Drivers Guide.
This should be a temporary setting only. Reset this to “Strict” in the Enterprise Server’s FoxService after you complete upgrading I/A Series G3 in the subordinate ENC/JACE hosts (represented in the Enterprise Server’s NiagaraNetwork). Relaxed authentication in the Enterprise Server’s FoxService allows its subordinate ENC/JACEs to continue to communicate with the Enterprise Server until they have been upgraded. This is necessary to continue operations like remote alarming, archiving histories, and so on.
However, you should NOT leave the Enterprise Server in this state, as this negates much security (see Caution).
Caution: Unless set to “Strict”, either “Relaxed” option is effectively the same as setting the FoxService property Authentication Policy to “Basic”, as this is the only “common ground” authentication between a legacy Fox client (Workbench or another station) and this update release station. Thus, passwords for client connections to this station are passed in clear text. Obviously, this is not a desired operating state. For this reason, you should seldom (if ever) set the Legacy Authentication property to “Always Relaxed”.
