TOTP not working "wrong otp value" after running ubuntu update

Itaios

Jul 4, 2016, 11:32:25 AM
to privacyidea
Hi
I managed to configure TOTP to run with LDAP authentication (MS Active Directory in my case)
Everything worked perfectly until yesterday when I did Ubuntu updates, and now TOTP tokens are not working anymore. I'm getting
"Wrong otp value".


In the past, I installed the NTP daemon and it solved my problem, but now, though ntp is installed, I can't get
my totp tokens to work.

Any idea what changed in the last version of PrivacyIDEA that can break TOTP functionality?

partial log:

rlm_perl: Added pair Auth-Type = Perl
++[perl] returns reject
Failed to authenticate the user.
Sending Access-Reject of id 249 to 192.168.0.1 port 41078
Reply-Message = "wrong otp value"


Thanks

Cornelius Kölbel

Jul 4, 2016, 11:59:29 AM
to priva...@googlegroups.com
We really try to avoid breaking changes.
privacyIDEA is running over 700 unit tests on each commit with ~4500
asserts.
The totp token is tested here:
https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py
with 27 tests.

The only thing added - not changed - was the autoresync.
https://github.com/privacyidea/privacyidea/commits/master/privacyidea/lib/tokens/totptoken.py

If you would provide more information about your TOTP token settings,
which kind of tokens you are using etc.
...you might even get your enlightenment during the time of writing.

At least this often happens to me, when I start to write a question and
I really go into detail, the answer will pop in front of my inner eye
even before hitting the send button.

You should try it ;-)
...if not, it is great if you provide more information.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Itaios

Jul 5, 2016, 8:36:37 AM
to privacyidea
Hi Cornelius,
After changing tokens from 60 to 30 seconds as you recommended,
I'm now able to use them again, with Active Directory and Cisco FW.

Thank you!

Cornelius Kölbel

Jul 5, 2016, 8:45:43 AM
to priva...@googlegroups.com
Thanks for the feedback.

Really strange. Did you really enroll the tokens with 60 secs?
Did you update from 2.12 to 2.13?

Anyway. Good that it is working again.

Kind regards
Cornelius
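
The fix reported in this thread was a change of the token time step from 60 to 30 seconds. As an added illustration (not part of the thread and not privacyIDEA code), this standalone RFC 6238 sketch shows how a step mismatch and clock drift each lead to a rejected code, and which of the two an observed code points to. HMAC-SHA1, 6 digits, the RFC test secret and the names `totp` and `diagnose` are assumptions.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def diagnose(secret: bytes, otp: str, server_time: int,
             steps=(30, 60), window: int = 3):
    """List every (step, drift) under which `otp` verifies.

    drift is counted in time steps relative to server_time: 0 means the
    clocks agree, a negative value means the code is from an earlier
    step (token clock behind the server, or server clock ahead).
    """
    matches = []
    for step in steps:
        for drift in range(-window, window + 1):
            t = server_time + drift * step
            if t < 0:
                continue  # no counter exists before the Unix epoch
            if hmac.compare_digest(totp(secret, t, step, len(otp)), otp):
                matches.append((step, drift))
    return matches

# Constructed sample data: the RFC 6238 test secret, not a real token seed.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Same secret, same instant (t=59 s), different step: different codes.
    print("30 s step:", totp(SECRET, 59, step=30))  # counter 1
    print("60 s step:", totp(SECRET, 59, step=60))  # counter 0
    # Code produced by a 30 s authenticator, checked 90 s later.
    otp = totp(SECRET, 1111111109, step=30)
    print(diagnose(SECRET, otp, 1111111109 + 90))
```

A match only at a non-zero drift points to time synchronisation (NTP); a match only under the other step value points to the token's time step setting.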