newbie: TOTP authentication works from radclient but not from external Radius client (Cisco ASA)


Dave Baddorf

Jul 21, 2016, 4:04:57 PM
to privacyidea
Hello!  

I can't get the RADIUS authentication to FreePBX (with PrivacyIDEA backend) to work. I have a TOTP token which authenticates using the following command: "echo "User-Name=user, User-Password=pin245734" | radclient -sx localhost auth testing123". Yet when my Cisco ASA attempts to authenticate this same user I get the following errors in the FreeRADIUS log (the full log is attached):
  • rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
  • rlm_perl: Added pair Reply-Message = ERR905: Missing parameter: 'pass' 
I've also attached the PrivacyIDEA Debug file, and a 2nd Debug file from the radclient test, which is successful.
As a newbie I'd certainly appreciate any help! I'm really impressed with what I've seen so far with PrivacyIDEA - now I just have to get it connected to my ASA [which I've connected to FreeRADIUS & Google Authenticator open-source in the past]...
Thanks again!
FreeRadiusDebug.txt
PrivacyIdeaDEBUG.txt
WorkingRadclient-PrivacyIdeaDebug.txt

Cornelius Kölbel

Jul 21, 2016, 4:29:07 PM
to priva...@googlegroups.com
Hello Dave,

you did right to check with the radclient tool.

The Reply-Message "Missing parameter" is directly from privacyIDEA.
It states that it does not get the parameter pass.
So obviously the RADIUS protocol contains an empty password or no
password?!?

You can verify this e.g. with wireshark.

And I cannot help you WHY the RADIUS client does not send the
User-Password parameter.

You might have configured CHAP or MSCHAP!
You need to configure PAP.

Kind regards
Cornelius

On Thursday, 21.07.2016, 13:04 -0700, Dave Baddorf wrote:
> Hello!
>
>
> I can't get the RADIUS authentication to FreePBX (with PrivacyIDEA
> backend to work). I have a TOTP token which authenticates using the
> following command: "echo "User-Name=user, User-Password=pin245734" |
> radclient -sx localhost auth testing123". Yet when my Cisco ASA
> attempts to authenticate this same user I get the following errors in
> the FreeRADIUS log (the full log is attached):
> * rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
> * rlm_perl: Added pair Reply-Message = ERR905: Missing
> parameter: 'pass'
> I've also attached the PrivacyIDEA Debug file. Also a 2nd Debug file
> from the radclient test which is successful.
> As a newbie I'd certainly appreciate any help! I'm really impressed
> with what I've seen so far with PrivacyIDEA - now I just have to get
> it connected to my ASA [which I've connected to FreeRADIUS & Google
> Authenticator open-source in the past]...
> Thanks again!
> P.S. I
> followed https://privacyidea.readthedocs.io/en/latest/installation/ubuntu.html for my setup.
>

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

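The diagnosis above (privacyIDEA needs the cleartext password as `pass`, which only a PAP Access-Request carries) and Dave's later finding (the ASA switching to MS-CHAP) can be checked on the wire. The following is an added example, not code from the thread or from privacyIDEA: it builds two constructed Access-Requests, decodes the RFC 2865 User-Password obfuscation with the shared secret `testing123` from the radclient command, and reports whether a packet carries a PAP password, a CHAP response, or a Microsoft vendor-specific (MS-CHAP) attribute. The Request Authenticator is a constructed constant; real ones are random.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC = 1, 2, 3, 26  # RFC 2865 attribute types
MICROSOFT_VENDOR_ID = 311         # RFC 2548: MS-CHAP attributes ride inside this Vendor-Specific attribute
SECRET = b"testing123"            # shared secret used in the radclient command above
AUTHENTICATOR = bytes(range(16))  # constructed Request Authenticator (real ones are random)

def _pap_xor(data, secret, authenticator, encrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(c ^ k for c, k in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if encrypt else chunk)
    return out

def encode_user_password(password, secret, authenticator):
    # NUL-pad to a multiple of 16 bytes, then obfuscate as a NAS (or radclient) would
    return _pap_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, encrypt=True)

def build_access_request(attrs, authenticator, ident=1):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    # Returns (code, authenticator, [(type, value), ...]) from a raw RADIUS packet
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length: raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, packet[4:20], attrs

def classify_credential(packet, secret):
    """Return (mechanism, cleartext password or None); privacyIDEA gets 'pass' only from PAP."""
    _, authenticator, attrs = parse_attributes(packet)
    for t, v in attrs:
        if t == USER_PASSWORD:
            return "PAP", _pap_xor(v, secret, authenticator, encrypt=False).rstrip(b"\x00")
        if t == CHAP_PASSWORD:
            return "CHAP", None   # only a hash of challenge+password, no cleartext to forward
        if t == VENDOR_SPECIFIC and len(v) >= 4 and struct.unpack("!I", v[:4])[0] == MICROSOFT_VENDOR_ID:
            return "MS-CHAP", None  # MS-CHAP-Challenge/-Response, again no cleartext
    return "NONE", None

# Constructed packets: what radclient sends (PAP) versus what an MS-CHAP-configured NAS sends.
PAP_REQUEST = build_access_request([(USER_NAME, b"user"), (USER_PASSWORD, encode_user_password(b"pin245734", SECRET, AUTHENTICATOR))], AUTHENTICATOR)
MSCHAP_VSA = struct.pack("!I", MICROSOFT_VENDOR_ID) + bytes([11, 18]) + b"C" * 16  # vendor-type 11 = MS-CHAP-Challenge
MSCHAP_REQUEST = build_access_request([(USER_NAME, b"user"), (VENDOR_SPECIFIC, MSCHAP_VSA)], AUTHENTICATOR)
```

Running `classify_credential` on a packet captured with wireshark (after the NAS and the shared secret are substituted) shows directly whether FreeRADIUS ever had a cleartext password to hand to rlm_perl; an "MS-CHAP" or "NONE" result is exactly the case that ends in ERR905.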

Dave Baddorf

Jul 25, 2016, 10:31:08 AM
to privacyidea
Cornelius,
Thanks for your help! After troubleshooting this further I found out that on the Cisco ASA, when the command "password-management" is used, then the RADIUS requests to FreeRADIUS must be using MS-CHAP instead of PAP. Once I removed that "password-management" command I was able to use two-factor authentication for the ASA VPNs, through FreeRADIUS to PrivacyIDEA.
I appreciate your great product!
Dave

cornelius.koelbel

Jul 25, 2016, 10:44:40 AM
to Dave Baddorf, privacyidea
Hi Dave,
Thanks a lot for your feedback.
Glad to hear that it works out for you.

Kind regards 
Cornelius 



Cornelius Kölbel 
+49 151 2960 1417

-------- Original Message --------
From: Dave Baddorf <dbad...@icepts.com>
Date: 25.07.16 16:31 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: [privacyidea] newbie: TOTP authentication works from radclient but not from external Radius client (Cisco ASA)
