New to LinOTP (several questions)


ShawnW

Jun 5, 2015, 1:30:13 PM
to lin...@googlegroups.com
Hello, I'm brand new to this software but have had success so far and love the features it offers. My current setup is LinOTP and freeradius running on top of Debian Wheezy. I normally run Red Hat but I'm sure the authors chose Debian as the OS for the appliance for a reason. I've run into a few problems that I can't resolve.


The first problem I ran into deals with the admin web page. I can go to the /manage webpage and authenticate with the username and password I generated with htpasswd, but when I try to log into the /admin page I receive the following error.

{
   "version": "LinOTP 2.7.2", 
   "jsonrpc": "2.0", 
   "result": {
      "status": false, 
      "error": {
         "message": "You have no valid session!", 
         "code": -311
      }
   }, 
   "id": 1
}


My second problem deals with policy. I believe I have set the policy to disallow users from creating more than one mOTP token, however I am able to create multiple mOTP tokens with my username. Have I set something up incorrectly, or maybe it's allowing it because I am the admin?

[Limit_Token_per_user]
realm = *
active = True
client = *
user = *
time = *
action = maxtoken=1
scope = enrollment
[self_enrollGoogle]
realm = *
active = True
client = ""
user = *
time = ""
action = "reset, resync, disable, enrollMOTP, setMOTPPIN, otp_pin_maxlength=6, otp_pin_minlength=4, otp_pin_contents=n"
scope = selfservice

My third question. I am trying to enable two-factor authentication with my Juniper SSL VPN. Users are stored in Windows AD and I am using mOTP as the second factor. When a user attempts to log into the Juniper SSL VPN I want them to be able to enter their Windows AD username and mOTP passcode as the password. Currently the only way I have been able to make the setup work is to use a two-stage process. First the user authenticates with Windows AD username and password; they are then redirected to a second login page that requests their Windows AD username and their mOTP passcode. I do not want the user to be forced to enter their username and AD password and then go to a second login screen and be asked to enter their username and mOTP code. In my first attempt to fix this I configured Juniper to pass the username to the second login request so the user would only be required to enter the mOTP passcode. When the username was forwarded to the second login page I saw in the logs that extra // were added to the name, which made the attempt fail.

Enter username and AD password:  JonSmith
AD Password:                     Password123

FreeRADIUS passes the following as the username:  DOMAIN//JonSmith

I attempted to fix this by telling FreeRADIUS to remove the domain info by adding the word "suffix" to the FreeRADIUS config. The domain was removed and what now passes is /JonSmith. The additional "/" that is not removed makes the lookup fail.

Any suggestions on how to fix this? I'd really like to allow the users to authenticate with only username and mOTP passcode. When configuring the Juniper to authenticate with LinOTP, do I want to configure it to authenticate to my Windows AD and then do secondary auth to LinOTP? LinOTP is being configured as "freeradius in LinOTP".

Thanks in advance for any assistance you can give me.



The information contained in or attached to this email is strictly confidential. If you are not the intended recipient, please notify us immediately by telephone and return the message to us.

Kay Winkler

Jun 7, 2015, 8:54:53 PM
to lin...@googlegroups.com

Dear ShawnW,

first - I will try to split up your requests into 3 different ones
so we can better develop the answers.

see my first answer below

Best regards,

Kay

Am 05.06.2015 um 19:30 schrieb ShawnW:
> Hello, Im brand new to this software but have had success so far and
> love the features it offers. My current setup is LinOTP and freeradius
> running on top of Debian Wheezy. I normally run Red hat but I'm sure the
> authors choose Debian as the OS for the appliance for a reason. I've run
> int a few problems that I can't resolve.
>
>
> The first problem i ran into deals with the admin web page. I can go to
> the /manage webpage and authenticate with the username and password I
> generated with httpasswd but when I try to log into the /admin page I
> receive the following error.
>
> {
> "version": "LinOTP 2.7.2",
> "jsonrpc": "2.0",
> "result": {
> "status": false,
> "error": {
> "message": "You have no valid session!",
> "code": -311
> }
> },
> "id": 1
> }
>

You first can get a 'session' for the admin calls via /admin/getsession,
which gives you a random string that is intended to prevent CSRF.

For the following requests you have to put this session as
+ an additional request parameter AND
+ you have to put this in the admin_session HTTP Cookie.


>
> My second problem deals with Policy. I believe I have set the policy to
> disallow users from creating more than one mOTP token however I am able
> to create multiple mOTP tokens with my username. Have I set something
> up incorrectly or maybe it's allowing it because I am the admin?
>
> [Limit_Token_per_user]
> realm = *
> active = True
> client = *
> user = *
> time = *
> *action = maxtoken=1*

--
Kay Winkler (Software Development) <Kay.W...@lsexperts.de>
Mobil: +49 1751 874 258, Phone: +49 6151 860 86 262, Fax: 299

LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Geschäftsführer: Oliver Michel, Sven Walther, http://www.lsexperts.de
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649


Kay Winkler

Jun 7, 2015, 8:58:29 PM
to lin...@googlegroups.com
Dear ShawnW,

the 'maxtoken' in the policies is intended to
restrict the number of maxtokens per realm.
And sorry, there is currently no policy like
'user_max_token' though I will put this idea
into our backlog for good ideas to implement.

Best regards,

Kay


Am 05.06.2015 um 19:30 schrieb ShawnW:
> Hello, Im brand new to this software but have had success so far and
...
>
> My second problem deals with Policy. I believe I have set the policy to
> disallow users from creating more than one mOTP token however I am able
> to create multiple mOTP tokens with my username. Have I set something
> up incorrectly or maybe it's allowing it because I am the admin?
>
> [Limit_Token_per_user]
> realm = *
> active = True
> client = *
> user = *
> time = *
> *action = maxtoken=1*

Kay Winkler

Jun 7, 2015, 9:10:38 PM
to lin...@googlegroups.com
Dear ShawnW,

your 3rd question is out of my scope -
but probably someone else would have an idea how
to solve this by configuration.

As I'm a developer, I would take the true power
of open source and would look in the python code
at the linotp/controllers/validate.py
for the method simplecheck
and would add an

user.strip('/')

at the corresponding place.
BUT this is not recommended, as this change will get lost
with the next update. Though you can ask for support and
subscription to make this permanent ;-)

Best regards,

Kay

Am 05.06.2015 um 19:30 schrieb ShawnW:
> Hello, Im brand new to this software but have had success so far and
...
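Kay's suggestion is to strip the stray '/' from the user name before the lookup. What follows is an added example, not LinOTP's or FreeRADIUS's code: a Python normalisation step that handles the two forms seen in this thread (DOMAIN//JonSmith and, after the realm module, /JonSmith) and, generalising a little, also DOMAIN\user and user@domain, then shows a lookup against a constructed user table that succeeds only on the normalised name. The function names, the regular expressions and the sample users are my assumptions.

```python
import re
from typing import Dict, NamedTuple, Optional

# Added example, not LinOTP or FreeRADIUS code. Normalises the user name a
# RADIUS client forwards before it is used for the user lookup.


class RadiusUser(NamedTuple):
    domain: Optional[str]   # realm part, if one was present
    user: str               # bare account name used for the lookup


# "DOMAIN//JonSmith" or "DOMAIN\JonSmith": a realm prefix followed by one or
# more separators (the log in this thread shows two slashes).
_PREFIX = re.compile(r"^(?P<domain>[^/\\@]+)[/\\]+(?P<user>.+)$")
# "amiller@example.com": realm as a suffix (generalisation, assumed).
_SUFFIX = re.compile(r"^(?P<user>[^@]+)@(?P<domain>[^@]+)$")


def normalize_radius_username(raw: str) -> RadiusUser:
    """Split realm and account name, then drop leftover separators.

    The final strip() is the step Kay proposes (user.strip('/')): after a
    realm module has cut "DOMAIN/" away, "/JonSmith" may still arrive.
    """
    name = raw.strip()
    m = _PREFIX.match(name)
    if m:
        domain, user = m.group("domain"), m.group("user")
    else:
        m = _SUFFIX.match(name)
        if m:
            domain, user = m.group("domain"), m.group("user")
        else:
            domain, user = None, name
    user = user.strip("/\\")
    if not user:
        raise ValueError(f"no account name left in {raw!r}")
    return RadiusUser(domain.strip() if domain else None, user)


def find_user(raw: str, directory: Dict[str, str]) -> Optional[str]:
    """Look the normalised account name up in a user table.

    The constructed table below stands in for the AD resolver. Returns the
    matching login or None, which is the failure Shawn sees with "/JonSmith"
    when the raw name is used unchanged.
    """
    try:
        entry = normalize_radius_username(raw)
    except ValueError:
        return None
    # case-insensitive, like an AD sAMAccountName lookup
    for login in directory:
        if login.lower() == entry.user.lower():
            return login
    return None


# Constructed sample user table (login -> display name).
SAMPLE_USERS = {"JonSmith": "Jon Smith", "amiller": "Ann Miller"}

if __name__ == "__main__":
    for raw in ("DOMAIN//JonSmith", "/JonSmith", "DOMAIN\\JonSmith", "amiller@example.com", "//"):
        print(f"{raw!r:24} -> {find_user(raw, SAMPLE_USERS)}")
```

The raw strings "DOMAIN//JonSmith" and "/JonSmith" are both not keys of the table, which is exactly the lookup failure from the logs; only after normalisation does the name resolve. Doing this in the RADIUS front end (or keeping it in one small, documented place) avoids the problem Kay points out, that an edit inside validate.py is lost on the next update.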

Shawn Wiley.ext

Jun 8, 2015, 11:01:48 AM
to Kay.W...@lsexperts.de, lin...@googlegroups.com
Hi Kay. Thank you so much for the reply. I am new to Apache and want to make sure I understand what you are saying.

I need to set a cookie to prevent x-site scripting attacks. It looks like I need to add two values to the web page configuration file "/sites-enabled/linotp" but I am not sure what the two lines should say.

additional request parameter (How do I do this?)
you have to put this in the admin_session HTTP Cookie (How do I do this? If it's very basic, please suggest where I can read up and learn how to do this.)

Can you paste an example or point me to the portion of the user manual that explains how to do these two lines?

Thanks,

Shawn 


Shawn Wiley.ext

Jun 8, 2015, 11:02:37 AM
to Kay.W...@lsexperts.de, lin...@googlegroups.com
Thank you. I misunderstood the purpose.




--

Shawn Wiley | Production Information Security Engineer| ULLINK | T: +1 646 565 6603 | M: +1 347 759 1750

|F: +1 212 883 9440| 11 Times Square, 31st fl. | New York, NY 10036 | shawn.w...@ullink.com | http://www.ullink.com

Kay Winkler

Jun 8, 2015, 11:12:02 AM
to lin...@googlegroups.com
Dear Shawn,

the /admin + /system interfaces are the administrative interfaces
and require this session, while the std authentication with
/validate/check does not.

So let's do one step back - and let me ask, what do you want to do
on these administrative interfaces?

+ adminstrative tasks could be done by calling the /manage to show
the Manage WebUI

So if you need an admin client, there are already some:
+ the CLI client and
+ the GUI client

Or do you want to create / integrate a LinOTP administration interface?
If so, this highly depends on your programming language though.

Best regards,

Kay
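Kay's first answer describes the mechanism (/admin/getsession hands out a random string that must then be sent both as a request parameter and in the admin_session cookie), and his answer above says the /admin and /system interfaces require it while /validate/check does not, which matters for anyone writing their own admin integration. The block below is an added example, not LinOTP's own code and not the CLI or GUI client Kay mentions: a Python helper that carries the session the way an integration would, beside a server-side check that shows why this double-submit pattern stops cross-site request forgery. The cookie name admin_session is from Kay's answer; the parameter name "session", the /admin/show path, the example host, the htpasswd basic-auth header and the test user are my assumptions, and the server-side check is my model of the behaviour behind the "You have no valid session!" error, not LinOTP's source.

```python
import hmac
import secrets
import urllib.request
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not LinOTP's own code. Shows how an admin integration has
# to carry the /admin/getsession value and why that defeats CSRF.

COOKIE_NAME = "admin_session"   # cookie name from Kay's answer
PARAM_NAME = "session"          # assumption: name of the request parameter


def issue_admin_session() -> str:
    """Model of what /admin/getsession hands out: an unguessable random string."""
    return secrets.token_hex(16)


def parse_session_from_set_cookie(set_cookie_header: str) -> Optional[str]:
    """Read the admin_session value out of a Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def fetch_admin_session(base_url: str, auth_header: str) -> Optional[str]:
    """Live variant (needs a server, not exercised offline): GET
    /admin/getsession with the htpasswd credentials and keep the cookie.
    Assumption: the session is delivered in the Set-Cookie header."""
    req = urllib.request.Request(f"{base_url}/admin/getsession",
                                 headers={"Authorization": auth_header})
    with urllib.request.urlopen(req) as resp:
        return parse_session_from_set_cookie(resp.headers.get("Set-Cookie", ""))


def build_admin_request(base_url: str, path: str, session: str,
                        params: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """URL and headers for an /admin or /system call.

    The session travels twice: as a request parameter AND in the
    admin_session cookie. A cross-site page can make the browser attach the
    cookie, but it cannot read the value to repeat it in the parameter."""
    query = dict(params)
    query[PARAM_NAME] = session
    url = f"{base_url}{path}?{urlencode(query)}"
    headers = {"Cookie": f"{COOKIE_NAME}={session}"}
    return url, headers


def check_admin_session(url: str, headers: Dict[str, str]) -> bool:
    """Server side of the double-submit check (my model, not LinOTP's code):
    parameter and cookie must both be present and equal. compare_digest
    keeps the comparison constant-time."""
    param = parse_qs(urlsplit(url).query).get(PARAM_NAME, [""])[0]
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get(COOKIE_NAME)
    cookie = morsel.value if morsel else ""
    if not param or not cookie:
        return False
    return hmac.compare_digest(param.encode(), cookie.encode())


def demo(base_url: str = "https://linotp.example") -> Dict[str, bool]:
    """Three requests against the check: a proper one, one carrying only the
    cookie (what a forged cross-site request could send), and one where the
    parameter is guessed."""
    session = issue_admin_session()
    good_url, headers = build_admin_request(base_url, "/admin/show", session, {"user": "JonSmith"})
    guessed_url, _ = build_admin_request(base_url, "/admin/show", "guessed", {"user": "JonSmith"})
    return {
        "valid": check_admin_session(good_url, headers),
        "cookie_only": check_admin_session(f"{base_url}/admin/show?user=JonSmith", headers),
        "parameter_guessed": check_admin_session(guessed_url, headers),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'accepted' if ok else 'rejected'}")
```

In a live integration, fetch_admin_session is called once after logging in and every later /admin or /system call goes through build_admin_request; a call that carries only the cookie, which is what Shawn's browser sends when he opens /admin directly, is the "cookie_only" case and is the request that produces the -311 error.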

Shawn Wiley.ext

Jun 8, 2015, 11:13:50 AM
to Kay.W...@lsexperts.de, lin...@googlegroups.com
 I thought the /admin interface was necessary. Are you saying I do not need it and all configuration can be done via the /manage interface?




--

Shawn Wiley | Production Information Security Engineer| ULLINK | T: +1 646 565 6603 | M: +1 347 759 1750

|F: +1 212 883 9440| 11 Times Square, 31st fl. | New York, NY 10036 | shawn.w...@ullink.com | http://www.ullink.com

ShawnW

Jun 8, 2015, 1:12:16 PM
to lin...@googlegroups.com
Maybe it's best if I take a step back and explain my requirements. Please let me know if this is possible and please recommend the best way to accomplish my requirement.

USER self create/register a phone based token

1. User logs into the https://linotpselfservice.com  (Authenticates with their Windows AD credentials)
2. User registers an mOTP token (ios,or android)

From home user logs into ssl VPN for remote access

3. user goes to www.remoteoffice.com (Juniper SA6500)
4. enter userID and mOTP passcode
5. AUTHENTICATED :)


I chose mOTP because it seemed to be documented better than Google Authenticator.
I was able to get the current solution working by breaking the process into two parts.
     First the user logs into the SSL VPN with UserID and Windows AD credential.
     Second the user logs in with UserID and mOTP passcode.
This is great that it works, but I am getting a lot of complaints about having to do a double login. Can I simplify this into a single login, username plus OTP?

Thanks,

Shawn

Rainer Endres

Jun 8, 2015, 2:08:00 PM
to lin...@googlegroups.com

Hi,

all management tasks can be done in the /manage interface. Some
functions in the management GUI can even be combinations of /admin
functions. The lost token scenario comes to mind.

But also the other way around, if you want to, for example, integrate
LinOTP in your application, you can use the Web API available at the
/admin and /system controllers to provide a subset or all functionality
provided by the /management interface.

Best Regards

Rainer
Rainer Endres
LSE Leading Security Experts GmbH, http://www.lsexperts.de
Postfach 100121, 64201 Darmstadt, Germany
Unternehmenssitz: Weiterstadt Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther


rtyou...@gmail.com

Aug 26, 2015, 1:41:02 PM
to LinOTP
Shawn,

Not sure if this is too late; I just came across this post and thought I could help you with the Juniper SA portion of this. To perform two-factor and role mapping in the Juniper appliance you must first enter AD Username & AD Password; once role mapping is completed we move on to 2 factor. You can get rid of the second username by using $username in the password field under authentication sources.

Alternatively, if you only want to use Username + Pin (less secure) you will need to return RADIUS attributes to perform role mapping since you will not be performing an LDAP Lookup.

Best,

Ryan