anyconnect EAP-GTC with radiusbridge, challenge mode disabled when using LDAPOTP loginmode


Alexandr Tselobenok

Jan 23, 2020, 10:06:15 AM
to RCDevs Security Solutions - Technical
Hello!
 
I'm testing the Cisco AnyConnect client with a default WebADM, OpenOTP, RadiusBridge installation.

When I use LDAP login mode it works fine and the VPN connection is established.
But if I switch to LDAPOTP login mode it treats the request as an "EAP-GTC Wifi access request" and disables OpenOTP challenge mode.
(The message "rlm_openotp: Found EAP-GTC Wifi access request (disabing OpenOTP challenge mode)" appears in the radius debug log. No request for an OTP is being sent to the client.)

What am I missing? Please help.

webadm.log:
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] New openotpSimpleLogin SOAP request
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Username: testuser
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Password: xxxxxxxx
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Client ID: 212.XX.XXX.XX
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Source IP: 212.XXX.XXX.XX
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Retry ID: 1F678E1A6881A7B396C419B0692CC596A9BA2715
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Settings: OpenOTP.ChallengeMode=No
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Options: RADIUS,-U2F
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Enforcing client policy: anyconnect (matched client ID)
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Registered openotpSimpleLogin request
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Resolved LDAP user: cn=testuser,dc=Clients,dc=WebADM
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Resolved source location: BY
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Started transaction lock for user
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found user fullname: testuser
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found user language: EN
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 1 user mobiles: +XXX XXXXXXXX
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 1 user emails: xx...@xxxxx.xxx
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 46 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 1 request settings: ChallengeMode=No
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 4 user data: LastOTP,TokenType,TokenKey,TokenState
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Last OTP expired 2020-01-23 14:41:38
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 1 registered OTP token (TOTP)
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Challenge mode disabled (assuming concatenated passwords)
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Requested login factors: LDAP & OTP
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] LDAP password Ok
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Challenge required but challenge mode disabled
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Sent failure response

radiusd debug:

(0) Received Access-Request Id 6 from 10.141.64.14:1645 to 172.28.0.17:1645 length 234
(0)   Service-Type = Login-User
(0)   Cisco-AVPair = "service-type=Login"
(0)   Cisco-AVPair = "isakmp-phase1-id=eap"
(0)   Calling-Station-Id = "212.XX.XXX.XX"
(0)   Cisco-AVPair = "audit-session-id=L2L45CDF7ACAZO2L4D462AD0BZH11941273H2H2Y357D"
(0)   User-Name = "testuser"
(0)   Cisco-AVPair = "coa-push=true"
(0)   EAP-Message = 0x023b000d017465737475736572
(0)   Message-Authenticator = 0xa94a9d7888ae1a2a9978e3b573121517
(0)   NAS-IP-Address = 10.141.64.14
(0) # Executing section authorize from file /opt/radiusd/lib/radiusd.ini
(0)   authorize {
(0) eap: Peer sent EAP Response (code 2) ID 59 length 13
(0) eap: Continuing tunnel setup
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /opt/radiusd/lib/radiusd.ini
(0)   Auth-Type EAP {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 60 length 6
(0) eap: EAP session adding &reply:State = 0xa82519b2a8190cfc
(0)     [eap] = handled
(0)   } # Auth-Type EAP = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) Sent Access-Challenge Id 6 from 172.28.0.17:1645 to 10.141.64.14:1645 length 0
(0)   EAP-Message = 0x013c00061520
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xa82519b2a8190cfc3b14c3237ae31d97
(0) Finished request
Waking up in 9.9 seconds.
(1) Received Access-Request Id 7 from 10.141.64.14:1645 to 172.28.0.17:1645 length 245
(1)   Service-Type = Login-User
(1)   Cisco-AVPair = "service-type=Login"
(1)   Cisco-AVPair = "isakmp-phase1-id=eap"
(1)   Calling-Station-Id = "212.XX.XXX.XX"
(1)   Cisco-AVPair = "audit-session-id=L2L45CDF7ACAZO2L4D462AD0BZH11941273H2H2Y357D"
(1)   User-Name = "testuser"
(1)   Cisco-AVPair = "coa-push=true"
(1)   EAP-Message = 0x023c00060306
(1)   Message-Authenticator = 0x504df3557baf8411cfc27bbdc3ea9ce9
(1)   State = 0xa82519b2a8190cfc3b14c3237ae31d97
(1)   NAS-IP-Address = 10.141.64.14
(1) session-state: No cached attributes
(1) # Executing section authorize from file /opt/radiusd/lib/radiusd.ini
(1)   authorize {
(1) eap: Peer sent EAP Response (code 2) ID 60 length 6
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /opt/radiusd/lib/radiusd.ini
(1)   Auth-Type EAP {
(1) eap: Expiring EAP session with state 0xa82519b2a8190cfc
(1) eap: Finished EAP session with state 0xa82519b2a8190cfc
(1) eap: Previous EAP request found for state 0xa82519b2a8190cfc, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type GTC (6)
(1) eap: Calling submodule eap_gtc to process data
(1) eap_gtc: EXPAND Password:
(1) eap_gtc:    --> Password:
(1) eap: Sending EAP Request (code 1) ID 61 length 15
(1) eap: EAP session adding &reply:State = 0xa82519b2a9181ffc
(1)     [eap] = handled
(1)   } # Auth-Type EAP = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) Sent Access-Challenge Id 7 from 172.28.0.17:1645 to 10.141.64.14:1645 length 0
(1)   EAP-Message = 0x013d000f0650617373776f72643a20
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xa82519b2a9181ffc3b14c3237ae31d97
(1) Finished request
Waking up in 9.9 seconds.
(2) Received Access-Request Id 8 from 10.141.64.14:1645 to 172.28.0.17:1645 length 252
(2)   Service-Type = Login-User
(2)   Cisco-AVPair = "service-type=Login"
(2)   Cisco-AVPair = "isakmp-phase1-id=eap"
(2)   Calling-Station-Id = "212.XX.XXX.XX"
(2)   Cisco-AVPair = "audit-session-id=L2L45CDF7ACAZO2L4D462AD0BZH11941273H2H2Y357D"
(2)   User-Name = "testuser"
(2)   Cisco-AVPair = "coa-push=true"
(2)   EAP-Message = 0x023d000d065465737431323334
(2)   Message-Authenticator = 0x9d5b532e871606f6c53728b6fe4fdd85
(2)   State = 0xa82519b2a9181ffc3b14c3237ae31d97
(2)   NAS-IP-Address = 10.141.64.14
(2) session-state: No cached attributes
(2) # Executing section authorize from file /opt/radiusd/lib/radiusd.ini
(2)   authorize {
(2) eap: Peer sent EAP Response (code 2) ID 61 length 13
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /opt/radiusd/lib/radiusd.ini
(2)   Auth-Type EAP {
(2) eap: Expiring EAP session with state 0xa82519b2a9181ffc
(2) eap: Finished EAP session with state 0xa82519b2a9181ffc
(2) eap: Previous EAP request found for state 0xa82519b2a9181ffc, released from the list
(2) eap: Peer sent packet with method EAP GTC (6)
(2) eap: Calling submodule eap_gtc to process data
(2) eap_gtc: # Executing group from file /opt/radiusd/lib/radiusd.ini
(2) eap_gtc:   Auth-Type PAP {
rlm_openotp: Found EAP-GTC Wifi access request (disabing OpenOTP challenge mode)
(2) openotp: WARNING: No "known good" password found for the user.
rlm_openotp: Found client ID attribute with value "212.XX.XXX.XX"
rlm_openotp: Found source IP attribute with value "212.XX.XXX.XX"
rlm_openotp: Found device ID attribute with value ""
rlm_openotp: Found client IP attribute with value ""
rlm_openotp: Sending openotpSimpleLogin request
rlm_openotp: OpenOTP authentication failed
rlm_openotp: Reply message: Invalid username or password
rlm_openotp: Sending Access-Reject
(2) eap_gtc:     [openotp] = reject
(2) eap_gtc:   } # Auth-Type PAP = reject
(2) eap: ERROR: Failed continuing EAP GTC (6) session.  EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 61 length 4
(2) eap: Failed in EAP select
(2)     [eap] = invalid
(2)   } # Auth-Type EAP = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) Login incorrect (eap: Failed continuing EAP GTC (6) session.  EAP sub-module failed): [testuser] (from client any port 0 cli 212.XX.XXX.XX)
(2) Sent Access-Reject Id 8 from 172.28.0.17:1645 to 10.141.64.14:1645 length 0
(2)   Reply-Message := "Invalid username or password"
(2)   Error-Cause := 25238512
(2)   EAP-Message = 0x043d0004
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2) Finished request
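To make the radiusd trace above easier to read, here is an added Python example (not code from RCDevs or FreeRADIUS) that decodes the EAP-Message attribute values it contains: the Identity response, the EAP-TTLS start, the client's NAK proposing GTC, the GTC "Password: " prompt, the GTC reply and the final Failure. The hex strings are the ones printed in the trace; the header layout is from RFC 3748 and the type numbers from the IANA EAP registry. The decoder reports only the length of the GTC reply, because that type-data is the value the user typed at the prompt, which is exactly the string rlm_openotp forwards to openotpSimpleLogin as the password.

```python
"""Decode EAP-Message attribute values from a radiusd -X trace.

Added example, not code from RCDevs or FreeRADIUS. Header layout per
RFC 3748: code(1) identifier(1) length(2) [type(1) type-data...].
"""
import re
from dataclasses import dataclass
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 6: "GTC",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
# Flag bits in the first type-data byte of EAP-TLS / TTLS / PEAP.
TLS_FLAGS = {0x80: "L", 0x40: "M", 0x20: "S"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int] = None   # None for Success / Failure
    data: bytes = b""

    def describe(self) -> str:
        """One-line human reading of the packet."""
        head = f"{EAP_CODES[self.code]} id={self.identifier}"
        if self.eap_type is None:
            return head
        tname = EAP_TYPES.get(self.eap_type, f"type {self.eap_type}")
        if self.eap_type == 1:
            return f"{head} Identity={self.data.decode('utf-8', 'replace')!r}"
        if self.eap_type == 3:
            wanted = [EAP_TYPES.get(t, str(t)) for t in self.data]
            return f"{head} Nak, client proposes {wanted}"
        if self.eap_type in (13, 21, 25):
            first = self.data[0] if self.data else 0
            flags = "".join(n for bit, n in TLS_FLAGS.items() if first & bit)
            return f"{head} {tname} flags={flags or '-'} payload={max(len(self.data) - 1, 0)} bytes"
        if self.eap_type == 6:
            if self.code == 1:
                return f"{head} GTC prompt {self.data.decode('utf-8', 'replace')!r}"
            # The reply is whatever the user typed at the prompt: do not log it.
            return f"{head} GTC reply: {len(self.data)} bytes typed at the prompt"
        return f"{head} {tname} data={self.data.hex()}"


def parse_eap_message(hexvalue: str) -> EapPacket:
    """Parse one EAP-Message value ('0x...' as radiusd prints it)."""
    raw = bytes.fromhex(hexvalue[2:] if hexvalue.lower().startswith("0x") else hexvalue)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(raw):
        # A length field disagreeing with the bytes present is malformed;
        # radiusd discards such packets, and so does this parser.
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    if code in (3, 4):
        return EapPacket(code, ident, length)
    if length < 5:
        raise ValueError("Request/Response needs a type byte")
    return EapPacket(code, ident, length, raw[4], raw[5:])


EAP_MESSAGE_RE = re.compile(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)")


def decode_trace(lines: List[str]) -> List[str]:
    """Pull every EAP-Message out of radiusd debug lines, in order."""
    out = []
    for line in lines:
        m = EAP_MESSAGE_RE.search(line)
        if m:
            out.append(parse_eap_message(m.group(1)).describe())
    return out


# The six EAP-Message values from the trace above, in exchange order.
TRACE = [
    "(0)   EAP-Message = 0x023b000d017465737475736572",
    "(0)   EAP-Message = 0x013c00061520",
    "(1)   EAP-Message = 0x023c00060306",
    "(1)   EAP-Message = 0x013d000f0650617373776f72643a20",
    "(2)   EAP-Message = 0x023d000d065465737431323334",
    "(2)   EAP-Message = 0x043d0004",
]

if __name__ == "__main__":
    for desc in decode_trace(TRACE):
        print(desc)
```

Run against the trace it prints the TTLS start (flags=S), the NAK that selects GTC, the "Password: " prompt and the 8-byte reply that rlm_openotp then submits as a plain password, which is why a value without an OTP appended cannot pass in concatenated mode.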

Yoann Traut (RCDevs)

Jan 23, 2020, 10:15:01 AM
to RCDevs Security Solutions - Technical
Hello 

According to the policy loaded, the challenge mode is disabled.
OpenOTP.ChallengeMode=No

In that situation, OpenOTP expects the user password and OTP concatenated in the same field, like:
password123456
where "password" is the LDAP password and "123456" is the OTP.

AnyConnect supports Challenge mode authentication, so in your client policy you can change the setting to OpenOTP.ChallengeMode=Yes

With this setting, OpenOTP will provide a 3rd field to allow the end user to provide the OTP after a successful username/password validation.

Regards  
 

Alexandr Tselobenok

Jan 23, 2020, 11:11:27 AM
to RCDevs Security Solutions - Technical
Hello! Thanks for the quick response!

I already tried to change the option in Client Policy and in Global MFA settings with no success.
It looks like it is overridden by the radius request (Found 1 request settings: ChallengeMode=No) after it shows "rlm_openotp: Found EAP-GTC Wifi access request (disabing OpenOTP challenge mode)".

[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 46 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID

Why does radiusd treat the request as an "EAP-GTC Wifi access request"?

Yoann Traut (RCDevs)

Jan 23, 2020, 11:15:28 AM
to RCDevs Security Solutions - Technical
Ok. 

Could you check the /opt/radiusd/conf/radiusd.conf file.

Check the setting cert_support = yes 

If it's configured to yes, change it to no, restart the radiusd service and retry.

Regards 

Alexandr Tselobenok

Jan 23, 2020, 11:29:20 AM
to RCDevs Security Solutions - Technical
The setting was commented out. I uncommented it.
Now I have an explicit "cert_support = no" in the config.

Tried to connect; the result is the same.

Support

Jan 23, 2020, 2:37:46 PM
to RCDevs Security Solutions - Technical
Hi,

Challenge mode is disabled with EAP-GTC because many clients do not support RADIUS challenge with it. This seems like a legacy solution on our part, as it is better to disable the challenge in a client policy if required.

We will check and can probably remove the setting from Radius Bridge, so that you can use challenge with EAP-GTC where the clients support it.

Michael Clarke

Jun 3, 2021, 10:45:05 AM
to RCDevs Security Solutions - Technical
Any update on this one? I have a client also using GTC that is failing with the challenge not being sent. Thanks

Yoann Traut (RCDevs)

Jun 4, 2021, 4:11:36 AM
to RCDevs Security Solutions - Technical
Hello, 

The EAP-GTC challenge is not supported by Radius Bridge for introducing an OTP inside EAP-GTC.
This integration can work in concatenated mode (LDAP password + OTP password in the same password field) or through OpenOTP push login with the proper authentication strategy on the WebADM side (challenge mode disabled).
Implementing that feature, in order to prompt the user with a challenge to provide an OTP when they are trying to log in, is not in our roadmap and would require several months of development on our end.

Regards 
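Both RCDevs replies (the first one, about concatenating the LDAP password and the OTP in one field, and this last one) describe the concatenated mode that OpenOTP falls back to when challenge mode is off. As an added example, not RCDevs or OpenOTP code, the Python below models a verifier for LoginMode=LDAPOTP with ChallengeMode=No using the parameters from the webadm.log above (OTPLength=6, TOTPTimeStep=30, TOTPTimeOffsetWindow=120, taken here as seconds on each side of the current step, which is an assumption): it splits the field at OTPLength, checks the LDAP password, then validates the TOTP inside the offset window and refuses a code that was already accepted. The user record, password hash, TOTP seed and salt are constructed for the demo, and the rejection reasons are server-side log strings; the client would only ever receive the generic "Invalid username or password" seen in the trace.

```python
"""Concatenated-mode login check: LDAP password and TOTP in one field.

Added example, not RCDevs/OpenOTP code. Models the path logged above as
'Challenge mode disabled (assuming concatenated passwords)': the password
field must end in the OTP, the verifier splits it at OTPLength, checks the
LDAP password, then checks the TOTP inside the offset window and refuses a
reused code. The user record, seed and salt are constructed for the demo.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

OTP_LENGTH = 6                  # OTPLength=6 in the user settings
TOTP_TIME_STEP = 30             # TOTPTimeStep=30
TOTP_TIME_OFFSET_WINDOW = 120   # TOTPTimeOffsetWindow=120; assumed to be seconds per side

_SALT = b"constructed-demo-salt"   # constructed; a real store salts per user


def _pw_hash(password: str) -> bytes:
    """Stand-in for the LDAP bind: a PBKDF2 hash compared in constant time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed user store. last_counter is the replay guard, the role the
# LastOTP user data plays in the log: a given code is accepted only once.
USERS = {
    "testuser": {
        "pw_hash": _pw_hash("ldap-password"),
        "totp_seed": b"constructed-20-byte-seed",
        "last_counter": -1,
    }
}


def totp(seed: bytes, unix_time: int, step: int = TOTP_TIME_STEP,
         digits: int = OTP_LENGTH) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the step holding unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def split_concatenated(field: str, otp_length: int = OTP_LENGTH) -> Optional[Tuple[str, str]]:
    """Return (ldap_password, otp), or None when no numeric OTP is appended."""
    if len(field) <= otp_length or not field[-otp_length:].isdigit():
        return None
    return field[:-otp_length], field[-otp_length:]


def verify_totp(user: dict, otp: str, now: int) -> bool:
    """Accept if the OTP matches a step within the offset window and that
    step is newer than the last accepted one (no replay of a seen code)."""
    steps = TOTP_TIME_OFFSET_WINDOW // TOTP_TIME_STEP
    for delta in range(-steps, steps + 1):
        t = now + delta * TOTP_TIME_STEP
        counter = t // TOTP_TIME_STEP
        if counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(totp(user["totp_seed"], t), otp):
            user["last_counter"] = counter
            return True
    return False


def concatenated_login(username: str, field: str, now: int) -> Tuple[bool, str]:
    """LoginMode=LDAPOTP with ChallengeMode=No. Returns (accepted, reason);
    the reason is for the server log only, the client gets a generic reject."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    parts = split_concatenated(field)
    if parts is None:
        # The case in the thread: only the LDAP password was typed at the
        # GTC prompt, so there is no OTP to split off and the login fails.
        return False, "no OTP appended to the password"
    ldap_password, otp = parts
    if not hmac.compare_digest(_pw_hash(ldap_password), user["pw_hash"]):
        return False, "LDAP password mismatch"
    if not verify_totp(user, otp, now):
        return False, "OTP invalid, outside the window, or already used"
    return True, "LDAP & OTP ok"


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(USERS["testuser"]["totp_seed"], now)
    print(concatenated_login("testuser", "ldap-password", now))         # rejected, no OTP
    print(concatenated_login("testuser", "ldap-password" + code, now))  # accepted
    print(concatenated_login("testuser", "ldap-password" + code, now))  # rejected, replay
```

The split is by position, not by a separator, so a password that itself ends in six digits still works as long as the OTP is appended; what can never work is sending the bare LDAP password, which is what the GTC reply in the trace above contained.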