Integrating PaloAlto NGEN FW in FIPS MODE via LDPROXY and OpenOTP to enable MFA consisting of AD+Yubikey for GlobalProtect VPN and Management Interface


Nui Nalu Boy

Mar 7, 2019, 7:22:31 PM
to RCDevs Security Solutions - Technical
Hi,

       I am attempting to integrate my PaloAlto NGEN FW in FIPS MODE via LDPROXY and OpenOTP to enable MFA consisting of AD + FIPS Yubikey for GlobalProtect VPN Auth and the PaloAlto Management Interface Auth.

I attempted RADIUS BRIDGE integration, but unfortunately, the PAP authentication protocol is not supported in FIPS mode. The CHAP authentication protocol is supported by PaloAlto in FIPS mode, but I was made aware that the RADIUS BRIDGE + OpenOTP only supports PAP (Is this a true statement ?).

As a result, I am moving forward with integration via LDPROXY.

Questions:
  1. Do I need to enable MFA in LDAPOTP mode and assign a YUBIKEY to the AD bind user for LDPROXY + OpenOTP to function properly? Even though I have done so as outlined below to move forward in the integration steps, I am hoping this shouldn't be the case.
  2. Is this integration possible?
Any assistance would be greatly appreciated!

Aloha!

WebADM server activity events



[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] New openotpSimpleLogin SOAP request

[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] > Username: cn=pa admin,cn=users,dc=zepher,dc=local
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] > Password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] > Settings: ChallengeMode=No
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] > Options: -U2F,LDAPDN
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Registered openotpSimpleLogin request
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Resolved LDAP groups: domain admins,denied rodc password replication group
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Started transaction lock for user
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Found user fullname: PA Admin
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Found 43 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Found 1 request settings: ChallengeMode=No
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Found 5 user data: LoginCount,TokenType,TokenKey,TokenState,TokenID
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Found 1 registered OTP token (YUBIKEY)
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Challenge mode disabled (checking concatenated passwords)
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Requested login factors: LDAP & OTP
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] LDAP password Ok
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Challenge required but challenge mode disabled
[2019-03-07 16:02:10] [172.22.40.12] [OpenOTP:0AJ3UDSL] Sent failure response




LDPROXY OUTPUT IN DEBUG MODE



./ldproxy debug
Checking system architecture... Ok
Checking server configuration... Ok
Starting OpenOTP LDAP Bridge debug  mode...[2019-03-07 15:57:39] @(#) $OpenLDAP: slapd 2.4.47 (Feb  8 2019 15:11:31) $
        francois                                      /sources/openldap-2.4.47/servers/slapd
[2019-03-07 15:57:39] conf: server_url = https://172.22.40.12:8443/openotp/
[2019-03-07 15:57:39] conf: soap_timeout = 30
[2019-03-07 15:57:39] conf: user_settings = ChallengeMode=No
[2019-03-07 15:57:39] conf: server_policy = 1
[2019-03-07 15:57:39] conf: status_cache = 30
[2019-03-07 15:57:39] conf: client Default: name = Default
[2019-03-07 15:57:39] conf: ldap2 ldap backend: name = ldap backend
[2019-03-07 15:57:39] conf: ldap2 ldap backend: uri = ldaps://172.22.30.2:389
[2019-03-07 15:57:39] conf: ldap2 ldap backend: suffix =
[2019-03-07 15:57:39] conf: ldap2 ldap backend: bind_dn = CN=PA Admin,CN=Users,DC=zepher,DC=local
[2019-03-07 15:57:39] conf: ldap1 ldap backend: bind_pw = ******************************************************
[2019-03-07 15:57:39] openotp_init: Initializing libopenotp
[2019-03-07 15:57:39] slapd starting
[2019-03-07 15:58:31] conn=1000 fd=9 ACCEPT from IP=172.22.30.50:45374 (IP=0.0.0.0:10636)
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
[2019-03-07 15:58:31] conn=1000 fd=9 closed (TLS negotiation failure)
[2019-03-07 15:58:31] conn=1001 fd=9 ACCEPT from IP=172.22.30.1:58545 (IP=0.0.0.0:10636)
[2019-03-07 15:58:31] conn=1001 fd=9 TLS established tls_ssf=256 ssf=256
[2019-03-07 15:58:31] conn=1001 op=0 BIND dn="cn=PA Admin,cn=Users,dc=zepher,dc=local" method=128
[2019-03-07 15:58:31] conn=1001 openotp_bind: request from 172.22.30.1 as cn=pa admin,cn=users,dc=zepher,dc=local
[2019-03-07 15:58:31] conn=1001 openotp_bind: sending simple login request for 'cn=pa admin,cn=users,dc=zepher,dc=local'
[2019-03-07 15:58:32] conn=1001 openotp_bind: openotp said auth failure
TLS: can't connect: .
[2019-03-07 15:58:32] conn=1001 op=0 ldap_back_retry: retrying URI="ldaps://172.22.30.2:389" DN=""
TLS: can't connect: .
[2019-03-07 15:58:32] conn=1001 op=0 RESULT tag=97 err=49 text=Proxy operation retry failed
[2019-03-07 15:58:32] conn=1001 op=1 UNBIND
[2019-03-07 15:58:32] conn=1001 fd=9 closed
[2019-03-07 16:02:09] conn=1002 fd=9 ACCEPT from IP=172.22.30.50:45933 (IP=0.0.0.0:10636)
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
[2019-03-07 16:02:09] conn=1002 fd=9 closed (TLS negotiation failure)
[2019-03-07 16:02:09] conn=1003 fd=9 ACCEPT from IP=172.22.30.1:48210 (IP=0.0.0.0:10636)
[2019-03-07 16:02:09] conn=1003 fd=9 TLS established tls_ssf=256 ssf=256
[2019-03-07 16:02:09] conn=1003 op=0 BIND dn="cn=PA Admin,cn=Users,dc=zepher,dc=local" method=128
[2019-03-07 16:02:09] conn=1003 openotp_bind: request from 172.22.30.1 as cn=pa admin,cn=users,dc=zepher,dc=local
[2019-03-07 16:02:09] conn=1003 openotp_bind: sending simple login request for 'cn=pa admin,cn=users,dc=zepher,dc=local'
[2019-03-07 16:02:10] conn=1003 openotp_bind: openotp said auth failure
TLS: can't connect: .
[2019-03-07 16:02:10] conn=1003 op=0 ldap_back_retry: retrying URI="ldaps://172.22.30.2:389" DN=""
TLS: can't connect: .
[2019-03-07 16:02:10] conn=1003 op=0 RESULT tag=97 err=49 text=Proxy operation retry failed
[2019-03-07 16:02:10] conn=1003 op=1 UNBIND
[2019-03-07 16:02:10] conn=1003 fd=9 closed

Yoann Traut (RCDevs)

Mar 8, 2019, 4:17:37 AM
to RCDevs Security Solutions - Technical
Hello,


First, why do you want to use LDProxy for Palo Alto integration? PA manages the RADIUS protocol, which is more elegant than LDAP. RADIUS allows multi-step authentication (first step username/password LDAP and second step you are prompted to enter the OTP).
With the LDAP bridge, the challenge mode is not supported. So you have to pass username and LDAP password+OTP in concatenated mode.
I advise you to use RADIUS, even if it's possible to do it with LDProxy.

Your error here according to your logs is because the OTP is not provided with the LDAP password in concatenated mode. So WebADM checks the LDAP password but is not able to check the OTP, and it cannot send a challenge request because it's not managed over LDAP, so it's a failure.

Have a look here:

Regards


Support

Mar 8, 2019, 5:47:08 AM
to RCDevs Security Solutions - Technical
Hi,

This integration is possible and has been tested. You do not need to assign the token to the LDProxy bind user.

Can you test the authentication from webadm using the simple login form, providing the LDAP password and the YubiOTP on the same field?

Once that is successful, then you should move on to testing over LDAP.

Nui Nalu Boy

Mar 10, 2019, 4:52:17 PM
to RCDevs Security Solutions - Technical
Hi Yoann,

    I agree RADIUS is a more elegant implementation.

I think you may have overlooked my question asserted previously that I was hoping you could answer:

"I attempted RADIUS BRIDGE integration, but unfortunately, the PAP authentication protocol is not supported in FIPS mode. The CHAP authentication protocol is supported by PaloAlto in FIPS mode, but I was made aware that the RADIUS BRIDGE + OpenOTP only supports PAP (Is this a true statement ?)."

Nui Nalu Boy

Mar 10, 2019, 5:43:09 PM
to RCDevs Security Solutions - Technical
The authentication for the bind user is successful in the WebADM Test Authentication and also when initiating a logon from the PaloAlto Management Web Interface.

Although the bind user can handshake successfully, the end user (myself in this case, where I am a PaloAlto Admin with an assigned Yubikey) is not able to authenticate successfully via my LDAP+OTP credentials, per the logs below.

Any ideas would be most appreciated on what I should try next.

Thank you!


WebADM Logs

[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] New openotpSimpleLogin SOAP request
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] > Username: cn=pa admin,cn=users,dc=zepher,dc=local
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] > Password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] > Settings: ChallengeMode=No
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] > Options: -U2F,LDAPDN
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] Registered openotpSimpleLogin request
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] Resolved LDAP groups: domain admins,denied rodc password replication group
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] Started transaction lock for user
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] Found user fullname: PA Admin
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] Found 43 user settings: LoginMode=LDAP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] Found 1 request settings: ChallengeMode=No
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] Found 1 user data: LoginCount
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] Requested login factors: LDAP
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] LDAP password Ok
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] Updated user data
[2019-03-10 14:31:21] [172.22.40.12] [OpenOTP:6V6BD911] Sent success response


LDPROXY Logs

 tail -f ldproxy.log
[2019-03-10 14:30:40] conf: server_policy = 1
[2019-03-10 14:30:40] conf: status_cache = 30
[2019-03-10 14:30:40] conf: client Default: name = Default
[2019-03-10 14:30:40] conf: ldap2 ldap backend: name = ldap backend
[2019-03-10 14:30:40] conf: ldap2 ldap backend: uri = ldaps://172.22.30.2:389
[2019-03-10 14:30:40] conf: ldap2 ldap backend: suffix =
[2019-03-10 14:30:40] conf: ldap2 ldap backend: bind_dn = CN=PA Admin,CN=Users,DC=zepher,DC=local
[2019-03-10 14:30:40] conf: ldap1 ldap backend: bind_pw = ******************************************************
[2019-03-10 14:30:40] openotp_init: Initializing libopenotp
[2019-03-10 14:30:40] slapd starting
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
[2019-03-10 14:31:21] conn=1001 openotp_bind: request from 172.22.30.1 as cn=pa admin,cn=users,dc=zepher,dc=local
[2019-03-10 14:31:21] conn=1001 openotp_bind: sending simple login request for 'cn=pa admin,cn=users,dc=zepher,dc=local'
[2019-03-10 14:31:21] conn=1001 openotp_bind: openotp said auth success
[2019-03-10 14:31:21] conn=1001 openotp_bind: using bind user 'CN=PA Admin,CN=Users,DC=zepher,DC=local'
TLS: can't connect: .
[2019-03-10 14:31:21] conn=1001 op=0 ldap_back_retry: retrying URI="ldaps://172.22.30.2:389" DN=""
TLS: can't connect: .
[2019-03-10 14:31:21] conn=1001 op=1 ldap_back_retry: retrying URI="ldaps://172.22.30.2:389" DN="CN=PA Admin,CN=Users,DC=zepher,DC=local"
[2019-03-10 14:31:21] conn=1001 op=1 ldap_back_dobind_int: DN="CN=PA Admin,CN=Users,DC=zepher,DC=local" without creds, binding anonymouslyTLS: can't connect: .


PALO ALTO LOGS

2019-03-10 14:31:21.889 -0700 debug: pan_auth_request_process(pan_auth_state_engine.c:3331): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 171, body length 2128
2019-03-10 14:31:21.890 -0700 debug: _authenticate_initial(pan_auth_state_engine.c:2387): Trying to authenticate (init auth): <profile: "", vsys: "", policy: "", username "mayach"> ; timeout setting: 40 secs ; authd id: 6643282472299673322
2019-03-10 14:31:21.890 -0700 debug: _get_auth_prof_detail(pan_auth_util.c:1048): admin user thru WebUI "mayach"
2019-03-10 14:31:21.890 -0700 debug: _get_admin_authentication_profile_by_name(pan_auth_util.c:549): Got auth prof "GP_LDAP_Auth_OpenOTP" for admin user "mayach"
2019-03-10 14:31:21.890 -0700 debug: _get_auth_prof_detail(pan_auth_util.c:1069): admin user thru WebUI "mayach" auth request without vsys: try "shared" any way
2019-03-10 14:31:21.890 -0700 debug: _get_authseq_profile(pan_auth_util.c:855): Auth profile/vsys (GP_LDAP_Auth_OpenOTP/shared) is NOT auth sequence
2019-03-10 14:31:21.890 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP_LDAP_Auth_OpenOTP-shared-mfa
2019-03-10 14:31:21.890 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1019): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP_LDAP_Auth_OpenOTP/shared)
2019-03-10 14:31:21.890 -0700 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:185): This is a single vsys platform, group check for allow list is performed on "vsys1"
2019-03-10 14:31:21.890 -0700 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1812): Authenticating user "mayach" with <profile: "GP_LDAP_Auth_OpenOTP", vsys: "shared">
2019-03-10 14:31:21.891 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP_LDAP_Auth_OpenOTP-shared
2019-03-10 14:31:21.891 -0700 debug: _start_sync_auth(pan_auth_service_handle.c:461): recreate 0th LDAP session to remote server 172.22.40.12:10636 after retry-interval (60 sec) has elapsed
2019-03-10 14:31:21.891 -0700 debug: _recreate_a_ldap_session(pan_auth_service_handle.c:365): re-create ldap session (ip 172.22.40.12 ; source 172.22.30.1 ; vsys shared)
2019-03-10 14:31:21.891 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:821): useLDAPs: 0, startTLS: 0, b_ssl: 1
2019-03-10 14:31:21.891 -0700 ldap uri: ldap://172.22.40.12:10636
2019-03-10 14:31:21.891 -0700 ldap uri: ldap://172.22.40.12:10636
2019-03-10 14:31:21.891 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:836): open ldap TLS connection at 172.22.40.12:10636
2019-03-10 14:31:21.894 -0700 Error:  pan_authd_ldap_init_set(pan_authd_shared_ldap.c:905): startTLS: failed
2019-03-10 14:31:21.894 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:913): fallback to SSL
2019-03-10 14:31:21.894 -0700 ldap uri: ldaps://172.22.40.12:10636
2019-03-10 14:31:21.894 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:928): set source route into ldap option: 172.22.30.1
2019-03-10 14:31:21.894 -0700 Succeed to init LDAPp=0x10f16d80 for entry 0
2019-03-10 14:31:21.894 -0700 b_ssl: Yes
2019-03-10 14:31:21.894 -0700 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:606): binding with binddn CN=PA Admin,CN=Users,DC=zepher,DC=local
2019-03-10 14:31:22.209 -0700 binddn CN=PA Admin,CN=Users,DC=zepher,DC=local with LDAPp=0x10f16d80
2019-03-10 14:31:22.209 -0700 debug: auth_svr_set_prot_spec_data(pan_auth_svr.c:648): set VOIDp=0x10f16d80 for auth server context id=0
2019-03-10 14:31:22.209 -0700 debug: _recreate_a_ldap_session(pan_auth_service_handle.c:400): re-created 0th LDAP session for server: 172.22.40.12:10636
2019-03-10 14:31:22.209 -0700 debug: auth_svr_set_flag_retry_interval(pan_auth_svr.c:739): set retry-interval flag to "false" at Sun Mar 10 14:31:22 2019
2019-03-10 14:31:22.209 -0700 debug: _get_AD_maxPwdAge(pan_authd_shared_ldap.c:695): getting maxPwdAge attr from AD with LDAD pointer = 0x10f16d80...
2019-03-10 14:31:22.211 -0700 Error:  _parse_ldap_search_result(pan_authd_shared_ldap.c:462): search failed 52 (Server is unavailable) ()
2019-03-10 14:31:22.212 -0700 Error:  _get_AD_maxPwdAge(pan_authd_shared_ldap.c:726): failed to parse search result for maxPwdAge
2019-03-10 14:31:22.212 -0700 Error:  pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1005): failed to get AD maxPwdAge attr
2019-03-10 14:31:22.212 -0700 Error:  _start_sync_auth(pan_auth_service_handle.c:626): sync request for user "mayach" is failed or possibly timed out against 172.22.40.12:10636 with 0th VOIDp=0x10f16d80
2019-03-10 14:31:22.212 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4270): auth status: auth failed
2019-03-10 14:31:22.212 -0700 debug: pan_auth_incr_failed_attempt(pan_authd_db.c:171): increase failed attempt for user: mayach
2019-03-10 14:31:22.237 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4449): Authentication failed: <profile: "GP_LDAP_Auth_OpenOTP", vsys: "shared", username "mayach">
2019-03-10 14:31:22.237 -0700 failed authentication for user 'mayach'.  Reason: Invalid username/password. auth profile 'GP_LDAP_Auth_OpenOTP', vsys 'shared', server profile 'OpenOTP', server address '172.22.40.12', From: 172.22.50.100.
2019-03-10 14:31:22.237 -0700 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_FAILURE auth response for user 'mayach' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6643282472299673322)

francois...@rcdevs.com

Mar 11, 2019, 3:56:53 AM
to RCDevs Security Solutions - Technical
Hi,

Your configuration in Ldproxy is not correct; you have to replace ldaps://172.22.30.2:389 with ldap://172.22.30.2:389 or ldaps://172.22.30.2:636.

Nui Nalu Boy

Mar 11, 2019, 11:11:24 AM
to RCDevs Security Solutions - Technical
Hi Francois,

    Nice catch. I adjusted the port to 636.

Still, though, I am not able to successfully authenticate, per the PaloAlto and LDPROXY logs below:

LDPROXY

 tail -f ldproxy.log
[2019-03-11 07:55:14] conf: server_policy = 1
[2019-03-11 07:55:14] conf: status_cache = 30
[2019-03-11 07:55:14] conf: client Default: name = Default
[2019-03-11 07:55:14] conf: ldap2 ldap backend: name = ldap backend
[2019-03-11 07:55:14] conf: ldap2 ldap backend: uri = ldaps://172.22.30.2:636
[2019-03-11 07:55:14] conf: ldap2 ldap backend: suffix =
[2019-03-11 07:55:14] conf: ldap2 ldap backend: bind_dn = CN=PA Admin,CN=Users,DC=zepher,DC=local
[2019-03-11 07:55:14] conf: ldap1 ldap backend: bind_pw = ******************************************************
[2019-03-11 07:55:14] openotp_init: Initializing libopenotp
[2019-03-11 07:55:14] slapd starting
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
[2019-03-11 08:00:00] conn=1001 openotp_bind: request from 172.22.30.1 as cn=pa admin,cn=users,dc=zepher,dc=local
[2019-03-11 08:00:00] conn=1001 openotp_bind: sending simple login request for 'cn=pa admin,cn=users,dc=zepher,dc=local'
[2019-03-11 08:00:00] conn=1001 openotp_bind: openotp said auth success
[2019-03-11 08:00:00] conn=1001 openotp_bind: using bind user 'CN=PA Admin,CN=Users,DC=zepher,DC=local'
TLS: can't connect: .
[2019-03-11 08:00:00] conn=1001 op=0 ldap_back_retry: retrying URI="ldaps://172.22.30.2:636" DN=""
TLS: can't connect: .
[2019-03-11 08:00:00] conn=1001 op=1 ldap_back_retry: retrying URI="ldaps://172.22.30.2:636" DN="CN=PA Admin,CN=Users,DC=zepher,DC=local"
[2019-03-11 08:00:00] conn=1001 op=1 ldap_back_dobind_int: DN="CN=PA Admin,CN=Users,DC=zepher,DC=local" without creds, binding anonymouslyTLS: can't connect: .


PALO ALTO LOGS



2019-03-11 08:00:00.389 -0700 debug: pan_auth_request_process(pan_auth_state_engine.c:3331): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 173, body length 2128
2019-03-11 08:00:00.389 -0700 debug: _authenticate_initial(pan_auth_state_engine.c:2387): Trying to authenticate (init auth): <profile: "", vsys: "", policy: "", username "mayach"> ; timeout setting: 40 secs ; authd id: 6643282472299673362
2019-03-11 08:00:00.389 -0700 debug: _get_auth_prof_detail(pan_auth_util.c:1048): admin user thru WebUI "mayach"
2019-03-11 08:00:00.389 -0700 debug: _get_admin_authentication_profile_by_name(pan_auth_util.c:549): Got auth prof "GP_LDAP_Auth_OpenOTP" for admin user "mayach"
2019-03-11 08:00:00.389 -0700 debug: _get_auth_prof_detail(pan_auth_util.c:1069): admin user thru WebUI "mayach" auth request without vsys: try "shared" any way
2019-03-11 08:00:00.389 -0700 debug: _get_authseq_profile(pan_auth_util.c:855): Auth profile/vsys (GP_LDAP_Auth_OpenOTP/shared) is NOT auth sequence
2019-03-11 08:00:00.390 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP_LDAP_Auth_OpenOTP-shared-mfa
2019-03-11 08:00:00.390 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1019): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP_LDAP_Auth_OpenOTP/shared)
2019-03-11 08:00:00.390 -0700 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:185): This is a single vsys platform, group check for allow list is performed on "vsys1"
2019-03-11 08:00:00.390 -0700 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1812): Authenticating user "mayach" with <profile: "GP_LDAP_Auth_OpenOTP", vsys: "shared">
2019-03-11 08:00:00.390 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP_LDAP_Auth_OpenOTP-shared
2019-03-11 08:00:00.390 -0700 debug: _get_AD_maxPwdAge(pan_authd_shared_ldap.c:695): getting maxPwdAge attr from AD with LDAD pointer = 0x10f16d80...
2019-03-11 08:00:00.391 -0700 Error:  _get_ldap_result(pan_authd_shared_ldap.c:561): ldap op failed Can't contact LDAP server
2019-03-11 08:00:00.391 -0700 Error:  _get_AD_maxPwdAge(pan_authd_shared_ldap.c:713): failed to get ldap result
2019-03-11 08:00:00.391 -0700 Error:  pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1005): failed to get AD maxPwdAge attr
2019-03-11 08:00:00.391 -0700 Error:  _start_sync_auth(pan_auth_service_handle.c:570): LDAP auth: "Can't contact LDAP server" against 172.22.40.12:10636 with 0th VOIDp=0x10f16d80
2019-03-11 08:00:00.391 -0700 debug: _start_sync_auth(pan_auth_service_handle.c:592): retry connection to make sure it is NOT down
2019-03-11 08:00:00.391 -0700 debug: _recreate_a_ldap_session(pan_auth_service_handle.c:365): re-create ldap session (ip 172.22.40.12 ; source 172.22.30.1 ; vsys shared)
2019-03-11 08:00:00.392 -0700 debug: auth_svr_set_prot_spec_data(pan_auth_svr.c:648): set VOIDp=(nil) for auth server context id=0
2019-03-11 08:00:00.392 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:821): useLDAPs: 0, startTLS: 0, b_ssl: 1
2019-03-11 08:00:00.392 -0700 ldap uri: ldap://172.22.40.12:10636
2019-03-11 08:00:00.392 -0700 ldap uri: ldap://172.22.40.12:10636
2019-03-11 08:00:00.392 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:836): open ldap TLS connection at 172.22.40.12:10636
2019-03-11 08:00:00.394 -0700 Error:  pan_authd_ldap_init_set(pan_authd_shared_ldap.c:905): startTLS: failed
2019-03-11 08:00:00.394 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:913): fallback to SSL
2019-03-11 08:00:00.395 -0700 ldap uri: ldaps://172.22.40.12:10636
2019-03-11 08:00:00.395 -0700 debug: pan_authd_ldap_init_set(pan_authd_shared_ldap.c:928): set source route into ldap option: 172.22.30.1
2019-03-11 08:00:00.395 -0700 Succeed to init LDAPp=0x10f16d80 for entry 0
2019-03-11 08:00:00.395 -0700 b_ssl: Yes
2019-03-11 08:00:00.395 -0700 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:606): binding with binddn CN=PA Admin,CN=Users,DC=zepher,DC=local
2019-03-11 08:00:00.554 -0700 binddn CN=PA Admin,CN=Users,DC=zepher,DC=local with LDAPp=0x10f16d80
2019-03-11 08:00:00.554 -0700 debug: auth_svr_set_prot_spec_data(pan_auth_svr.c:648): set VOIDp=0x10f16d80 for auth server context id=0
2019-03-11 08:00:00.554 -0700 debug: _recreate_a_ldap_session(pan_auth_service_handle.c:400): re-created 0th LDAP session for server: 172.22.40.12:10636
2019-03-11 08:00:00.554 -0700 debug: auth_svr_set_flag_retry_interval(pan_auth_svr.c:739): set retry-interval flag to "false" at Mon Mar 11 08:00:00 2019
2019-03-11 08:00:00.554 -0700 debug: _start_sync_auth(pan_auth_service_handle.c:616): reconnect to LDAP server 172.22.40.12:10636 with 0th VOIDp=0x10f16d80
2019-03-11 08:00:00.554 -0700 debug: _get_AD_maxPwdAge(pan_authd_shared_ldap.c:695): getting maxPwdAge attr from AD with LDAD pointer = 0x10f16d80...
2019-03-11 08:00:00.556 -0700 Error:  _parse_ldap_search_result(pan_authd_shared_ldap.c:462): search failed 52 (Server is unavailable) ()
2019-03-11 08:00:00.556 -0700 Error:  _get_AD_maxPwdAge(pan_authd_shared_ldap.c:726): failed to parse search result for maxPwdAge
2019-03-11 08:00:00.556 -0700 Error:  pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1005): failed to get AD maxPwdAge attr
2019-03-11 08:00:00.557 -0700 Error:  _start_sync_auth(pan_auth_service_handle.c:626): sync request for user "mayach" is failed or possibly timed out against 172.22.40.12:10636 with 0th VOIDp=0x10f16d80
2019-03-11 08:00:00.557 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4270): auth status: auth failed
2019-03-11 08:00:00.557 -0700 debug: pan_auth_incr_failed_attempt(pan_authd_db.c:171): increase failed attempt for user: mayach
2019-03-11 08:00:00.577 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4449): Authentication failed: <profile: "GP_LDAP_Auth_OpenOTP", vsys: "shared", username "mayach">
2019-03-11 08:00:00.578 -0700 failed authentication for user 'mayach'.  Reason: Invalid username/password. auth profile 'GP_LDAP_Auth_OpenOTP', vsys 'shared', server profile 'OpenOTP', server address '172.22.40.12', From: 172.22.50.100.
2019-03-11 08:00:00.578 -0700 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_FAILURE auth response for user 'mayach' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6643282472299673362)

Nui Nalu Boy

Mar 11, 2019, 1:07:06 PM
to RCDevs Security Solutions - Technical
Hi Yoann,

    For shits and giggles, I just wanted to let you know that I tried the RADIUS BRIDGE leveraging the PAP Auth Protocol for the Palo Alto and GlobalProtect integration in FIPS mode.

And guess what? 

IT WORKS PERFECTLY! :-)

I guess Palo Alto needs to update their documentation and retrain their support staff on RADIUS and Palo Alto integration in FIPS mode.

Have a wonderful evening!

Thank you!

Support

Mar 12, 2019, 10:08:35 AM
to RCDevs Security Solutions - Technical
Hi,
Great that you got it to work with RADIUS.

I think the problem with LDAP is that your LDAP server is not really talking SSL:
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.


You can verify it with this command:

openssl s_client -connect <LDAP_SERVER_IP>:636


You should get the server certificate and other information, and it should successfully establish an SSL session.
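Added example, not part of the thread and not RCDevs or Palo Alto code: a small Python checker that applies the three diagnoses given above to ldproxy and WebADM log lines, namely the LDAP bridge needing LDAP password+OTP concatenated because it cannot challenge, an ldaps:// backend URI pointed at port 389 instead of 636, and the TLS "unknown protocol" / "can't connect" lines that call for an openssl s_client check. The sample lines are constructed from the thread's output, and the finding codes and function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the ldproxy debug and WebADM lines quoted in the thread.
SAMPLE_LOG = """\
[2019-03-07 15:57:39] conf: ldap2 ldap backend: uri = ldaps://172.22.30.2:389
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Requested login factors: LDAP & OTP
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] LDAP password Ok
[2019-03-07 16:02:09] [172.22.40.12] [OpenOTP:0AJ3UDSL] Challenge required but challenge mode disabled
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
TLS: can't connect: .
"""

# Well-known LDAP ports: 389 is plaintext (optionally upgraded with StartTLS),
# 636 is TLS from the first byte (ldaps://).
PLAIN_PORT, TLS_PORT = 389, 636
URI_RE = re.compile(r"conf: .*?uri = (\S+)")


def check_backend_uri(uri):
    """Return a finding string if the URI scheme and port disagree, else None."""
    parts = urlsplit(uri)
    port = parts.port
    if port is None:  # no explicit port: assume the scheme's default
        port = TLS_PORT if parts.scheme == "ldaps" else PLAIN_PORT
    if parts.scheme == "ldaps" and port == PLAIN_PORT:
        return (f"backend {uri}: ldaps:// on port {PLAIN_PORT} sends a TLS ClientHello to a "
                f"plaintext listener; use ldap://{parts.hostname}:{PLAIN_PORT} or "
                f"ldaps://{parts.hostname}:{TLS_PORT}")
    if parts.scheme == "ldap" and port == TLS_PORT:
        return (f"backend {uri}: ldap:// on port {TLS_PORT} sends plaintext LDAP to a TLS "
                f"listener; use ldaps://{parts.hostname}:{TLS_PORT}")
    return None


def diagnose(log_text):
    """Map log lines to the root causes discussed in the thread.

    Returns a dict of finding code -> human-readable explanation.
    """
    findings = {}
    factors_ldap_otp = challenge_refused = False
    for line in log_text.splitlines():
        m = URI_RE.search(line)
        if m:
            msg = check_backend_uri(m.group(1))
            if msg:
                findings["BACKEND_URI_PORT_MISMATCH"] = msg
        if "Requested login factors: LDAP & OTP" in line:
            factors_ldap_otp = True
        if "Challenge required but challenge mode disabled" in line:
            challenge_refused = True
        if "SSL23_GET_CLIENT_HELLO:unknown protocol" in line:
            findings["LISTENER_GOT_NON_TLS_CLIENT"] = (
                "a client sent non-TLS bytes to the proxy's TLS listener (for example a "
                "StartTLS attempt on a TLS-only port); the client must use ldaps:// to it")
        if line.startswith("TLS: can't connect"):
            findings["BACKEND_TLS_FAILED"] = (
                "the proxy could not negotiate TLS with its LDAP backend; confirm the backend "
                "port really speaks TLS, e.g. openssl s_client -connect <LDAP_SERVER_IP>:636")
    # LDAPOTP over the LDAP bridge: no challenge round-trip is possible, so a bind whose
    # password carries only the LDAP password fails exactly like this.
    if factors_ldap_otp and challenge_refused:
        findings["OTP_NOT_CONCATENATED"] = (
            "LDAPOTP login over the LDAP bridge cannot issue a challenge; the bind password "
            "must be the LDAP password immediately followed by the OTP in one field")
    return findings


if __name__ == "__main__":
    for code, why in diagnose(SAMPLE_LOG).items():
        print(f"{code}: {why}")
```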