Radius Bridge: radtest = OK, Login with SuperMicro IPMI ->Wrong LDAP / Yubikey / TOTP (LDAP+Yubikey)


Denny Fuchs

Sep 9, 2018, 2:04:51 PM
to RCDevs Security Solutions - Technical
Hello,

We are trying to get Radius (1.3.5-1) working as the login for SuperMicro IPMI. I got radtest working with LDAP and Yubikey (challenge response disabled in the defaults, because I can't get the policy working, as there is no client ID).
If I log in with my username and the combination of LDAP and Yubikey:

[2018-09-09 19:45:44] [127.0.0.1] [DEBUG:17640:ldap_frm.php:debug_log] LDAP read: (objectclass=*) (cn=Denny Fuchs,ou=People,dc=example,dc=com)
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Found 42 user settings: LoginMode=LDAPMFA,OTPType=TOKEN,OTPLength=8,ChallengeMode=No,ChallengeTimeout=90,ChallengeFake=Yes,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=U2F,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Found 11 user data: LoginCount,RejectCount,LastOTP,TokenType,TokenKey,TokenState,TokenID,TokenSerial,Token2Type,Token2Key,Token2State
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Last OTP expired 2018-09-09 19:41:19
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Found 2 registered OTP tokens (YUBIKEY,TOTP)
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Challenge mode disabled (checking concatenated passwords)
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Requested login factors: LDAP & OTP
[2018-09-09 19:45:44] [127.0.0.1] [DEBUG:17640:watchd_frm.php:debug_log] Watchd LDAP server: qh-a07-auth-01
[2018-09-09 19:45:44] [127.0.0.1] [DEBUG:17640:watchd_frm.php:debug_log] Watchd LDAP server: qh-a07-auth-01
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Wrong LDAP password
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Wrong YUBIKEY password (token #1)
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Wrong TOTP password (token #2)
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Updated user data
[2018-09-09 19:45:44] [127.0.0.1] [DEBUG:17640:sql_frm.php:debug_log] SQL query: INSERT INTO "WebSrv" ("Time","Session","Text","Application","DN","Host") VALUES (?,?,?,?,?,?)
[2018-09-09 19:45:44] [127.0.0.1] [DEBUG:17640:sql_frm.php:debug_log] > Param #1: 2018-09-09 19:45:44
[2018-09-09 19:45:44] [127.0.0.1] [DEBUG:17640:sql_frm.php:debug_log] > Param #2: replaced
[2018-09-09 19:45:44] [127.0.0.1] [DEBUG:17640:sql_frm.php:debug_log] > Param #3: Authentication failed (LDAP & TOKEN)
[2018-09-09 19:45:44] [127.0.0.1] [DEBUG:17640:sql_frm.php:debug_log] > Param #4: OpenOTP
[2018-09-09 19:45:44] [127.0.0.1] [DEBUG:17640:sql_frm.php:debug_log] > Param #5: cn=Denny Fuchs,ou=People,dc=example,dc=com
[2018-09-09 19:45:44] [127.0.0.1] [DEBUG:17640:sql_frm.php:debug_log] > Param #6: 127.0.0.1
[2018-09-09 19:45:45] [127.0.0.1] [OpenOTP:94UZWDK3] Sent failure response
[2018-09-09 19:45:45] [127.0.0.1] [DEBUG:17640] Process execution time: 0.12 seconds
If I try only the LDAP password, I get an OK, but OTP (yubikey) is missing.

In the Supermicro manual I find this for users.conf in FreeRADIUS:

Then you will be able to grant privileges to a user account. There are four
types of user accounts. The list below displays the four types of accounts and
the vendor-specific attributes.

radius_admin:
    Password: "123456"
    Vendor-Specific Attributes: "H=4, I=4"
radius_operator:
    Password: "654321"
    Vendor-Specific Attributes: "H=3, I=3"
radius_user:
    Password: "654321"
    Vendor-Specific Attributes: "H=2, I=2"
radius_callback:
    Password: "654321"
    Vendor-Specific Attributes: "H=1, I=1"


I have no idea where I can search for more answers ...

Any suggestions?

Yoann Traut (RCDevs)

Sep 10, 2018, 5:38:56 AM
to RCDevs Security Solutions - Technical
Hello, 


 "I get radtest working with LDAP and Yubikey (Disable challenge Response in the defaults, because I can't the Policy working, as there is no client ID)." 
A client ID passed in the request is not mandatory to match a client policy; you can use the client IP too.

In your logs:

[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Challenge mode disabled (checking concatenated passwords)
[...]
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Wrong LDAP password
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Wrong YUBIKEY password (token #1)
[2018-09-09 19:45:44] [127.0.0.1] [OpenOTP:94UZWDK3] Wrong TOTP password (token #2)

When you disable the challenge mode, you have to enter the LDAP password and the Yubikey password in the same password field (concatenated mode).
According to your logs, the LDAP password is wrong and the Yubikey password too.

Regards 


Denny Fuchs

Sep 10, 2018, 9:11:30 AM
to RCDevs Security Solutions - Technical
Hello,

Glad that you answered :-)


On Monday, September 10, 2018 at 11:38:56 UTC+2, Yoann Traut (RCDevs) wrote:

When you disable the challenge mode, you have to enter the LDAP password and the Yubikey password in the same password field (concatenated mode).
According to your logs, the LDAP password is wrong and the Yubikey password too.

Exactly that is what I have. I tried:

Only LDAP password -> correct LDAP password is identified in the log
Only Yubikey -> Yubikey / OTP is not recognized as TOKEN, just wrong LDAP password
LDAPYUBIKEY -> LDAP password is wrong, Yubikey is wrong / TOTP is wrong

If I test with radtest, then LDAPYUBIKEY works as expected. I would assume that I can see a good LDAP password in the logs, but it seems that the LDAP password (the first password part) isn't recognized anymore either.
 

Yoann Traut (RCDevs)

Sep 10, 2018, 10:57:04 AM
to RCDevs Security Solutions - Technical
From which client doesn't it work as expected?

Regards 

Denny Fuchs

Sep 10, 2018, 12:50:20 PM
to RCDevs Security Solutions - Technical


On Monday, September 10, 2018 at 16:57:04 UTC+2, Yoann Traut (RCDevs) wrote:
From which client doesn't it work as expected?


localhost, where WebADM and radiusd are installed. I tested with "radtest".

Yoann Traut (RCDevs)

Sep 11, 2018, 5:00:45 AM
to RCDevs Security Solutions - Technical
Can we plan a quick remote session to check together what happens exactly?

Regards 

Denny Fuchs

Sep 12, 2018, 12:14:08 PM
to RCDevs Security Solutions - Technical
Hi,

Big thanks for the awesome support :-) We finally got it working:
  • In WebADM I had to change the client alias name to 127.0.0.1, where the Radius daemon is running
  • I had to create a file /opt/radiusd/lib/dictionaries/dictionary.supermicro with the following content:
# -*- text -*-
# Copyright (C) 2015 The FreeRADIUS Server project and contributors
#
# dictionary.lcs
#
#                             originally by
#                             "Eugen K. " <>
#

VENDOR      SUPERMICRO      21317

BEGIN-VENDOR   Supermicro

# Attributes
# Callback       H=1, I=1   Attr-26 = 0x483D312C20493D31
# User           H=2, I=2   Attr-26 = 0x483D322C20493D32
# Operator       H=3, I=3   Attr-26 = 0x483D332C20493D33
# Administrator  H=4, I=4   Attr-26 = 0x483D342C20493D34

ATTRIBUTE   IPMI-26   27   string
ATTRIBUTE   IPMI      8    string

END-VENDOR   Supermicro

I added IPMI-26 in case we get a problem later and the hex is needed ...
  • I had to enable the group to send the Radius values, like documented here.
  • I had to add: Client: [ ALL ] Attribute: IPMI="H=4,I=4"
One point was that OTP does not work with Yubikey. I think it's a bug in the Supermicro IPMI (too long a string?), but it does work if I override the OTP with LDAP only in the client policies.

The only question is: I want to restrict a bit more with the policies, but I'm unsure where to do it. In radiusd/conf/client.conf I have:

client sw-mgmt {
  ipaddr = *
  shortname = sw
  secret = averylongstring
}

I have also installed an Nginx as a load balancer for both WebADM instances (with the Radiusd package installed), so an authentication looks like:

(4) Wed Sep 12 17:44:01 2018: Auth: Login OK: [foobar] (from client mgmt port 1)


Mon Sep 10 11:49:04 2018
        Acct-Status-Type = Accounting-On
        NAS-Identifier = "lan-02"
        Acct-Delay-Time = 0
        NAS-IP-Address = 192.168.1.9
        Timestamp = 1536572944

So, what is the best place to say: for lan-02 or 192.168.1.0/24 use only LDAP, and for different kinds of stuff use LDAP and OTP ...?

cu denny
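As an added example (not code from the thread, RCDevs or Supermicro), here is how the IPMI vendor-specific attribute from the dictionary above is laid out on the wire, using the vendor number 21317 and sub-attribute 8 from the posted dictionary.supermicro; the value bytes it produces match the Attr-26 hex in that file's comments, and the decoder rejects malformed or truncated attributes.

```python
import struct
from typing import Optional

VSA_TYPE = 26            # RADIUS Vendor-Specific attribute (RFC 2865)
VENDOR_ID = 21317        # VENDOR SUPERMICRO 21317, from the posted dictionary.supermicro
VENDOR_TYPE_IPMI = 8     # ATTRIBUTE IPMI 8 string, from the same dictionary
PRIVILEGES = {1: "callback", 2: "user", 3: "operator", 4: "administrator"}


def encode_ipmi_vsa(level: int) -> bytes:
    """Build the Vendor-Specific attribute carrying IPMI = "H=<n>, I=<n>".

    Layout: type(1) length(1) vendor-id(4) | vendor-type(1) vendor-length(1) value.
    Both length fields count their own header bytes."""
    if level not in PRIVILEGES:
        raise ValueError("IPMI privilege level must be 1..4")
    value = f"H={level}, I={level}".encode("ascii")   # same format as the Supermicro manual
    sub = struct.pack("!BB", VENDOR_TYPE_IPMI, 2 + len(value)) + value
    return struct.pack("!BBI", VSA_TYPE, 2 + 4 + len(sub), VENDOR_ID) + sub


def decode_ipmi_vsa(attr: bytes) -> Optional[int]:
    """Return the privilege level from a Supermicro IPMI VSA, or None if the bytes are not
    a well-formed attribute of that kind (wrong type, vendor, lengths, or H != I)."""
    if len(attr) < 8 or attr[0] != VSA_TYPE or attr[1] != len(attr):
        return None
    if struct.unpack("!I", attr[2:6])[0] != VENDOR_ID:
        return None
    vtype, vlen = attr[6], attr[7]
    if vtype != VENDOR_TYPE_IPMI or vlen != len(attr) - 6:
        return None
    try:
        text = attr[8:].decode("ascii")
        fields = dict(part.strip().split("=", 1) for part in text.split(","))
        h, i = int(fields["H"]), int(fields["I"])
    except (UnicodeDecodeError, ValueError, KeyError):
        return None
    return h if h == i and h in PRIVILEGES else None


def value_hex(level: int) -> str:
    """Hex of the value bytes only, for comparison with the Attr-26 comments in the dictionary."""
    return encode_ipmi_vsa(level)[8:].hex().upper()


if __name__ == "__main__":
    for lvl, name in PRIVILEGES.items():
        print(f"{name:<14} Attr-26 = 0x{value_hex(lvl)}  full={encode_ipmi_vsa(lvl).hex()}")
```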

Yoann Traut (RCDevs)

Sep 13, 2018, 5:08:36 AM
to RCDevs Security Solutions - Technical
Hello Denny, 

"So, what is the best place to say: for lan-02 or 192.168.1.0/24 use only LDAP and for different kind of stuff, use LDAP and OTP ... ?"

I see that you configured a NAS-Identifier, so in your authentication request you should be able to see this NAS-ID in the WebADM request. Have a look in the /opt/webadm/logs/webadm.log file to see if the NAS-ID is passed correctly.
If yes, you can create a client policy with this NAS-ID.

When you are in the client policy configuration, find the section named "Forced application policies". Click edit and you can configure the OpenOTP application for this specific client. So, you will configure LDAPOTP as the login mode. Still in the same client policy configuration, you will find a setting named "Per-Network Extra Policies".
Put your network address in the "internal networks" setting, in your case 192.168.1.0/24,
and edit the "Application settings" setting. You are able to configure OpenOTP settings for this network. Choose the login mode LDAP. LDAP only will be asked when the request comes from the 192.168.1.0/24 network.

Regards 

Yoann Traut (RCDevs)

Sep 13, 2018, 5:10:15 AM
to RCDevs Security Solutions - Technical
For the Yubikey issue, could you send us logs about an authentication failure with the Yubikey?
Logs in /opt/webadm/logs/webadm.log

Regards 

Denny Fuchs

Sep 14, 2018, 10:15:04 AM
to RCDevs Security Solutions - Technical
Hello,
It seems not related to Yubikey; it's also a normal OTP with 8 chars. We think LDAP password and OTP/Yubi is too long. The password is for example 22 chars long, and maybe the IPMI cuts the password to 18 or 20 chars; then Radius couldn't authenticate. I have a case open with Supermicro asking how long the password can be.

Yoann Traut (RCDevs)

Sep 14, 2018, 10:21:21 AM
to RCDevs Security Solutions - Technical
Hello, 

To be sure, you can perform a radtest authentication on your webadm server. 

[root@webadm1 ~]# /opt/radiusd/bin/radtest 

Usage: radtest user [server[:port]] [secret]


[root@webadm1 ~]# /opt/radiusd/bin/radtest Administrator 127.0.0.1:1812 testing123 


If the authentication is a success with radtest, then the issue probably comes from your IPMI.

Regards 

Denny Fuchs

Sep 14, 2018, 11:47:10 AM
to RCDevs Security Solutions - Technical


On Friday, September 14, 2018 at 16:21:21 UTC+2, Yoann Traut (RCDevs) wrote:
Hello, 

To be sure, you can perform a radtest authentication on your webadm server. 


Exactly this works :-) So I'm pretty sure that SuperMicro breaks the password.

Yoann Traut (RCDevs)

Sep 14, 2018, 11:57:27 AM
to RCDevs Security Solutions - Technical
It can be the reason. We encountered the same issue with a Dell thin client and Radius authentication. The OTP field in the thin client was limited to 30 characters and the Yubikey OTP requires 44 characters.
So it was a failure ...

Regards 
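As an added example (not the thread's, RCDevs' or Supermicro's code), here is a simplified model of the concatenated-password check and of a NAS that truncates the password field; it shows why a field cut short makes even the LDAP part fail, as in the "Wrong LDAP password" log lines earlier in the thread, and why radtest from localhost still passes. The OTP lengths (Yubikey 44, TOTP 8) and the 20-character cap come from the thread; the credentials and the way the check splits the field are constructed assumptions, not OpenOTP's actual logic.

```python
from typing import Callable, Dict

# OTP lengths of the two token types registered in the thread: a Yubikey OTP is 44
# modhex characters and the TOTP token is set to OTPLength=8 (user settings in the log).
OTP_LENGTHS = {"YUBIKEY": 44, "TOTP": 8}

# Constructed sample credentials (not real ones): a 14-character LDAP password, an 8-digit TOTP.
LDAP_PASSWORD = "Correct-Horse1"
TOTP_CODE = "12345678"


def sample_otp_valid(token: str, otp: str) -> bool:
    """Stand-in for the real OTP verification: only the constructed TOTP value is accepted."""
    return token == "TOTP" and otp == TOTP_CODE


def nas_truncate(field: str, limit: int) -> str:
    """Model a NAS (the IPMI web login in the thread) that silently cuts the password field."""
    return field[:limit]


def check_concatenated(field: str, ldap_password: str,
                       otp_valid: Callable[[str, str], bool] = sample_otp_valid) -> Dict[str, str]:
    """Simplified model (an assumption, not OpenOTP's code) of challenge-less 'concatenated'
    checking: for every registered token, peel that token's OTP length off the end of the
    field, then verify the prefix as the LDAP password and the suffix as the OTP."""
    if field == ldap_password:
        return {"LDAP": "OK", "OTP": "missing"}   # the "LDAP OK but OTP missing" case from the thread
    results: Dict[str, str] = {}
    for token, n in OTP_LENGTHS.items():
        if len(field) <= n:
            results[token] = "field too short for this OTP, no password part left"
            continue
        prefix, suffix = field[:-n], field[-n:]
        if prefix != ldap_password:
            results[token] = "wrong LDAP password"      # prefix no longer lines up with the split
        elif not otp_valid(token, suffix):
            results[token] = "wrong OTP"
        else:
            results[token] = "OK"
    return results


def diagnose(limit: int) -> Dict[str, str]:
    """What the server sees when the NAS caps the concatenated field at `limit` characters."""
    return check_concatenated(nas_truncate(LDAP_PASSWORD + TOTP_CODE, limit), LDAP_PASSWORD)


if __name__ == "__main__":
    print("radtest, no cap:  ", diagnose(1000))
    print("NAS capped at 20: ", diagnose(20))
```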