Cisco ASA VPN + LDAP + OpenOTP Authentication Issue


Paul Hirschorn

Nov 25, 2013, 3:43:57 PM
to rcdevs-t...@googlegroups.com
Hey guys,

I just finished setting up my OpenOTP + Radiusd setup in my test environment and I can't seem to get past an authentication issue.

WebADM is set up by way of a virtual appliance.
WebADM/OpenOTP is successfully connected to my test Active Directory environment. It enumerates the users/groups without an issue, and adding the OpenOTP attributes to users/groups works fine.
The Cisco ASA is successfully authenticating with the radiusd daemon.

If I test the authentication from the Cisco -> the OpenOTP/Radiusd servers at the Cisco CLI, it works:
"test aaa-server authentication OPENOTP host x.x.x.x username testuser password password+openotpkey" - I get a successful authentication message.

Snippet from the test on the Cisco ASA:

INFO: Attempting Authentication test to IP address <x.x.x.x> (timeout: 12 seconds)
INFO: Authentication Successful


If I try my VPN I get an error with the following logs/entries:


==> radiusd.log <==
Mon Nov 25 20:51:36 2013 : Auth: rlm_openotp: OpenOTP Authentication succeeded
Mon Nov 25 20:51:39 2013 : Auth: rlm_openotp: OpenOTP Authentication failed

==> requests.log <==
Mon Nov 25 20:51:36 2013 : Auth: Login OK: [remotevpnuser] (from client x.x.x.x port 9502720 y.y.y.y)
Mon Nov 25 20:51:39 2013 : Auth: Login incorrect: [remotevpnuser] (from client x.x.x.x port 9502720 cli y.y.y.y)

I tried changing the authentication mode from LDAPOTP -> LDAP, just to see if I could get it to authenticate successfully.

So I changed the mode from LDAPOTP -> LDAP, logged into the Cisco ASA, and attempted the following:
"test aaa-server authentication OPENOTP host x.x.x.x username testuser password password"
...it fails.

I try that same user again with
"test aaa-server authentication OPENOTP host x.x.x.x username testuser password password+openotpkey"
...it succeeds.

So the issue is two-part. OpenOTP seems to be ignoring my change from LDAPOTP to LDAP - I sort of don't care about this because ultimately I want LDAPOTP to be working. It might have been useful to isolate that behavior first. Ideally I'd like to be able to use IPsec VPNs to the Cisco ASA with the password+OTP.

Versions:
Webadm v1.2
Radiusd v2.2.2


openotp.conf:

-bash-3.2# grep "^[^#;]" openotp.conf
server_url = "http://127.0.0.1:8080/openotp/"
password_mode = 3
password_separator = "+"
domain_separator = "\\"





Thank you all for the assistance.

Regards,

Paul





Administrators

Nov 26, 2013, 4:38:38 AM
to rcdevs-t...@googlegroups.com
password_mode = 3 is for concatenated passwords, so OK, you seem to use password concatenation.
Concatenation is only for LDAP+OTP of course, and your users must be set with the LDAPOTP LoginMode to get it working.

Note: If your VPN supports challenged OTP mode (which Cisco does), you should leave password_mode at the default (= 0).
In this mode, OpenOTP does all the job and you do not have to set password_mode according to the LoginMode in WebADM.

Paul Hirschorn

Nov 26, 2013, 11:24:43 AM
to rcdevs-t...@googlegroups.com
Thank you for the quick reply. Unfortunately this doesn't help. I saw the attached link, and I intentionally set the auth method to 3 from 0 because it wasn't working.

One pretty major issue is that changing the property on the user account from LDAPOTP to LDAP doesn't have any effect. The server only responds affirmatively with LDAPOTP regardless of how the account is set. Once I set it to LDAP, I still only got a successful response once I tested with the LDAP password + OTP.

The Cisco IPsec VPN client does not seem to accept the challenge response, which is why I decided to use the concatenated method. This tests fine at the CLI, but in an actual client test it fails. Also, some of our users use the Shrew Soft VPN client, which doesn't seem to accept/recognize the challenge response.

Administrators

Nov 26, 2013, 12:43:57 PM
to rcdevs-t...@googlegroups.com
That's normal. Check the /opt/webadm/logs/soapd.log and you will see what OpenOTP receives from RB.

With mode 3, RB works in concatenated mode so it will split your LDAP and OTP passwords from the received password entry.
So even if the user is LDAP mode, RB in mode 3 expects the two passwords in a concatenated form.

Note: The RB smart mode is 0 of course, where RB does nothing, but this mode needs challenge.

BTW: You can make RB work in mode 3 and force user_settings = "LoginMode=LDAPOTP" in /opt/radiusd/conf/openotp.conf.
Then for the VPN part, it's always LDAP + OTP concatenated.
And in other OpenOTP client apps you can still set what you need.

Paul Hirschorn

Nov 26, 2013, 6:46:54 PM
to rcdevs-t...@googlegroups.com
Ok -- I tried this under the most ideal of circumstances. Still no joy...

I set the auth_mode to 0, downloaded the Cisco VPN client, and entered all the appropriate information.
I enter username + password, the server accepts my authentication request, and the client returns with "Enter your one time password". I enter it and it fails authentication just the same way it had previously.

==> ../logs/requests.log <==

Wed Nov 27 00:05:00 2013 : Auth: Login OK: [username] (from client 10.1.3.1 port 9699328 cli y.y.y.y)
Wed Nov 27 00:05:02 2013 : Auth: Login incorrect: [username] (from client 10.1.3.1 port 9699328 cli y.y.y.y)

==> ../logs/radiusd.log <==
Wed Nov 27 00:05:00 2013 : Auth: rlm_openotp: OpenOTP Authentication succeeded
Wed Nov 27 00:05:02 2013 : Auth: rlm_openotp: OpenOTP Authentication failed
I tried using Google Authenticator, both time-based and event-based. When I register the token into WebADM with time-based auth I can't even get a test to work within the WebADM interface. If I do event-based I can get a successful auth to work. The test was done with a Google Authenticator event-based token.





Paul Hirschorn

Nov 26, 2013, 9:25:27 PM
to rcdevs-t...@googlegroups.com
This is from the soapd.log. It looks like it tries to authenticate twice:

[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] New openotpSimpleLogin SOAP request
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] > Username: username
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] > Password: xxxxxxxxxxx
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] > Client ID: 10.1.3.1
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Registered openotpSimpleLogin request
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Resolved LDAP user: CN=Paul Hirschorn,OU=CompanyUsers,OU=Companycard,DC=Companydev,DC=corp
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Resolved LDAP groups: openotpadmins,domain admins
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Started transaction lock for user
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Found user language: EN
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Found 1 user mobiles: 917-123-4567
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Found 1 user emails: Pa...@CompanyCard.Com
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Found 26 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=1,ChallengeTimeout=90,ChallengeLock=,OTPPrefix=,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID,ReplyData=Class="OU=WWW-GP"\r\n
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Found 4 user data: LoginCount,TokenType,TokenKey,TokenState
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Found 1 registered Tokens: HOTP
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] LDAP password Ok
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] OTP challenge required
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Started challenge session of ID e80e495035cee2eb valid for 90 seconds
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Sent challenge response
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] New openotpChallenge SOAP request
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] > Username: username
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] > Session: e80e495035cee2eb
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] > OTP Password: xxxxxx
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] Registered openotpChallenge request
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] Found challenge session started 2013-11-27 03:07:56
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] Started transaction lock for user
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] HOTP password Ok
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] Updated user data
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] Sent success response
[2013-11-27 04:08:11] [127.0.0.1] [OpenOTP_8F3F0D24] New openotpChallenge SOAP request
[2013-11-27 04:08:11] [127.0.0.1] [OpenOTP_8F3F0D24] > Username: username
[2013-11-27 04:08:11] [127.0.0.1] [OpenOTP_8F3F0D24] > Session: e80e495035cee2eb
[2013-11-27 04:08:11] [127.0.0.1] [OpenOTP_8F3F0D24] > OTP Password: xxxxxxxxxxxxx
[2013-11-27 04:08:11] [127.0.0.1] [OpenOTP_8F3F0D24] Registered openotpChallenge request
[2013-11-27 04:08:11] [127.0.0.1] [OpenOTP_8F3F0D24] Session already handled or expired
[2013-11-27 04:08:13] [127.0.0.1] [OpenOTP_8F3F0D24] Sent failure response
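The failure in the soapd.log excerpt above is a second openotpChallenge for a session that was already consumed. As an added example (not code from the thread or from RCDevs), the following parser walks a constructed soapd.log excerpt modelled on the one posted and flags both that duplicate session answer and a user-settings value that ends in a literal CRLF escape, so the two anomalies can be spotted mechanically rather than by eye.

```python
import re

# Constructed excerpt modelled on the soapd.log posted in the thread (not the original lines).
SAMPLE_LOG = r"""
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] New openotpSimpleLogin SOAP request
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] > Username: username
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Found 2 user settings: LoginMode=LDAPOTP,ReplyData=Class="OU=WWW-GP"\r\n
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Started challenge session of ID e80e495035cee2eb valid for 90 seconds
[2013-11-27 04:07:56] [127.0.0.1] [OpenOTP_1935243D] Sent challenge response
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] New openotpChallenge SOAP request
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] > Session: e80e495035cee2eb
[2013-11-27 04:08:10] [127.0.0.1] [OpenOTP_1935243D] Sent success response
[2013-11-27 04:08:11] [127.0.0.1] [OpenOTP_8F3F0D24] New openotpChallenge SOAP request
[2013-11-27 04:08:11] [127.0.0.1] [OpenOTP_8F3F0D24] > Session: e80e495035cee2eb
[2013-11-27 04:08:11] [127.0.0.1] [OpenOTP_8F3F0D24] Session already handled or expired
[2013-11-27 04:08:13] [127.0.0.1] [OpenOTP_8F3F0D24] Sent failure response
"""

# Each line is "[timestamp] [client ip] [request id] message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<ip>[^\]]+)\] \[(?P<req>[^\]]+)\] (?P<msg>.*)$")


def parse(log_text):
    """Yield (timestamp, request_id, message) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("req"), m.group("msg")


def analyse(log_text):
    """Return human-readable findings: duplicate challenge answers and odd settings values."""
    findings = []
    answered = {}    # challenge session id -> request id that consumed it
    session_of = {}  # request id -> challenge session id it refers to
    for ts, req, msg in parse(log_text):
        if msg.startswith("> Session: "):
            session_of[req] = msg.split(": ", 1)[1]
        elif msg == "Sent success response" and req in session_of:
            answered[session_of[req]] = req
        elif msg == "Session already handled or expired":
            sid = session_of.get(req)
            findings.append(f"{ts} {req}: duplicate openotpChallenge for session {sid} "
                            f"(already consumed by request {answered.get(sid)})")
        elif " user settings: " in msg:
            settings = msg.split(": ", 1)[1]
            if settings.endswith(("\\r\\n", "\\n", "\\r")):
                findings.append(f"{ts} {req}: user settings end with a literal CRLF escape: "
                                f"...{settings[-24:]}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```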

Paul Hirschorn

Nov 26, 2013, 10:02:03 PM
to rcdevs-t...@googlegroups.com
New information... It's sort of been solved.

This user was a member of a group which I activated for use with OpenOTP. Once I removed the OpenOTP settings from the group I was able to successfully authenticate. The reason for the group was that I put in reply-data which assigns the user to a group policy on the Cisco ASA.

Is this a bug?


Administrators

Nov 27, 2013, 4:03:16 AM
to rcdevs-t...@googlegroups.com
It should work. You can put the ReplyData on groups.

What is strange is the value of your reply data: Class="OU=WWW-GP"\r\n
Why does it end with \r\n?