Error Radius

rwdinfo...@segeca.com

Oct 31, 2013, 7:47:59 AM
to rcdevs-t...@googlegroups.com
Hello,

Here is my configuration:
OpenOTP with RADIUS on the same server
WEBADM, LoginMode: OTP
Openotp.conf: password_mode = 0 or 2
SSL VPN: Propalms OneGate
RADIUS secret : OK in Propalms and OpenOTP

Cannot log in with OTP; here is the error in the file radiusd.log:
Thu Oct 31 11:46:02 2013 : Auth: rlm_openotp: Invalid "User-Password" attribute (bad format or wrong RADIUS secret)


Can you help me?

Best regards

Administrators

Oct 31, 2013, 8:31:21 AM
to rcdevs-t...@googlegroups.com
If it's PPTP VPN, you need PAP authentication with the client.

rwdinfo...@segeca.com

Oct 31, 2013, 9:28:24 AM
to rcdevs-t...@googlegroups.com
No, it's an SSL/TLS VPN.

Can we have the details of the RADIUS communications with RadiusBridge?

rwdinfo...@segeca.com

Nov 7, 2013, 12:36:36 PM
to rcdevs-t...@googlegroups.com
Hi,

I do not know where the problem is!

Can you help me?

Alternatively, do you offer a paid service to help via remote control?

Best regards

Administrators

Nov 7, 2013, 12:51:22 PM
to rcdevs-t...@googlegroups.com
The error you get is when the password is not recognised as a valid UTF-8 string when it comes to the server (i.e. it's certainly received in a binary form). It can be that the secret is wrong or the VPN uses MSCHAP or a similar unsupported password transport (with PPTP VPN only).

Else, just to be sure, does the user password contain strange characters? Can you test with a simple password value just to check whether the password value could be the cause?
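
Added example, not part of the thread and not RCDevs code: the wrong-secret case from the reply above, using the User-Password hiding defined in RFC 2865 section 5.2. The password, secrets and authenticator are constructed, and `server_verdict` is a hypothetical function that only mimics the log wording.

```python
import hashlib

def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        prev = block if decrypt else result      # always chain on the ciphertext
    return out

def hide_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: value of the User-Password attribute for a PAP login."""
    raw = password.encode("utf-8")
    if len(raw) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded_len = max(16, -(-len(raw) // 16) * 16)  # NUL-pad to a multiple of 16
    return _keystream_xor(raw.ljust(padded_len, b"\x00"), secret, authenticator, False)

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Server side: undo the hiding, then insist on valid UTF-8."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("bad User-Password length")
    clear = _keystream_xor(hidden, secret, authenticator, True).rstrip(b"\x00")
    return clear.decode("utf-8")                 # UnicodeDecodeError on garbage bytes

def server_verdict(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Hypothetical helper: what the server side would report for this attribute."""
    try:
        return "accepted for checking: " + recover_password(hidden, secret, authenticator)
    except ValueError:                           # UnicodeDecodeError is a ValueError
        return 'Invalid "User-Password" attribute (bad format or wrong RADIUS secret)'

if __name__ == "__main__":
    AUTH = bytes(range(16))                      # constructed Request Authenticator
    hidden = hide_password("pw654321", b"123", AUTH)   # constructed password + OTP
    print(server_verdict(hidden, b"123", AUTH))  # same secret on both sides
    print(server_verdict(hidden, b"124", AUTH))  # secret mistyped on one side
```

The hiding has no integrity check of its own, so a wrong secret simply yields different bytes; the UTF-8 test is what turns that into the log message, and it cannot tell a wrong secret from a badly formatted password.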

rwdinfo...@segeca.com

Nov 7, 2013, 1:25:30 PM
to rcdevs-t...@googlegroups.com
I use a FEITIAN OTP C100 or Google Authenticator

The RADIUS Secret is very simple (123)


Administrators

Nov 8, 2013, 3:17:51 AM
to rcdevs-t...@googlegroups.com
Ok so no possible issue here.
I asked in case the issue was at the LDAP password and not the OTP.
Can you show screens of all the configs on the VPN?

rwdinfo...@segeca.com

Nov 8, 2013, 1:21:41 PM
to rcdevs-t...@googlegroups.com
Hi,

There's not much in the settings on the VPN Radius OneGate of PROPALMS:



PROPALMS is using PPTP VPN server with PAP authentication.

Also, actually, I work with a FEITIAN RADIUS server, PPTP and PAP authentication.

Is it possible to have more logs in RADIUSBRIDGE?

Thank you for your help

Best regards,

Administrators

Nov 9, 2013, 6:18:10 AM
to rcdevs-t...@googlegroups.com
More logs will not help because it's just the content of the user password which is received in a wrong format.
You can start RB in debug mode by editing /opt/radiusd/bin/radiusd and changing:

    echo -n "Starting OpenOTP Radius Bridge... "
    openotp-radiusd

to:

    echo -n "Starting OpenOTP Radius Bridge... "
    openotp-radiusd -X


But the issue is certainly that the client does not send a PAP password to the VPN but a CHAP or other.
Check on the VPN Client (on the workstation) what RADIUS password protocol is set. It must be PAP.

rwdinfo...@segeca.com

Nov 15, 2013, 2:17:04 PM
to rcdevs-t...@googlegroups.com
Hi,

Here is a copy of the screen with the command line RADIUSD -X

What do you think?

Best Regards



rwdinfo...@segeca.com

Nov 19, 2013, 4:48:52 AM
to rcdevs-t...@googlegroups.com
I checked on the VPN client that PAP authentication is used; I even got confirmation from the VPN (PROPALMS OneGate) editor!

And why is there a socket error in the logs?

Thank you for helping me


Administrators

Nov 19, 2013, 12:20:36 PM
to rcdevs-t...@googlegroups.com
That seems to be the problem: RB cannot communicate with OpenOTP Web service.
Is RB on the same machine as OpenOTP/WebADM? Is it the VM appliance?

The server URL to communicate with OpenOTP is set in /opt/radiusd/conf/openotp.conf.
Check your firewall.

Administrators

Nov 20, 2013, 4:58:17 AM
to rcdevs-t...@googlegroups.com
Check a few things:

1- About the radius secret: the per-client secret is defined in /opt/radiusd/conf/clients.conf
You should have a definition for the OneGate VPN IP with a secret (password). This secret is the same on the VPN.
Note: Drop the 0.0.0.0/0 entry in clients.conf to be sure this entry is not used by default (this would cause the secret to be wrong).

2- Check that the openotp network service is accessible locally:
Do this with a "telnet localhost 8080"
> In /opt/radiusd/conf/openotp.conf you should have the openotp URL set to : server_url = "http://localhost:8080/openotp/"
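
Added example, not from the thread or from RCDevs: a check for step 1 that reads clients.conf text and reports a catch-all entry or a secret mismatch for one client address. It assumes the file uses FreeRADIUS stanza syntax; the sample file, the 192.0.2.10 address, the secrets and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed clients.conf content; names, address and secrets are made up.
SAMPLE = """
client any {
    ipaddr = 0.0.0.0
    netmask = 0
    secret = testing123   # catch-all entry
}
client onegate {
    ipaddr = 192.0.2.10
    secret = 123
}
"""

def parse_clients(text):
    """Return (name, network, secret) for every client stanza with a literal address."""
    clients = []
    text = re.sub(r"#.*", "", text)                      # drop comments
    for name, body in re.findall(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        fields = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))
        addr = fields.get("ipaddr", name)                # address may be the stanza name
        if "/" not in addr and "netmask" in fields:
            addr += "/" + fields["netmask"]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue                                     # hostname clients are skipped
        clients.append((name, net, fields.get("secret", "").strip('"')))
    return clients

def audit(text, nas_ip, nas_secret):
    """List the problems step 1 asks you to rule out for one RADIUS client."""
    ip = ipaddress.ip_address(nas_ip)
    covering = [c for c in parse_clients(text) if ip in c[1]]
    findings = []
    if not any(net.prefixlen > 0 for _, net, _ in covering):
        findings.append("no dedicated stanza for %s" % nas_ip)
    for name, net, secret in covering:
        if net.prefixlen == 0:
            findings.append("catch-all stanza '%s' also covers %s" % (name, nas_ip))
        elif secret != nas_secret:
            findings.append("secret in stanza '%s' differs from the one on the VPN" % name)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "192.0.2.10", "123")))
```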

Administrators

Nov 20, 2013, 12:08:54 PM
to rcdevs-t...@googlegroups.com
Other point: SELinux may cause this kind of trouble.
Disable SELinux if it is enabled.

rwdinfo...@segeca.com

Nov 27, 2013, 11:47:43 AM
to rcdevs-t...@googlegroups.com
The problem was SELinux!

But now I have another error in the radiusd.log:
Wed Nov 27 17:35:16 2013 : Error: Discarding duplicate request from client any port 55788 - ID: 93 due to unfinished request 1
Wed Nov 27 17:35:16 2013 : Error: rlm_openotp: recv failed (No child processes)
Wed Nov 27 17:35:16 2013 : Error: rlm_openotp: openotpSimpleLogin request failed


For information, with your VMware VM, everything works fine!
But I use HYPER-V :((

Thanks

rwdinfo...@segeca.com

Dec 2, 2013, 12:40:40 PM
to rcdevs-t...@googlegroups.com
Hi,

Can you help me, please?

Best regards

Administrators

Dec 2, 2013, 3:47:25 PM
to rcdevs-t...@googlegroups.com
No idea what it can be. It's not tested on HYPER V.
Maybe a network configuration issue or network driver incompatibility in the VM.

rwdinfo...@segeca.com

Dec 3, 2013, 1:07:56 PM
to rcdevs-t...@googlegroups.com
I do not think so, because I have no problem accessing the same WEBADM or other network services (ntp, snmp, webmin ...)

What do the errors "rlm_openotp: recv failed (No child processes)" and "openotpSimpleLogin request failed" mean?

Thanks

Administrators

Dec 3, 2013, 1:21:51 PM
to rcdevs-t...@googlegroups.com
We are investigating this, as others have reported issues with RB socket reads when using virtualised servers.

Administrators

Dec 3, 2013, 2:00:50 PM
to rcdevs-t...@googlegroups.com
You can try something which may help:
On the VPN, disable RADIUS retries (set 0 retries) and set a longer RADIUS timeout of e.g. 10 sec.

