[WEBADM] No Domain has been defined configured


nwo...@gmail.com

Jan 10, 2017, 3:46:37 AM
to RCDevs Security Solutions - Technical
Hi! We want to set up a multi-factor authentication system in our network. For this we want to test the OpenOTP system.

I set up a CentOS 7 system in our test lab, downloaded the WebADM installation file and installed it. After this I configured MariaDB with the required table and user. I changed the server.xml and the webadm.conf file to the following and started the service. The feedback told me that everything was right.

Checking system architecture... Ok
Checking libudev dependency... Ok
Checking server configurations... Ok

No Enterprise license found (using bundled Freeware license)
Please contact sa...@rcdevs.com for commercial information

Starting WebADM PKI server... Ok
Starting WebADM Session server... Ok
Starting WebADM HTTP server... Ok

Checking server connections. Please wait... 
Connected LDAP server: sw-dc-tst (192.168.0.1)
Connected SQL server: openotp MariaDB (127.0.0.1)
Connected PKI server: PKI Server (localhost)
Connected Session server: Session Server (localhost)

Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok

I logged on to the website with the full DN for the Administrator and completed the installation process. After this all steps reported the status Success and I finished this step.

But now there is the first part of my problem: I can't log in with my UID; the website shows the error: No Domain has been defined configured

After the installation of OpenOTP (without any problems) I created a test user and generated an OTP token. If I want to test this with the "Test User Login" function I get the error Could not find any user Domain.

Could anybody tell me what I forgot or configured wrong?

I would be grateful for any help.

Thanks in advance

Marc



-----------------------------------------------------------------
webadm.conf
-----------------------------------------------------------------

#
# WebADM Server Configuration
#

# WebADM login mode
# - PKI: Requires client certificate and login password.
# - UID: Requires domain name, login name and password.
# - DN: Requires login DN and password.
# Using certificates is the most secure login method. To use certificate login,
# you must log in to WebADM and create a login certificate for your administrators.
# The UID mode requires a WebADM domain to exist and have its User Search Base
# set to the subtree where the administrator users are located. When using UID
# and if there is no domain existing in WebADM, the login mode is automatically
# forced to DN. You will also need to log in with the full user DN and set up
# a WebADM domain to be able to use the UID login mode.
auth_mode UID

# Show the registered domain list when auth_mode is set to UID.
list_domains Yes

# Set a default admin login domain when auth_mode is set to UID.
default_domain "DC=nwotst,DC=int"

# User level changes the level of feature and configuration for all applications.
# WebADM proposes three levels: Beginner, Intermediate and Expert. The default
# level (Expert) is recommended as it provides access to all the RCDevs features.
user_level Expert

# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users / groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
proxy_user     "cn=otpadmin,cn=Users,dc=nwotst,dc=int"
proxy_password "******"

# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restrictions configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be something like
# cn=Administrator,cn=Users,dc=mydomain,dc=com. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "cn=otpadmin,cn=Users,dc=nwotst,dc=int",
super_admins "cn=Administrator,cn=Users,dc=nwotst,dc=int"

# LDAP objectclasses
container_oclasses      "container", "organizationalUnit", "organization", "domain", "locality", "country", \
                        "openldaprootdse", "treeroot"
# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses           "user", "account", "person", "inetOrgPerson", "posixAccount"
group_oclasses          "group", "groupOfNames", "groupOfUniqueNames", "dynamicGroup", "posixGroup"
# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "webadmAccount"
webadm_group_oclasses   "webadmGroup"
webadm_config_oclasses  "webadmConfig"

# LDAP attributes
certificate_attrs       "userCertificate"
password_attrs          "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs               "uid", "samAccountName", "userPrincipalName"
member_attrs            "member", "uniqueMember"
memberof_attrs          "memberOf", "groupMembership"
memberuid_attrs         "memberUid"
language_attrs          "preferredLanguage"
mobile_attrs            "mobile"
mail_attrs              "mail"
webadm_data_attrs       "webadmData"
webadm_settings_attrs   "webadmSettings"
webadm_type_attrs       "webadmType"

# ignore some AD attributes
ignored_attrs "ntsecuritydescriptor", "objectcategory", "objectsid", "badpasswordtime", \
              "badpwdcount", "lastlogoff", "lastlogon", "logoncount", "lastlogontimestamp", \
              "pwdlastset", "primarygroupid", "samaccounttype"

# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM AdminRoles container
adminroles_container "cn=AdminRoles,cn=WebADM,dc=nwotst,dc=int"
# WebADM Optionsets container
optionsets_container "cn=OptionSets,cn=WebADM,dc=nwotst,dc=int"
# WebApp configurations container
webapps_container "cn=WebApps,cn=WebADM,dc=nwotst,dc=int"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,cn=WebADM,dc=nwotst,dc=int"
# Mount points container
mountpoints_container "cn=Mountpoints,cn=WebADM,dc=nwotst,dc=int"
# Domain and Trusts container
domains_container "cn=Domains,cn=WebADM,dc=nwotst,dc=int"
# Clients container
clients_container "cn=Clients,cn=WebADM,dc=nwotst,dc=int"

# You can set here the timeout (in seconds) of a WebADM session.
# Web sessions will be closed after this period of inactivity.
# The Manager Interface cookie-based sessions are disabled by default.
admin_session 900
manager_session 0
webapps_session 600

# You can set here the WebADM internal cache timeout. A normal value is one hour.
cache_timeout 3600

# Time zone
# Look at the docs/timezones.txt for the list of time zones.
#time_zone "Europe/Paris"

# Application languages
languages "EN","DE"

# WebADM encrypts LDAP user data, sensitive configurations and user sessions with
# AES-256. The encryption key(s) must be 256bit base64-encoded random binary data.
# Use the command 'openssl rand -base64 32' to generate a new encryption key.
# Warning: If you change the encryption key, any encrypted data will become invalid!
# You can set several encryption keys for key rollout. All the defined keys are used
# for decrypting data. And the first defined key is used to (re-)encrypt data.
# Two encryption modes are supported:
# Standard: AES-256-CBC (default)
# Advanced: AES-256-CBC with per-object encryption (stronger)
encrypt_data Yes
encrypt_mode Standard
encrypt_hsm  No
encrypt_key  "*****************************************"

# Hardware Cryptography Module
# Yubico YubiHSM and RCDevs HSMHub are currently supported for hardware encryption.
# Up to 8 HSM modules can be concurrently attached to the server.
#hsm_model YubiHSM
#hsm_keyid 1

# Data store defines which back-end is used for storing user data and settings.
# By default WebADM stores the user and group metadata in the LDAP. By setting the
# data_store to SQL, these metadata are stored in a dedicated SQL table.
# LDAP is generally the preferred option because it maximizes the system consistency.
# SQL is preferred if you absolutely need read-only LDAP access for the proxy_user.
data_store LDAP

# The group mode defines how WebADM will handle LDAP groups.
# - Direct mode: WebADM finds user groups using the memberof_attrs defined above.
#   In this case, the group membership is defined in the LDAP user objects.
# - Indirect mode: WebADM finds user groups by searching group objects which contain
#   the user DN as part of the member_attrs.
# - Auto: Both direct and indirect groups are used.
# - Disabled: All LDAP group features are disabled in WebADM.
# By default (when group_mode is not specified) WebADM handles both group modes.
group_mode Auto

# LDAP cache greatly increases performance under high server loads. The cache limits
# the number of LDAP requests by storing resolved user DN and group settings. When
# enabled, results are cached for 300 secs.
ldap_cache Yes

# LDAP routing enables LDAP request load-balancing when multiple LDAP servers are
# configured in servers.xml. You should enable this feature if LDAP server load
# becomes a bottleneck due to a big amount of users (ex. more than 10000 users).
#ldap_routing No

# You can optionally disable some features if you run multiple WebADM servers with
# different purposes. For example, if you don't want to provide the admin portal on an
# Internet-exposed WebApps and WebSrvs server.
# By default, all the functionalities are enabled.
enable_admin Yes
enable_manager Yes
enable_webapps Yes
enable_websrvs Yes

# Enable extended logging to the webadm.log file (enabled by default).
# Records all WebApps and Web Service events to the webadm.log file.
log_webapps Yes
log_websrvs Yes

# Enable syslog reporting (disabled by default). When enabled, system logs are sent
# to both the WebADM log files and syslog.
#log_syslog No
#log_format CEF
#syslog_facility LOG_USER

# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# is defined, the alerts are also sent by email to the configured recipient(s).
#alert_email "m...@mydomain.com"

# If your WebADM server is used behind a reverse-proxy or load-balancer, you need to
# set the IP address(es) of your reverse-proxy server(s). Your proxy MUST create the
# HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers.
#reverse_proxies "192.168.0.100", "192.168.0.101"
# If you use WebADM Publishing Proxy (WAProxy) for publishing applications on public
# networks, then you must set the IP address(es) of the WAProxy server(s).
# Enable this setting ONLY if you are using RCDevs WAProxy as reverse-proxy!
#waproxy_proxies "192.168.0.102"

# Check for new product versions and license updates on RCDevs' website.
# These features require outbound Internet access from the server.
check_versions Yes
check_licenses Yes

# WebApps theme
# Comment the following line to disable the default theme.
webapps_theme "default"

# End-user messages
# The following variables are available: %USERNAME%, %USERDN%, %USERID%, %DOMAIN%, %APPNAME%
# Additional variables are available depending on the context: %APPID%, %TIMEOUT%, %EXPIRES%
unlock_subject "Unlocked access to %APPNAME%"
unlock_message "Hello %USERNAME%,\r\n\r\nYou have a one-time access to the %APPNAME%.\r\nYour access will automatically expire %EXPIRES%."

# Personalization options
# You can customize your organization name, logo file and website URL.
# The logo file must be a PNG image with size 100x50 pixels.
#org_name "RCDevs SA"
#org_logo "rcdevs.png"
#org_site "http://www.rcdevs.com/"

# Misc options
#treeview_width 300
#treeview_items 1500
#default_portal Admin
#ldap_uidcase No

-----------------------------------------------------------------
server.xml
-----------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8" ?>

<Servers>

<!--
******************************************
***  WebADM Remote Server Connections  ***
******************************************

You can configure multiple instances for each of the following servers.
At logon, WebADM will try to connect to the configured servers in the same
order they appear in this file and use the first one it successfully
establishes the connection to. If the server connection goes down, it
will automatically fail over to the next configured server.

At least one LDAP server is required to run WebADM.
Supported servers: OpenLDAP, Active Directory, Novell eDirectory, 389.

Allowed LDAP parameters are:
 - name: server friendly name
 - host: server hostname or IP address
 - port: LDAP port number
   default and TLS: 389
   default SSL: 636
 - encryption: connection type
   allowed types are NONE, SSL and TLS
   default: 'NONE'
 - ca_cert: Trusted CA for SSL and TLS
-->

<LdapServer name="sw-dc-tst"
            host="192.168.0.1"
            port="636"
            encryption="SSL"
            ca_file="" />

<!--
<LdapServer name="LDAP Server 2"
            host="remotehost"
            port="389"
            encryption="TLS"
            ca_file="" />
-->

<!--
SQL servers are used for logs, message localizations and inventories.
Supported servers: MySQL, PostgreSQL, MSSQL, Sybase, Oracle, SQLite.

Allowed SQL parameters are:
 - type: MySQL, PostgreSQL, MSSQL, Sybase, Oracle or SQLite.
 - name: server friendly name
 - host: server hostname or IP address
 - port: SQL port number (depends on server type)
 - user: database user
 - password: database password
 - database: database name
 - tnsname: Oracle TNS name (Oracle only)

With SQLite, only the 'database' must be set and other parameters are
ignored. The database is the full path to a SQLite DB file where WebADM
has full access rights.

With Oracle, you can optionally use TNS names. If the 'tnsname' is set
then the 'host' and 'port' parameters are ignored and a tnsnames.ora
file must exist under the conf/ directory.
-->

<SqlServer name="openotp MariaDB"
           type="MySQL"
           host="localhost"
           user="webadm"
           password="webadm"
           database="webadm" />

<!--
A session server is required for web services using sessions
such as OpenOTP. You can specify one or more session servers here.
The session server is included in WebADM. So you can keep the
default settings here.
-->

<SessionServer name="Session Server"
               host="localhost"
               port="4000"
               secret="" />

<!--
A PKI server (or CA) is required for signing user certificates.
The RSign PKI server is included in WebADM. So you can keep the
default settings here.
-->

<PkiServer name="PKI Server"
           host="localhost"
           port="5000"
           secret="secret"
           ca_file="" />

<!--
WebADM supports YubiHSM connected locally or the network-based
RCDevs HSM Server (HSMHub). With RCDevs HSMHub, the HSM server
connection parameters must be set below.
-->

<!--
<HsmServer name="HSM Server"
           host="remotehost"
           port="6000"
           secret="secret"
           ca_file="" />
-->

<!--
You need to configure RCDevs Push server(s) in order to use
TiQR Push or RCDevs Mobile Authenticator with Push login.
If you have an Enterprise license then you don't need to
register a RCDevs push account (keep user and password empty).
-->

<!--
<PushServer name="Push Server"
            host="push.rcdevs.com"
            port="7000"
            user="TRAIL1989368837"
            password="339cef55c72a08d48fb9"
            ca_file="" />
-->

<!--
Uncomment the following block if you have a license server
with an IP pool-based Enterprise license from RCDevs.
-->

<!--
<LicenseServer name="License Server"
               type="Production"
               host="remotehost"
               port="8000" />
-->

<!--
HTTP proxy servers can be used by WebADM for connecting to
remote Web services and version checking.
-->

<!--
<ProxyServer name="HTTP Proxy"
             host="proxy"
             port="8080"
             user=""
             password=""
             ca_file="" />
-->

<!--
SMTP mail servers can be used by WebADM for sending emails.
If no server is specified, WebADM will use the local mailer
in /usr/sbin/sendmail to send emails.
-->

<!--
<MailServer name="SMTP Server"
            host="localhost"
            port="25"
            user=""
            password=""
            encryption="NONE"
            ca_file="" />
-->

</Servers>



francois...@rcdevs.com

Jan 10, 2017, 4:02:03 AM
to RCDevs Security Solutions - Technical
Hello,

Do you have the default domain when you go to WebADM interface > Admin > Local Domain?

It should be created during the first connection, as in the attached screenshot.
Screen Shot 2017-01-10 at 09.57.15.png

nwo...@gmail.com

Jan 17, 2017, 7:43:46 AM
to RCDevs Security Solutions - Technical
Hi,

I got this screen after the first login, and after configuring the failed points all was OK. But there is no Local Domain. If I create one I get no change.

Yoann Traut (RCDevs)

Jan 17, 2017, 8:18:52 AM
to RCDevs Security Solutions - Technical
Have you configured the local domain in the WebADM GUI?

Go to Admin > Local Domain > Default > CONFIGURE

Could you send us a screenshot of your current configuration, please?

Yoann Traut (RCDevs)

Jan 17, 2017, 8:20:41 AM
to RCDevs Security Solutions - Technical
You must have something like that (see the attached screenshot).
Capture d’écran 2017-01-17 à 14.19.20.png

alejandro hernandez

Oct 25, 2019, 2:01:03 PM
to RCDevs Security Solutions - Technical
Hello.
Here is my configuration screenshot.

Regards.
Captura de Pantalla 2019-10-25 a la(s) 12.58.24.png

Yoann Traut (RCDevs)

Oct 28, 2019, 5:10:08 AM
to RCDevs Security Solutions - Technical
Hello,

You made mistakes in webadm.conf, and the setup you have chosen is incorrect for AD: you have chosen the OpenLDAP setup instead of the AD setup.
Have a look at this doc for AD.

In that doc, you have to choose between the AD schema extended or not extended (points 3 or 4).

Re-run the setup script, choose one of the AD setups and get back to us if you encounter the problem again.
Edit your webadm.conf file according to the one available in the documentation.

Regards

alejandro hernandez

Oct 28, 2019, 3:41:40 PM
to RCDevs Security Solutions - Technical
Hello, I reconfigured using the AD extended schema. The problem persists in the new configuration schema.
I solved this by putting my AD as the primary DNS in both pfSense and WebADM, and also using PAP in my pfSense client configuration (this option is now configurable in the most recent pfSense versions; it is recommended to update the screenshots in the WebADM documentation).

Thanks for the support and regards.

alejandro hernandez

Oct 28, 2019, 3:55:22 PM
to RCDevs Security Solutions - Technical
I have a question for you. Does WebADM support MSCHAPv1/MSCHAPv2 instead of PAP for RADIUS client connections?

Yoann Traut (RCDevs)

Oct 29, 2019, 4:25:28 AM
to RCDevs Security Solutions - Technical
No. 

Yoann Traut (RCDevs)

Oct 29, 2019, 5:46:21 AM
to RCDevs Security Solutions - Technical
Are you able to perform a login with WebADM/OpenOTP from the pfSense GUI > Diagnostics > Authentication?
On my side yes, and I'm running the latest version of pfSense, 2.4.4_3.

These are my radiusd debug logs:

(0) Received Access-Request Id 224 from 192.168.3.146:62596 to 192.168.3.54:1812 length 141
(0)   Service-Type = Login-User
(0)   User-Name = "adminis...@yorcdevs.com"
(0)   User-Password = "password732509"
(0)   NAS-IP-Address = 192.168.3.70
(0)   NAS-Identifier = "pfSense.yorcdevs.com"
(0)   Called-Station-Id = "00:50:56:3a:34:c0:pfSense.yorcdevs.com"
(0) # Executing section authorize from file /opt/radiusd/lib/radiusd.ini
(0)   authorize {
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)     [openotp] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = OTP
(0) # Executing group from file /opt/radiusd/lib/radiusd.ini
(0)   Auth-Type OTP {
rlm_openotp: Found client attribute "NAS-Identifier" with value "pfSense.yorcdevs.com"
rlm_openotp: Sending openotpSimpleLogin request
rlm_openotp: OpenOTP authentication succeeded
rlm_openotp: Reply message: Authentication success
rlm_openotp: Sending Access-Accept
(0)     [openotp] = ok
(0)   } # Auth-Type OTP = ok
(0) Login OK: [adminis...@yorcdevs.com] (from client any port 0)
(0) Sent Access-Accept Id 224 from 192.168.3.54:1812 to 192.168.3.146:62596 length 0
(0)   Reply-Message := "Authentication success"
(0) Finished request
Waking up in 9.9 seconds.

These are my WebADM logs:

[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] New openotpSimpleLogin SOAP request
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] > Username: adminis...@yorcdevs.com
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] > Password: xxxxxxxxxxxxxx
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] > Client ID: pfSense.yorcdevs.com
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] > Options: RADIUS,-U2F
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] Enforcing client policy: pfSense.yorcdevs.com (matched client ID)
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] Registered openotpSimpleLogin request
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] Ignoring 3 memberof values for user 'CN=Administrateur,CN=Users,DC=yorcdevs,DC=com' (out of domain group search base)
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Resolved LDAP user: CN=Administrateur,CN=Users,DC=yorcdevs,DC=com
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Resolved LDAP groups: master,propriétaires créateurs de la stratégie de groupe,admins du domaine,administrateurs de l’entreprise,administrateurs du schéma,groupe de réplication dont le mot de passe rodc est refusé,testdynamique
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Started transaction lock for user
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Found user fullname: administrateur
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Found user language: EN
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Found 3 user certificates
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Found 46 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,PushLogin=Yes,ExpireNotify=MAIL,ChallengeMode=No,ChallengeTimeout=90,ChallengeRetry=Yes,OTPLength=6,MobileTimeout=30,EnableLogin=Yes,SelfRegister=Yes,PasswordReset=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,SecureMail=No,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Found 16 user data: OTPPrefix,LastOTP,TokenType,TokenKey,TokenState,TokenID,TokenSerial,Token2Type,Token2Key,Token2State,Token2ID,Token2Serial,Device1Type,Device1Name,Device1Data,Device1State
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Last OTP expired 2019-10-29 10:31:55
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Found 2 registered OTP tokens (TOTP,YUBIKEY)
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Challenge mode disabled (assuming concatenated passwords)
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Requested login factors: LDAP & OTP
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] LDAP password Ok
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] TOTP password Ok (token #1)
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Updated user data
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Sent login success response

This is the authentication result on pfSense:

(screenshot attached)


Regards
Capture d’écran 2019-10-29 à 10.44.26.png

Yoann Traut (RCDevs)

Oct 29, 2019, 7:42:33 AM
to RCDevs Security Solutions - Technical
I also tried with the OpenVPN server on pfSense and it works well.

WebADM logs:

[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] New openotpSimpleLogin SOAP request
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] > Username: administrateur
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] > Password: xxxxxxxxxxxxxx
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] > Client ID: openVPN
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] > Options: RADIUS,-U2F
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Enforcing client policy: openVPN (matched client ID)
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Registered openotpSimpleLogin request
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Resolved LDAP user: CN=Administrateur,CN=Users,DC=yorcdevs,DC=com (cached)
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Resolved LDAP groups: master,propriétaires créateurs de la stratégie de groupe,admins du domaine,administrateurs de l’entreprise,administrateurs du schéma,groupe de réplication dont le mot de passe rodc est refusé,testdynamique
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Started transaction lock for user
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Found user fullname: administrateur
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Found user language: EN
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Found 3 user certificates
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Found 46 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,PushLogin=Yes,ExpireNotify=MAIL,ChallengeMode=No,ChallengeTimeout=90,ChallengeRetry=Yes,OTPLength=6,MobileTimeout=30,EnableLogin=Yes,SelfRegister=Yes,PasswordReset=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,SecureMail=No,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Found 16 user data: OTPPrefix,LastOTP,TokenType,TokenKey,TokenState,TokenID,TokenSerial,Token2Type,Token2Key,Token2State,Token2ID,Token2Serial,Device1Type,Device1Name,Device1Data,Device1State
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Last OTP present (valid until 2019-10-29 12:40:24)
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Found 2 registered OTP tokens (TOTP,YUBIKEY)
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Challenge mode disabled (assuming concatenated passwords)
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Requested login factors: LDAP & OTP
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] LDAP password Ok
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] TOTP password Ok (token #1)
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Updated user data
[2019-10-29 12:37:15] [192.168.3.54] [OpenOTP:L4WHGBMH] Sent login success response

Radius Bridge logs (you can see in clear text the LDAP password and the OTP provided in concatenated mode):

(4) Received Access-Request Id 218 from 192.168.3.146:10686 to 192.168.3.54:1812 length 147
(4)   Service-Type = Login-User
(4)   User-Name = "administrateur"
(4)   User-Password = "password519452"
(4)   NAS-IP-Address = 192.168.3.70
(4)   NAS-Identifier = "openVPN"
(4)   Calling-Station-Id = "192.168.3.146:1195"
(4)   Called-Station-Id = "00:50:56:3a:34:c0:pfSense.yorcdevs.com"
(4)   NAS-Port-Type = Virtual
(4)   NAS-Port = 1195
(4) # Executing section authorize from file /opt/radiusd/lib/radiusd.ini
(4)   authorize {
(4) eap: No EAP-Message, not doing EAP
(4)     [eap] = noop
(4) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(4) pap: WARNING: Authentication will fail unless a "known good" password is available
(4)     [pap] = noop
(4)     [openotp] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = OTP
(4) # Executing group from file /opt/radiusd/lib/radiusd.ini
(4)   Auth-Type OTP {
rlm_openotp: Found client attribute "NAS-Identifier" with value "openVPN"
rlm_openotp: Ignoring source attribute "Calling-Station-Id" (not an IP address)
rlm_openotp: Sending openotpSimpleLogin request
rlm_openotp: OpenOTP authentication succeeded
rlm_openotp: Reply message: Authentication success
rlm_openotp: Sending Access-Accept
(4)     [openotp] = ok
(4)   } # Auth-Type OTP = ok
(4) Login OK: [administrateur] (from client any port 1195 cli 192.168.3.146:1195)
(4) Sent Access-Accept Id 218 from 192.168.3.54:1812 to 192.168.3.146:10686 length 0
(4)   Reply-Message := "Authentication success"
(4) Finished request
Waking up in 9.9 seconds.
(4) Cleaning up request packet ID 218 with timestamp +131
Ready to process requests

VPN client logs (Viscosity here):

2019-10-29 12:37:01: Viscosity Mac 1.8.1 (1511)
2019-10-29 12:37:01: Viscosity OpenVPN Engine Started
2019-10-29 12:37:01: Running on macOS 10.14.3
2019-10-29 12:37:01: ---------
2019-10-29 12:37:01: State changed to Connexion en cours
2019-10-29 12:37:01: Vérification du statut d'accessibilité de la connexion...
2019-10-29 12:37:01: La connexion est accessible. Tentative de démarrage de la connexion.
2019-10-29 12:37:02: OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 11 2019
2019-10-29 12:37:02: library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
2019-10-29 12:37:15: Valid endpoint found: 192.168.3.146:1195:udp
2019-10-29 12:37:15: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2019-10-29 12:37:15: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.3.146:1195
2019-10-29 12:37:15: UDP link local: (not bound)
2019-10-29 12:37:15: UDP link remote: [AF_INET]192.168.3.146:1195
2019-10-29 12:37:15: State changed to Authentification en cours
2019-10-29 12:37:15: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-10-29 12:37:15: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1569'
2019-10-29 12:37:15: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
2019-10-29 12:37:15: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
2019-10-29 12:37:15: WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'
2019-10-29 12:37:15: [pfsense] Peer Connection Initiated with [AF_INET]192.168.3.146:1195
2019-10-29 12:37:17: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2019-10-29 12:37:17: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2019-10-29 12:37:17: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
2019-10-29 12:37:17: Opened utun device utun10
2019-10-29 12:37:17: /sbin/ifconfig utun10 delete
2019-10-29 12:37:17: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2019-10-29 12:37:17: /sbin/ifconfig utun10 10.0.8.2 10.0.8.2 netmask 255.255.255.0 mtu 1500 up
2019-10-29 12:37:17: Initialization Sequence Completed
2019-10-29 12:37:17: DNS mode set to Split
2019-10-29 12:37:17: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
2019-10-29 12:37:17: State changed to Connected

My client policy:

(screenshot attached)

Regards


Capture d’écran 2019-10-29 à 12.41.09.png
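The two WebADM log excerpts above share one line shape ([timestamp] [source IP] [OpenOTP:RequestID] message), so a reviewer can reconstruct each login from its request ID. The following correlator is an added example, not code from RCDevs or from this thread; it runs on a constructed sample modelled on those lines (hostnames, DNs and the second request ID are made up) and flags a request where the LDAP password passed but the OTP step never completed.

```python
import re
from collections import OrderedDict

# Matches the webadm.log line shape shown in the thread:
# [timestamp] [client ip] [App:RequestID] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<ip>[^\]]+)\] \[(?P<app>\w+):(?P<req>\w+)\] (?P<msg>.*)$"
)

# Constructed sample log. The second request stops after the LDAP check:
# no "TOTP password Ok" and no "Sent login success response" line.
SAMPLE_LOG = """\
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] New openotpSimpleLogin SOAP request
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] > Username: admin@example.test
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] > Password: xxxxxxxxxxxxxx
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] > Client ID: pfSense.example.test
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] > Options: RADIUS,-U2F
[2019-10-29 10:43:53] [192.168.3.54] [OpenOTP:TGXMXD1T] Enforcing client policy: pfSense.example.test (matched client ID)
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Resolved LDAP user: CN=Admin,CN=Users,DC=example,DC=test
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Requested login factors: LDAP & OTP
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] LDAP password Ok
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] TOTP password Ok (token #1)
[2019-10-29 10:43:54] [192.168.3.54] [OpenOTP:TGXMXD1T] Sent login success response
[2019-10-29 10:45:10] [192.168.3.54] [OpenOTP:QQ1ZZ2AA] New openotpSimpleLogin SOAP request
[2019-10-29 10:45:10] [192.168.3.54] [OpenOTP:QQ1ZZ2AA] > Username: admin@example.test
[2019-10-29 10:45:10] [192.168.3.54] [OpenOTP:QQ1ZZ2AA] > Client ID: openVPN
[2019-10-29 10:45:10] [192.168.3.54] [OpenOTP:QQ1ZZ2AA] > Options: RADIUS,-U2F
[2019-10-29 10:45:10] [192.168.3.54] [OpenOTP:QQ1ZZ2AA] Resolved LDAP user: CN=Admin,CN=Users,DC=example,DC=test (cached)
[2019-10-29 10:45:10] [192.168.3.54] [OpenOTP:QQ1ZZ2AA] Requested login factors: LDAP & OTP
[2019-10-29 10:45:10] [192.168.3.54] [OpenOTP:QQ1ZZ2AA] LDAP password Ok
"""


def parse_line(line):
    """Split one webadm.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_requests(text):
    """Group lines by request ID and keep the facts a reviewer wants: who logged in,
    from which client ID, which factors were requested, which factors actually
    passed, and whether WebADM sent the login success response."""
    reqs = OrderedDict()
    for raw in text.splitlines():
        f = parse_line(raw)
        if f is None:
            continue
        r = reqs.setdefault(f["req"], {
            "app": f["app"], "source_ip": f["ip"], "first_seen": f["ts"], "last_seen": f["ts"],
            "username": None, "client_id": None, "user_dn": None,
            "requested_factors": [], "factors_ok": [], "success": False,
        })
        r["last_seen"] = f["ts"]
        msg = f["msg"]
        if msg.startswith("> Username: "):
            r["username"] = msg[len("> Username: "):]
        elif msg.startswith("> Client ID: "):
            r["client_id"] = msg[len("> Client ID: "):]
        elif msg.startswith("Resolved LDAP user: "):
            r["user_dn"] = msg[len("Resolved LDAP user: "):].replace(" (cached)", "")
        elif msg.startswith("Requested login factors: "):
            r["requested_factors"] = [x.strip() for x in msg[len("Requested login factors: "):].split("&")]
        elif msg == "LDAP password Ok":
            r["factors_ok"].append("LDAP")
        elif re.match(r"^\w+ password Ok \(token #\d+\)$", msg):  # e.g. "TOTP password Ok (token #1)"
            r["factors_ok"].append("OTP")
        elif msg == "Sent login success response":
            r["success"] = True
    return reqs


def incomplete_requests(reqs):
    """Request IDs where the LDAP password was accepted but no OTP factor passed
    and no success response was logged: the second factor never completed."""
    return [rid for rid, r in reqs.items()
            if "LDAP" in r["factors_ok"] and "OTP" not in r["factors_ok"] and not r["success"]]


if __name__ == "__main__":
    summary = summarize_requests(SAMPLE_LOG)
    for rid, r in summary.items():
        print(rid, r["username"], r["client_id"], r["factors_ok"],
              "success" if r["success"] else "NOT completed")
    print("incomplete:", incomplete_requests(summary))
```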

alejandro hernandez

Oct 29, 2019, 8:51:31 PM
to RCDevs Security Solutions - Technical
Hello.

As I mentioned above, I created a new laboratory with an MS-AD server + WebADM + pfSense. In this new deployment, the issue was solved. I also configured my pfSense in System > User Manager > Authentication Servers > WebADM with PAP as the protocol in the RADIUS Server Settings section.

The problem with this is that the PAP protocol is insecure because it sends the password in plain text. I tried the same configuration with MSCHAPv1 and MSCHAPv2 but it doesn't work. Now I want to configure the communication between WebADM and pfSense as MSCHAPv1 | MSCHAPv2.

Can I see your System > User Manager > Authentication Servers > WebADM configuration in pfSense?
Captura de Pantalla 2019-10-29 a la(s) 18.25.00.png

Yoann Traut (RCDevs)

Oct 30, 2019, 4:37:49 AM
to RCDevs Security Solutions - Technical
Hello,

MSCHAP v1/v2 are not supported by Radius Bridge.
If PAP is used on a trusted network it's not a problem. RADIUS doesn't actually send the users' passwords in plaintext; it XORs the passwords with an MD5 hash based on a shared secret.

Regards
Capture d’écran 2019-10-30 à 09.35.52.png
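The User-Password hiding that the reply above refers to is RFC 2865 section 5.2. The following is an added example, not code from RCDevs or from this thread: it implements the hiding and its inverse in Python with a constructed shared secret and Request Authenticator, and runs it on the concatenated password+OTP string quoted in the Radius Bridge log earlier in the thread, so the reader can see what actually crosses the wire and that the only key material is the shared secret.

```python
import hashlib
import os

# RFC 2865 section 5.2: the User-Password attribute of an Access-Request is NUL-padded
# to a multiple of 16 bytes and each 16-byte block is XORed with
# MD5(shared_secret + previous block), the first "previous block" being the 16-byte
# Request Authenticator of the packet. The shared secret never crosses the wire, so
# the hiding is only as strong as that secret and the freshness of the authenticator.

BLOCK = 16


def _pad(password):
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1 to 128 password bytes")
    return password + b"\x00" * (-len(password) % BLOCK)


def hide_password(password, shared_secret, request_authenticator):
    """Produce the on-the-wire User-Password value for an Access-Request."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = _pad(password)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += block
        prev = block  # chaining: the next keystream depends on the previous cipher block
    return bytes(out)


def reveal_password(hidden, shared_secret, request_authenticator):
    """Inverse of hide_password, as the RADIUS server does before checking the password.
    Trailing NUL padding is stripped, so a password ending in NUL bytes cannot be
    represented (a limitation of the RFC scheme itself, not of this code)."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def user_password_avp(hidden):
    """Wrap the hidden value in a RADIUS attribute: Type 2 (User-Password), Length, Value."""
    return bytes([2, 2 + len(hidden)]) + hidden


if __name__ == "__main__":
    # Constructed values: the concatenated "LDAP password + OTP" string quoted in the
    # thread's RADIUS log, a made-up shared secret and a random Request Authenticator.
    secret = b"example-shared-secret"
    authenticator = os.urandom(BLOCK)
    wire = hide_password(b"password519452", secret, authenticator)
    print("hidden  :", wire.hex())
    print("revealed:", reveal_password(wire, secret, authenticator))
    print("AVP     :", user_password_avp(wire).hex())
```

The radiusd debug output in the thread prints the already-revealed value, which is why the concatenated password and OTP appear in clear there.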

alejandro hernandez

Oct 30, 2019, 1:03:42 PM
to RCDevs Security Solutions - Technical
Thanks!!