Netscaler with Webcam+OpenOTP Radius Bridge


Kamal S. K.

Jul 23, 2018, 11:00:28 PM
to RCDevs Security Solutions - Technical
Hi,

I am trying to achieve 2-factor authentication using Netscaler and OpenOTP as RADIUS server with Google Authenticator (HOTP). I have followed your documentation and this support group.

Issue: I am getting an invalid credentials message at Netscaler. Wireshark shows that OpenOTP RB is rejecting my auth request.

Radtest and "Test user login" show success.
I created an empty OU WebADM before WebADM installation and, as the subcontainers were not created automatically, I created them manually. But now I can see all containers are empty. Not sure if this is the reason. Any help?

Many thanks,
Kamal

francois...@rcdevs.com

Jul 24, 2018, 3:00:53 AM
to RCDevs Security Solutions - Technical
Hi Kamal,

For Radius Bridge, have you configured the client in /opt/radiusd/conf/clients.conf? What is the content of /opt/radiusd/logs/radiusd.log?

For containers, WebADM asks you if it can create them at login to the web interface. But if radtest works, then the configuration should be correct.

Kamal S. K.

Jul 24, 2018, 6:41:40 AM
to RCDevs Security Solutions - Technical
Hi Francois,

Thank you for looking into this and helping me.

Now this setup is working fine. I saw your recommendation on another post and deleted the WebADM schema through AD Explorer. I got an option to recreate it when I restarted the webadm service and logged in to the WebADM admin portal.

- On Netscaler I am asked to enter Username, Password and Passcode. If I provide the Passcode, I am not able to log in ("Invalid credentials"). But if I provide only Username and Password, I get a token challenge and auth is successful. Not sure which setting controls this behavior. Password concatenation?

- Only HOTP is working for me. TOTP is not working. Is it because I have a time difference between my infrastructure and my mobile (where Google Authenticator is installed)? If yes, how can I resolve this?

A suggestion: it would be nice to have a screenshot of a working WebADM schema in the documentation.

Many thanks!

Regards,
Kamal

Yoann Traut (RCDevs)

Jul 24, 2018, 11:53:29 AM
to RCDevs Security Solutions - Technical
Hello, 

For this point:
"- On Netscaler I am asked to enter Username, Password and Passcode. If I provide the Passcode, I am not able to log in ("Invalid credentials"). But if I provide only Username and Password, I get a token challenge and auth is successful. Not sure which setting controls this behavior. Password concatenation?"

Could you provide us the webadm logs of this failure please? (full session)

For the TOTP token that doesn't work for you, webadm should be configured with an NTP server. The mobile too.
On the webadm side, you can check under WebADM GUI > Admin tab if the NTP check is ok.

Regards   

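To see why clock skew breaks TOTP but not HOTP, here is a small added example (not RCDevs code, not part of this thread) that implements RFC 4226 HOTP and RFC 6238 TOTP and verifies a code against a time-offset window. It uses the values that appear in the user settings later in the thread (TOTPTimeStep=30, TOTPTimeOffsetWindow=120); the reading of the window as "plus or minus that many seconds around the server clock" is an assumption made here, not something the thread confirms about OpenOTP's own validation. The secret is the RFC 6238 test key, and the phone's clock skew is constructed for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int, step: int = 30,
                offset_window: int = 120, digits: int = 6):
    """Accept a code generated by a clock up to +/- offset_window seconds away
    from server_time (assumed interpretation of TOTPTimeOffsetWindow).
    Returns the skew in seconds that matched, or None if the code is rejected."""
    steps = offset_window // step
    for k in range(-steps, steps + 1):
        candidate = totp(secret, server_time + k * step, step, digits)
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return k * step
    return None


def skew_outcomes(secret: bytes, server_time: int, skews):
    """For each phone skew (seconds), report whether the phone's TOTP would be accepted.
    HOTP is listed alongside: it depends only on the counter, so skew never changes it."""
    results = {}
    for skew in skews:
        phone_code = totp(secret, server_time + skew)
        results[skew] = {
            "totp_accepted": verify_totp(secret, phone_code, server_time) is not None,
            "hotp_same": hotp(secret, 5) == hotp(secret, 5),  # counter-based, clock-independent
        }
    return results


if __name__ == "__main__":
    # RFC 6238 test key and a constructed server clock.
    key = b"12345678901234567890"
    now = 1_000_000
    for skew, r in skew_outcomes(key, now, [0, 90, 150, -300]).items():
        print(f"phone skew {skew:+5d}s -> TOTP accepted: {r['totp_accepted']}")
```

With the window of 120 seconds a phone that is 90 seconds off still authenticates, while one 150 seconds off is rejected even though the shared secret is correct, which is the symptom described above; syncing both the WebADM host and the phone to NTP removes the skew.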
Kamal S. K.

Jul 25, 2018, 4:15:52 AM
to RCDevs Security Solutions - Technical
Hi Yoann,

Thanks a lot for looking into this issue. 

1)  This is what I see in webadm.log

[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] > Username: user4
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] > Password: xxxxxx
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] > Options: RADIUS,-U2F
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Registered openotpSimpleLogin request
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Checking OpenOTP built-in freeware license
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] License Ok (3/40 active users)
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Resolved LDAP user: CN=user4,CN=Users,DC=CRTEST,DC=INT
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Started transaction lock for user
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Found user fullname: user4
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Found user language: EN
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Found 1 user emails: us...@crtest.int
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Found 39 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Found 5 user data: LoginCount,RejectCount,TokenType,TokenKey,TokenState
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Found 1 registered OTP token (HOTP)
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Requested login factors: LDAP & OTP
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Wrong LDAP password
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Updated user data
[2018-07-25 13:48:57] [127.0.0.1] [OpenOTP:UR2868L4] Sent failure response

2) Sorry, I am not able to find anything related to an NTP check in the WebADM GUI.

Regards,
Kamal

Yoann Traut (RCDevs)

Jul 25, 2018, 4:26:52 AM
to RCDevs Security Solutions - Technical
Hello, 

1) According to your webadm logs, the LDAP password is wrong. So, question:
- How is Netscaler configured for the authentication?
I mean, on the Netscaler login page, you have Username, LDAP password and OTP password fields.

So, did you only point to webadm for the authentication, or did you split the authentication, so that the LDAP password is checked by your LDAP server and the other field is checked by WebADM/OpenOTP?

2) It's under the Admin tab in the WebADM GUI.
Look at the screenshot attached.

Regards

Attachment: Capture d’écran 2018-07-25 à 10.17.32.png

Kamal S. K.

Jul 26, 2018, 2:29:32 AM
to RCDevs Security Solutions - Technical
Hi Yoann,

1) Yes, on the Netscaler login page I have Username, LDAP Password and OTP fields.
If I provide only Username and LDAP Password and submit, the next page appears with a field to enter the OTP. After providing the OTP, I am able to log in successfully.
But if I provide Username, LDAP Password and OTP on the same login page, authentication fails.
On Netscaler, I have 2 auth policies configured: one points to my domain controller for LDAP and the other is a RADIUS policy pointing to the WebADM/OpenOTP/MFA server over port 1812.

Regards,
Kamal

francois...@rcdevs.com

Jul 26, 2018, 11:28:03 AM
to RCDevs Security Solutions - Technical
Hi Kamal,

Can you start radiusd in debug mode and check the output:

/opt/radiusd/bin/radiusd stop
/opt/radiusd/bin/radiusd debug

And check which password is received by radiusd?

Kamal S. K.

Jul 27, 2018, 5:30:52 AM
to RCDevs Security Solutions - Technical
Hi Francois,

Seems like radiusd is misunderstanding OTP passcode as LDAP password.

Regards,
Kamal
________________________________________
Ready to process requests
(0) Received Access-Request Id 14 from 10.106.141.25:12410 to 10.106.141.177:1812 length 51
(0)   NAS-IP-Address = 10.106.124.136
(0)   User-Name = "user4"
(0)   User-Password = "352165"        
(0) # Executing section authorize from file /opt/radiusd/lib/radiusd.ini
(0)   authorize {
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)     [openotp] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = OTP
(0) # Executing group from file /opt/radiusd/lib/radiusd.ini
(0)   Auth-Type OTP {
rlm_openotp: Sending openotpSimpleLogin request
rlm_openotp: OpenOTP authentication failed
rlm_openotp: Reply message: Invalid username or password
rlm_openotp: Sending Access-Reject
(0)     [openotp] = reject
(0)   } # Auth-Type OTP = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) Login incorrect: [user4] (from client any port 0)
(0) Sent Access-Reject Id 14 from 10.106.141.177:1812 to 10.106.141.25:12410 length 0
(0)   Reply-Message := "Invalid username or password"
(0)   Error-Cause := 15301376
(0) Finished request

________________________________________

Yoann Traut (RCDevs)

Jul 30, 2018, 8:16:29 AM
to RCDevs Security Solutions - Technical
Hello,

Could you perform an authentication (which fails) and send us the logs in /opt/webadm/logs/webadm.log of this failure please? (the whole OpenOTP session for this failure)

Regards   

Yoann Traut (RCDevs)

Jul 30, 2018, 9:27:37 AM
to RCDevs Security Solutions - Technical
Sorry, I already asked you for the logs.
As you can see in the logs, the login mode is: LoginMode=LDAPOTP
It should be OTP only, because the LDAP credentials are checked by AD. And this error happens because the OTP is checked as an LDAP password.

So you have 2 ways:

- create a client policy for your Netscaler and define LoginMode=OTP

or define LoginMode=OTP at the OpenOTP application level.

Regards 
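The diagnosis above can be read straight off the two log excerpts posted in this thread: the RADIUS Access-Request carries a six-digit code in User-Password, while the webadm.log session for the same user shows LoginMode=LDAPOTP, "Requested login factors: LDAP & OTP" and then "Wrong LDAP password". The following added example (written here, not RCDevs code) is a small triage script that parses both formats and flags that mismatch. The sample text is copied from the excerpts earlier in the thread (the user-settings line is abbreviated); the line formats are assumed to be exactly as pasted there, and the heuristic "an all-digit value of OTPLength digits is an OTP, not a password" is this script's own assumption.

```python
import re

# Constructed samples: copied from the radiusd debug output and webadm.log
# excerpts posted in this thread (the user-settings line is abbreviated).
RADIUS_DEBUG = """\
(0) Received Access-Request Id 14 from 10.106.141.25:12410 to 10.106.141.177:1812 length 51
(0)   NAS-IP-Address = 10.106.124.136
(0)   User-Name = "user4"
(0)   User-Password = "352165"
rlm_openotp: Sending openotpSimpleLogin request
rlm_openotp: OpenOTP authentication failed
"""

WEBADM_LOG = """\
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] > Username: user4
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] > Password: xxxxxx
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Found 39 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Found 1 registered OTP token (HOTP)
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Requested login factors: LDAP & OTP
[2018-07-25 13:48:56] [127.0.0.1] [OpenOTP:UR2868L4] Wrong LDAP password
[2018-07-25 13:48:57] [127.0.0.1] [OpenOTP:UR2868L4] Sent failure response
"""

# "(0)   User-Password = "352165""  -> attribute name and quoted value
ATTR_RE = re.compile(r'^\(\d+\)\s+(User-Name|User-Password)\s*=\s*"([^"]*)"', re.M)
# "[date] [ip] [OpenOTP:ID] message" -> session id and message
SESSION_RE = re.compile(r'^\[[^\]]+\] \[[^\]]+\] \[(OpenOTP:[A-Z0-9]+)\] (.*)$', re.M)


def parse_radius_request(text: str) -> dict:
    """Extract User-Name and User-Password from a radiusd debug dump."""
    return {name: value for name, value in ATTR_RE.findall(text)}


def parse_webadm_sessions(text: str) -> dict:
    """Group webadm.log lines by OpenOTP session id; split out the user settings."""
    sessions = {}
    for sid, msg in SESSION_RE.findall(text):
        s = sessions.setdefault(sid, {"settings": {}, "events": []})
        if msg.startswith("Found ") and " user settings: " in msg:
            for kv in msg.split(" user settings: ", 1)[1].split(","):
                key, _, value = kv.partition("=")
                s["settings"][key] = value
        else:
            s["events"].append(msg)
    return sessions


def diagnose(radius_text: str, webadm_text: str) -> list:
    """Return one finding per session where an OTP was evaluated as an LDAP password."""
    findings = []
    pw = parse_radius_request(radius_text).get("User-Password", "")
    for sid, s in parse_webadm_sessions(webadm_text).items():
        mode = s["settings"].get("LoginMode")
        otp_len = int(s["settings"].get("OTPLength", "6"))
        looks_like_otp = pw.isdigit() and len(pw) == otp_len  # heuristic, assumed here
        if mode == "LDAPOTP" and "Wrong LDAP password" in s["events"] and looks_like_otp:
            findings.append(
                f"{sid}: LoginMode=LDAPOTP but the RADIUS User-Password is a "
                f"{otp_len}-digit code, so OpenOTP checked the OTP as an LDAP password. "
                f"Set LoginMode=OTP (client policy or application level) when the NAS "
                f"verifies the LDAP password itself."
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(RADIUS_DEBUG, WEBADM_LOG):
        print(finding)
```

Run against the thread's excerpts it reports the UR2868L4 session; with LoginMode=OTP in the settings line it reports nothing, which is the state the fix above leaves the server in.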