Hello
I have an installation with the radius bridge installed, with ldap connection from WebADM to an AD.
I have assigned a QRCode-based Authenticator (Time-based) to a user. I can successfully authenticate on the WebADM GUI by starting the "Test User Authentication" function and entering the LDAP password and the OTP token.
When I do the authentication test on the CLI using radtest, the authentication fails in radtest but shows a success in the WebADM log. When I do the test from the RADIUS client, which is a Palo Alto VPN client (GlobalProtect), it fails too.
Below is the test using radtest and the corresponding logs:
-->
Enter password: *******
(0) -: Expected Access-Accept got Access-Challenge
Result: Challenge
Session: 7533784342575179586d475a69705636
Enter your TOKEN password: 765828
(0) -: Expected Access-Accept got Access-Reject
Result: Failed
User-Password: "765828"
State: 0x7533784342575179586d475a69705636 NAS-Identifier: "RadTest"
Cleartext-Password: "765828"
The log of the radius bridge looks ok, except the last line:
--->
Wed Jul 25 11:33:37 2018 : Auth: rlm_openotp: OpenOTP authentication challenge
Wed Jul 25 11:33:45 2018 : Auth: rlm_openotp: OpenOTP authentication succeeded
Wed Jul 25 11:33:45 2018 : Error: rlm_openotp: Invalid Reply Data (invalid value-pairs format or attribute not in dictionary)
This is the log of webadm, showing the test during the failed radtest:
--->
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] New openotpSimpleLogin SOAP request
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] > Username: usertest
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] > Password: xxxxxxx
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] > Client ID: RadTest
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] > Options: RADIUS,-U2F
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Registered openotpSimpleLogin request
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Ignoring 14 members for group 'XYZ' (out of domain group search base)
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Resolved LDAP user: XYZ
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Resolved LDAP groups: XYZ
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Started transaction lock for user
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found user fullname: usertest
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found user language: EN
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found 1 user mobiles: XYZ
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found 1 user emails: XYZ
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found 39 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID,ReplyData=[1 Items]
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found 6 user data: LoginCount,RejectCount,LastOTP,TokenType,TokenKey,TokenState
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Last OTP expired 2018-07-25 11:30:14
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found 1 registered OTP token (TOTP)
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Requested login factors: LDAP & OTP
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] LDAP password Ok
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Authentication challenge required
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Updated user data
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Started OTP authentication session of ID QRsn3cXFjyfccB3h valid for 90 seconds
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Sent challenge response
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] New openotpChallenge SOAP request
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] > Username: usertest
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] > Session: QRsn3cXFjyfccB3h
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] > OTP Password: xxxxxx
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Registered openotpChallenge request
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Found authentication session started 2018-07-25 11:33:37
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Started transaction lock for user
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] TOTP password Ok (token #1)
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Updated user data
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Returning 1 radius reply attributes
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Sent success response
What am I missing? Thank you for your help.
Best regards
Andre
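The last radius bridge log line rejects the reply after the OTP was accepted, and the message names two possible causes: a value-pair that does not parse, or an attribute name the RADIUS dictionary does not know. The checker below is an added illustration of that distinction; it is not code from the post, from the radius bridge or from RCDevs. It assumes (assumption) that ReplyData items are FreeRADIUS-style value-pair strings of the form `Attribute = Value` (with the usual FreeRADIUS operators), and the attribute dictionary and sample items are constructed here for the example.

```python
"""Classify RADIUS reply-attribute strings the way a "value-pairs" parser would.

Added example (not from the original post or the radius bridge). Assumptions:
reply items are FreeRADIUS-style value-pair strings `Attribute op Value`, and
KNOWN_ATTRIBUTES stands in for the RADIUS dictionary (constructed subset).
"""
import re

# Constructed subset of standard attribute names; a real dictionary is far larger.
KNOWN_ATTRIBUTES = {
    "Reply-Message",
    "Framed-IP-Address",
    "Session-Timeout",
    "Class",
    "Filter-Id",
}

# One value-pair: attribute name, an operator, and a quoted or bare value.
# Multi-character operators are listed before "=" so they are tried first.
PAIR_RE = re.compile(
    r"^\s*(?P<attr>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?P<op>:=|\+=|==|!=|>=|<=|=)\s*"
    r'(?P<value>"[^"]*"|[^,\s][^,]*?)\s*$'
)


def check_reply_item(item):
    """Return (ok, reason) for a single reply item string.

    The two failure reasons mirror the two causes a parser distinguishes:
    the string does not look like `Attribute op Value` at all, or it parses
    but names an attribute the dictionary does not define.
    """
    match = PAIR_RE.match(item)
    if not match:
        return False, "invalid value-pairs format"
    attr = match.group("attr")
    if attr not in KNOWN_ATTRIBUTES:
        return False, f"attribute not in dictionary: {attr}"
    return True, "ok"


def check_reply_data(items):
    """Return [(item, reason), ...] for every item that would be rejected.

    An empty list means all items would be accepted by this check.
    """
    problems = []
    for item in items:
        ok, reason = check_reply_item(item)
        if not ok:
            problems.append((item, reason))
    return problems


if __name__ == "__main__":
    # Constructed sample reply data: one valid item, one unknown vendor-style
    # name, one malformed item (missing operator).
    sample = [
        'Reply-Message = "Welcome"',
        "Example-Vendor-Role = vpn-users",
        "Session-Timeout 3600",
    ]
    for item, reason in check_reply_data(sample):
        print(f"REJECT {item!r}: {reason}")
```

Running the checker over the exact strings configured as ReplyData tells you which of the two causes applies to each item, which is the first thing to establish before touching the dictionary or the attribute list.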