radtest failed | webadm test user auth successful


Andre Muentener

Jul 25, 2018, 5:45:44 AM7/25/18
to RCDevs Security Solutions - Technical
Hello

I have an installation with the radius bridge installed, with ldap connection from WebADM to an AD.
I have assigned a QRCode-based Authenticator (Time-based) to a user. I can successfully authenticate on the WebADM GUI by starting the "Test User Authentication" function and entering the LDAP password and the OTP token.
When I do the authentication test on the CLI using radtest, the authentication fails on the radtest side but shows a success in the WebADM log. When I do the test from the RADIUS client, which is a Palo Alto VPN client (GlobalProtect), it fails too.

Below is the test using radtest and the corresponding logs:

-->
sudo ./radtest usertest 127.0.0.1:1812 radiuskey
Enter password: *******
(0) -: Expected Access-Accept got Access-Challenge
Result: Challenge
Session: 7533784342575179586d475a69705636
Enter your TOKEN password: 765828
(0) -: Expected Access-Accept got Access-Reject
Result: Failed
Sent Access-Request Id 106 from 0.0.0.0:38379 to 127.0.0.1:1812 length 70 User-Name: "usertest"
User-Password: "765828"
State: 0x7533784342575179586d475a69705636 NAS-Identifier: "RadTest"
Cleartext-Password: "765828"
Received Access-Reject Id 106 from 127.0.0.1:1812 to 127.0.0.1:38379 length 20

The log of the radius bridge looks ok, except the last line:
--->
Wed Jul 25 11:33:37 2018 : Auth: rlm_openotp: OpenOTP authentication challenge
Wed Jul 25 11:33:45 2018 : Auth: rlm_openotp: OpenOTP authentication succeeded
Wed Jul 25 11:33:45 2018 : Error: rlm_openotp: Invalid Reply Data (invalid value-pairs format or attribute not in dictionary)

This is the log of webadm, showing the test during the failed radtest:
--->
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] New openotpSimpleLogin SOAP request
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] > Username: usertest
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] > Password: xxxxxxx
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] > Client ID: RadTest
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] > Options: RADIUS,-U2F
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Registered openotpSimpleLogin request
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Ignoring 14 members for group 'XYZ' (out of domain group search base)
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Resolved LDAP user: XYZ
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Resolved LDAP groups: XYZ
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Started transaction lock for user
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found user fullname: usertest
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found user language: EN
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found 1 user mobiles: XYZ
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found 1 user emails: XYZ
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found 39 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID,ReplyData=[1 Items]
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found 6 user data: LoginCount,RejectCount,LastOTP,TokenType,TokenKey,TokenState
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Last OTP expired 2018-07-25 11:30:14
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Found 1 registered OTP token (TOTP)
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Requested login factors: LDAP & OTP
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] LDAP password Ok
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Authentication challenge required
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Updated user data
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Started OTP authentication session of ID QRsn3cXFjyfccB3h valid for 90 seconds
[2018-07-25 11:33:37] [127.0.0.1] [OpenOTP:9LWW139C] Sent challenge response
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] New openotpChallenge SOAP request
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] > Username: usertest
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] > Session: QRsn3cXFjyfccB3h
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] > OTP Password: xxxxxx
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Registered openotpChallenge request
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Found authentication session started 2018-07-25 11:33:37
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Started transaction lock for user
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] TOTP password Ok (token #1)
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Updated user data
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Returning 1 radius reply attributes
[2018-07-25 11:33:45] [127.0.0.1] [OpenOTP:9LWW139C] Sent success response

What do I miss? Thank you for your help.

best regards
Andre

francois...@rcdevs.com

Jul 25, 2018, 5:55:20 AM7/25/18
to RCDevs Security Solutions - Technical
Hi,

What is the radius reply attribute that you have defined in webadm? It is not in a dictionary.

Andre Muentener

Jul 25, 2018, 5:59:14 AM7/25/18
to rcdevs-t...@googlegroups.com
Hi

I checked the user's Radius Options but there is nothing defined for RADIUS attributes. Is there another place to check?


Andre




Andre Muentener

Jul 25, 2018, 6:09:25 AM7/25/18
to rcdevs-t...@googlegroups.com
Hi

I found the RADIUS attribute in a group assigned to the user. The radtest auth has been successful.

Thanks for your help

Andre

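The thread's root cause is the bridge's last log line: OpenOTP returned a RADIUS reply attribute (configured on a group, not the user) that the bridge's dictionary did not define, so a login that had passed both factors was rejected. As an added example (not RCDevs code), the script below pre-checks reply data of the form `Attr=Value,Attr2="v"` against a FreeRADIUS-style dictionary so such an attribute is caught before it breaks logins; the dictionary excerpt and the sample reply string are constructed.

```python
# Added example (not RCDevs code): pre-check the RADIUS reply data WebADM
# returns against a FreeRADIUS dictionary, the way rlm_openotp does before
# it raises "Invalid Reply Data (... attribute not in dictionary)".

# Constructed excerpt in FreeRADIUS dictionary syntax (real attribute names).
DICTIONARY = """\
ATTRIBUTE   User-Name          1    string
ATTRIBUTE   Framed-IP-Address  8    ipaddr
ATTRIBUTE   Reply-Message      18   string
ATTRIBUTE   Class              25   octets
"""

def load_dictionary(text):
    """Return the set of attribute names defined by ATTRIBUTE lines."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "ATTRIBUTE":
            names.add(fields[1])
    return names

def split_pairs(text):
    """Split 'A=1,B="x, y"' on commas that are outside double quotes."""
    pairs, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pairs.append("".join(buf))
    return [p.strip() for p in pairs if p.strip()]

def check_reply_data(reply_data, known):
    """Return (valid_pairs, problems). A malformed pair or an attribute
    missing from the dictionary is reported instead of silently passed."""
    valid, problems = [], []
    for raw in split_pairs(reply_data):
        name, sep, value = raw.partition("=")
        name, value = name.strip(), value.strip().strip('"')
        if not sep or not name:
            problems.append(f"malformed pair: {raw!r}")
        elif name not in known:
            problems.append(f"attribute not in dictionary: {name}")
        else:
            valid.append((name, value))
    return valid, problems
```

Run `check_reply_data` over every ReplyData string configured on users and groups; any entry in `problems` is an attribute the bridge will reject the login over, even after the OTP has been accepted.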