Watchguard SSLVPN with LDAP Proxy


Massimo Bassan

Mar 22, 2024, 4:51:03 AMMar 22
to RCDevs Security
Hello guys,

Have any of you had a chance to integrate a WatchGuard firewall with LDAP Proxy authentication for SSL VPNs?

Thanks a lot

Yoann Traut (RCDevs)

Mar 22, 2024, 4:57:04 AMMar 22
to RCDevs Security
Hello, 

From my point of view it would be better to configure your WatchGuard firewall through the RADIUS protocol.

If you really need to configure it over LDAP, then it should not be a problem with our LDProxy component.


Regards 

Massimo Bassan

Mar 25, 2024, 9:36:44 AMMar 25
to RCDevs Security
Hello,

I'm using the downloaded Virtual Machine, and with the debug tools for RADIUS systems (NTRadPing) I can't invoke anything on the system. Same thing if I configure LDAP Proxy: the user test works, but if I make a call to the proxy server with ldp.exe it gives me an error on the user.
I'm definitely doing something wrong, but I don't understand where, if I can't use the debug tools.
Regards

Yoann Traut (RCDevs)

Mar 25, 2024, 9:56:37 AMMar 25
to RCDevs Security
Hello, 

Is LDProxy configured with your WebADM/OpenOTP backend?
If yes, do you see authentication attempts in WebADM GUI > Databases > WebADM Server Log file?

Regards

Massimo Bassan

Mar 25, 2024, 12:52:28 PMMar 25
to RCDevs Security
Hello,

We believe so, but the log says:

[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] New openotpSimpleLogin SOAP request
[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] > Username: cn=xxxxxx xxxxxxxcn=users,dc=xxxx,dc=local
[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] > Password: xxxxxxxxxxxxx
[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] > Settings: ChallengeMode=No
[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] > Options: DIAGMSG,NOVOICE,-U2F,LDAPDN
[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] Registered openotpSimpleLogin request
[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] Checking OpenOTP license for XXX XXX
[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] License Ok (1/25 active users)
[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] Domain not provided and no default domain configured
[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] User invalid or not found
[2024-03-25 17:03:23] [127.0.0.1:56346] [OpenOTP:0AQCN38H] Sent failure response

Anyway, we had set /opt/webadm/conf/webadm.conf

Regards

Yoann Traut (RCDevs)

Mar 25, 2024, 12:58:29 PMMar 25
to RCDevs Security
Hello, 

Ok. 
Log in to WebADM GUI > Admin tab > Users Domain.
Check there that your domain includes the user you are trying to authenticate, through the user search base setting.

If that is OK, then check Applications > MFA Authentication Server > Configure and set a default domain, or, if you have multiple domains, create a client policy for your LDAP client and configure the default domain for that policy in the client policy.

Have a look in ldproxy.conf to configure a client section with a default WebADM domain and a client_id for client policy mapping.

e.g.:

 client {
         name            myapp
         client_addr     192.168.3.237
         client_mask     255.255.255.255
         client_id       myappid
         domain          adrcdevs
         ignored_dn      "cn=aduser12,cn=Users,dc=adrcdevs,dc=com"
 }


Regards 

Massimo Bassan

Mar 26, 2024, 9:03:14 AMMar 26
to RCDevs Security
WOW, thanks a lot for the info. Now OpenVPN Connect asks me for the OTP.

But I have another problem: from the WebADM logs it seems everything is OK, but the WatchGuard firewall told me that the user is in a right group ....... these are the logs, any suggestions?

[2024-03-26 12:20:34] [127.0.0.1:60726] [OpenOTP:NEGKH2YE] Sent login success response
[2024-03-26 13:25:24] [127.0.0.1:55994] [WebSrv] Web application 'OpenID' is missing configurations
[2024-03-26 13:25:24] [127.0.0.1:55994] [WebSrv] Web application 'HelpDesk' is missing configurations
[2024-03-26 13:25:24] [127.0.0.1:55994] [OpenOTP:KFJ8F572] New openotpSimpleLogin SOAP request
[2024-03-26 13:25:24] [127.0.0.1:55994] [OpenOTP:KFJ8F572] > Username: name.user
[2024-03-26 13:25:24] [127.0.0.1:55994] [OpenOTP:KFJ8F572] > Password: xxxxxxxxxxxxx
[2024-03-26 13:25:24] [127.0.0.1:55994] [OpenOTP:KFJ8F572] > Client ID: 172.16.0.1
[2024-03-26 13:25:24] [127.0.0.1:55994] [OpenOTP:KFJ8F572] > Options: RADIUS,NOVOICE,-U2F
[2024-03-26 13:25:24] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Registered openotpSimpleLogin request
[2024-03-26 13:25:24] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Checking OpenOTP license for TSF SRL
[2024-03-26 13:25:24] [127.0.0.1:55994] [OpenOTP:KFJ8F572] License Ok (1/25 active users)
[2024-03-26 13:25:24] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Resolved LDAP user: CN=Massimo Bassan,CN=Users,DC=namedom,DC=local
[2024-03-26 13:25:24] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Resolved LDAP groups: sslvpn-users,vpn-users,tsf_users
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Started transaction lock for user
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Found user language: IT
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Found 1 user mobiles: +393383387922
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Found 1 user emails: name...@domain.com
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Found 50 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Found 4 user data: LastOTP,TokenType,TokenKey,TokenState
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Last OTP expired 2024-03-26 12:25:34
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Found 1 registered OTP token (TOTP)
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Requested login factors: LDAP & OTP
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] LDAP password Ok
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Authentication challenge required
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Updated user data
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Started OTP authentication session of ID 50JTM7CA9bc7PRN0 valid for 90 seconds
[2024-03-26 13:25:25] [127.0.0.1:55994] [OpenOTP:KFJ8F572] Sent login challenge response
[2024-03-26 13:25:39] [127.0.0.1:45438] [OpenOTP:KFJ8F572] New openotpChallenge SOAP request
[2024-03-26 13:25:39] [127.0.0.1:45438] [OpenOTP:KFJ8F572] > Username: name.user
[2024-03-26 13:25:39] [127.0.0.1:45438] [OpenOTP:KFJ8F572] > Session: 50JTM7CA9bc7PRN0
[2024-03-26 13:25:39] [127.0.0.1:45438] [OpenOTP:KFJ8F572] > OTP Password: xxxxxx
[2024-03-26 13:25:39] [127.0.0.1:45438] [OpenOTP:KFJ8F572] Found authentication session started 2024-03-26 13:25:25
[2024-03-26 13:25:39] [127.0.0.1:45438] [OpenOTP:KFJ8F572] Started transaction lock for user
[2024-03-26 13:25:39] [127.0.0.1:45438] [OpenOTP:KFJ8F572] TOTP password Ok (token #1)
[2024-03-26 13:25:39] [127.0.0.1:45438] [OpenOTP:KFJ8F572] Updated user data
[2024-03-26 13:25:39] [127.0.0.1:45438] [OpenOTP:KFJ8F572] Sent login success response


2024-03-26 13:27:18 sslvpn entered username is name.user, domain_user is name.user   Debug
2024-03-26 13:27:18 sslvpn extracted username is name.user, auth domain is (null)   Debug
2024-03-26 13:27:18 sslvpn read sslvpn auth_type[1] for domain namedom.local OK   Debug
2024-03-26 13:27:18 sslvpn preparation done: user=name.user, domain=namedom.local auth_type=1, user_type=0   Debug
2024-03-26 13:27:18 sslvpn Find existing session: find_flag=2   Debug
2024-03-26 13:27:18 sslvpn No existing session found and will create a new session.   Debug
2024-03-26 13:27:18 sslvpn sslvpn_insert_pending_req: user=name.user, domain=namedom.local:, msg_id=34   Debug
2024-03-26 13:27:18 sslvpn sslvpn_read_async_status: Received msg_id=34, status xpath=/toAdmdClient/authRqstAck   Debug
2024-03-26 13:27:18 sslvpn receive auth rqst ack, rqst id=268   Debug
2024-03-26 13:27:18 sslvpn  continue to wait   Debug
2024-03-26 13:27:18 sslvpn  put request back to fifo with req_id=0   Debug
2024-03-26 13:27:19 sslvpn sslvpn_read_async_status: Received msg_id=34, status xpath=/toAdmdClient/authResult   Debug
2024-03-26 13:27:19 sslvpn receive auth result, rqst id=268 result=5   Debug
2024-03-26 13:27:19 sslvpn Challenge: Enter your TOKEN password , reqId: 268   Debug
2024-03-26 13:27:19 sslvpn  auth success   Debug
2024-03-26 13:27:19 sslvpn 2-factor challenge: CRV1:R,E:268:bWFzc2ltby5iYXNzYW4=:Enter your TOKEN password   Debug
2024-03-26 13:27:19 sslvpn Wrote '0 CRV1:R,E:268:bWFzc2ltby5iYXNzYW4=:Enter your TOKEN password ' to /tmp/openvpn_acf_6184fadc325b60b22497632473f80720.tmp   Debug
2024-03-26 13:27:19 sslvpn  put request back to fifo with req_id=268   Debug
2024-03-26 13:27:19 sslvpn Entering function sslvpn_client_event, event is 16777217   Debug
2024-03-26 13:27:19 sslvpn Entered in sslvpn_takeaddr   Debug
2024-03-26 13:27:19 sslvpn Arguments which needs to be sent:openvpn_del -1 0 1711456039   Debug
2024-03-26 13:27:19 sslvpn Going to open wgipc:   Debug
2024-03-26 13:27:19 sslvpn Success,Sending Data to sslvpn_firecluster:openvpn_del -1 0 1711456039   Debug
2024-03-26 13:27:40 sslvpn entered username is name.user, domain_user is name.user   Debug
2024-03-26 13:27:40 sslvpn extracted username is name.user, auth domain is (null)   Debug
2024-03-26 13:27:40 sslvpn read sslvpn auth_type[1] for domain namedom.local OK   Debug
2024-03-26 13:27:40 sslvpn preparation done: user=name.user, domain=namedom.local auth_type=1, user_type=0   Debug
2024-03-26 13:27:40 sslvpn Find existing session: find_flag=2   Debug
2024-03-26 13:27:40 sslvpn No existing session found and will create a new session.   Debug
2024-03-26 13:27:40 sslvpn response: '640497', req_id: 0   Debug
2024-03-26 13:27:40 sslvpn Found msg_id from challenge req: 34   Debug
2024-03-26 13:27:40 sslvpn sslvpn_insert_pending_req: user=name.user, domain=namedom.local:, msg_id=34   Debug
2024-03-26 13:27:40 sslvpn sslvpn_read_async_status: Received msg_id=34, status xpath=/toAdmdClient/authRqstAck   Debug
2024-03-26 13:27:40 sslvpn receive auth rqst ack, rqst id=268   Debug
2024-03-26 13:27:40 sslvpn  continue to wait   Debug
2024-03-26 13:27:40 sslvpn  put request back to fifo with req_id=0   Debug
2024-03-26 13:27:40 admd Authentication failed: user name...@namedom.local isn't in the authorized SSLVPN group/user list!   Debug
2024-03-26 13:27:40 admd Authentication of SSLVPN user [name...@namedom.local] from 5.91.26.62 was rejected, user isn't in the right group msg_id="1100-0005" Event
2024-03-26 13:27:40 sslvpn sslvpn_read_async_status: Received msg_id=34, status xpath=/toAdmdClient/authResult   Debug
2024-03-26 13:27:40 sslvpn receive auth result, rqst id=268 result=2   Debug
2024-03-26 13:27:40 sslvpn  auth failure   Debug
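The firewall debug lines above show the second factor being carried to the OpenVPN client as a CRV1 challenge (`CRV1:R,E:268:<base64 username>:Enter your TOKEN password`, written with status `0`, i.e. inside OpenVPN's AUTH_FAILED reply) and the client answering with the OTP tied to the same state id. The following is an added example, not code from the thread, WatchGuard or RCDevs: a parser for that CRV1 format and the builder for the client's reply, following OpenVPN's documented `CRV1:<flags>:<state_id>:<base64(username)>:<text>` / `CRV1::<state_id>::<response>` shape. The sample challenge, username `jane.doe` and OTP values are constructed for the example.

```python
"""Parse and answer an OpenVPN CRV1 challenge string.

Added example; not code from the thread, WatchGuard or RCDevs.
Wire format (OpenVPN management-notes, challenge/response section):
  server -> client:  AUTH_FAILED,CRV1:<flags>:<state_id>:<base64(username)>:<challenge_text>
  client -> server:  password field = CRV1::<state_id>::<response>
Flags: R = a response is required, E = echo the typed response on screen.
"""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Crv1Challenge:
    flags: frozenset
    state_id: str
    username: str
    text: str

    @property
    def response_required(self) -> bool:
        return "R" in self.flags

    @property
    def echo_response(self) -> bool:
        return "E" in self.flags


def parse_crv1(message: str) -> Crv1Challenge:
    """Parse 'CRV1:...' or a full 'AUTH_FAILED,CRV1:...' line; raise ValueError otherwise."""
    s = message.strip()
    if s.startswith("AUTH_FAILED,"):
        s = s[len("AUTH_FAILED,"):]
    # The challenge text may itself contain ':', so split into at most five fields.
    parts = s.split(":", 4)
    if len(parts) != 5 or parts[0] != "CRV1":
        raise ValueError("not a CRV1 challenge")
    _, flags, state_id, b64user, text = parts
    if not state_id:
        raise ValueError("empty state_id")
    try:
        username = base64.b64decode(b64user, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("username field is not valid base64/UTF-8") from exc
    return Crv1Challenge(frozenset(f for f in flags.split(",") if f), state_id, username, text)


def build_crv1_response(challenge: Crv1Challenge, response: str) -> str:
    """Build the password-field value the client sends back for this challenge.

    The state_id is what lets the server match the OTP to the pending request,
    so it is copied verbatim; the response must not break the ':'-separated format.
    """
    if not challenge.response_required:
        raise ValueError("challenge does not expect a response")
    if ":" in response or "\r" in response or "\n" in response:
        raise ValueError("response must not contain ':' or line breaks")
    return f"CRV1::{challenge.state_id}::{response}"


def is_crv1(message: str) -> bool:
    try:
        parse_crv1(message)
        return True
    except ValueError:
        return False


# Constructed sample, modelled on the firewall debug line in the thread
# ("CRV1:R,E:268:<base64>:Enter your TOKEN password"); username is invented.
SAMPLE_USERNAME = "jane.doe"
SAMPLE_CHALLENGE = (
    "AUTH_FAILED,CRV1:R,E:268:"
    + base64.b64encode(SAMPLE_USERNAME.encode()).decode()
    + ":Enter your TOKEN password"
)

if __name__ == "__main__":
    ch = parse_crv1(SAMPLE_CHALLENGE)
    print(ch)
    print(build_crv1_response(ch, "123456"))
```

Two things worth noting from the parsed fields: the username travels base64-encoded, not encrypted, so it is readable in any log that captures the challenge, and the firewall's debug log above also records the typed OTP response in clear (`response: '640497'`). Debug logging of this exchange is fine while troubleshooting, but should be switched off afterwards.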

marc....@gmail.com

Mar 26, 2024, 9:13:04 AMMar 26
to RCDevs Security
Hi Massimo,

Your group error is linked to your WatchGuard configuration.
Try to check in the documentation how to put the user in the right group, or how to link an LDAP backend for the group membership.

You have a "Sent login success response" from OpenOTP.

Kind regards

Massimo Bassan

Mar 26, 2024, 11:02:08 AMMar 26
to RCDevs Security
Hi Marc,

I agree, this is a problem with WatchGuard and not with OpenOTP, which works well.

Best Regards

Benoît Jager (RCDevs)

Mar 26, 2024, 11:08:07 AMMar 26
to RCDevs Security
Hello,

An alternative to checking the user's groups from LDAP is to configure Radius Bridge to return the groups as attributes inside the Access-Accept response.

This can be done through the return-attribute feature:

You can find in the /opt/radiusd/lib/dictionaries folder all RADIUS attributes compatible with our Radius Bridge.
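To make the suggestion above concrete, here is an added example (not RCDevs Radius Bridge or WatchGuard code) of what "groups returned as attributes in the Access-Accept" looks like on the wire, and of the check the firewall side has to do before trusting those attributes. WatchGuard documents Filter-Id (RFC 2865 attribute 11) as the attribute it reads group names from; confirm the exact mapping in the Fireware documentation for your version. The shared secret, request identifier and request authenticator are constructed values; a real client sends 16 random bytes as the Request Authenticator and must recompute the Response Authenticator, which is the only thing binding the reply to the request and the shared secret.

```python
"""Build and verify a RADIUS Access-Accept carrying group names in Filter-Id attributes.

Added example; not RCDevs Radius Bridge or WatchGuard code. RFC 2865 layout:
  Code(1) Identifier(1) Length(2) Authenticator(16) Attributes...
  Attribute: Type(1) Length(1, includes the 2 header bytes) Value
Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
MD5 is mandated by the protocol here, not a design choice.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
FILTER_ID = 11          # RFC 2865 Filter-Id; the attribute WatchGuard reads group names from
HEADER = struct.Struct("!BBH16s")
MAX_PACKET = 4096       # RFC 2865 maximum packet length


def encode_attributes(attrs):
    """attrs: list of (type, bytes) -> attribute blob."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must be 0..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def decode_attributes(blob):
    """Attribute blob -> list of (type, bytes); rejects truncated or overlapping lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, bytes(blob[i + 2:i + length])))
        i += length
    return attrs


def _response_authenticator(code, identifier, length, request_auth, body, secret):
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + body + secret).digest()


def build_response(code, identifier, request_auth, secret, attrs):
    """Server side: Access-Accept/Reject answering the request with the given authenticator."""
    body = encode_attributes(attrs)
    length = HEADER.size + len(body)
    if length > MAX_PACKET:
        raise ValueError("packet too long")
    auth = _response_authenticator(code, identifier, length, request_auth, body, secret)
    return HEADER.pack(code, identifier, length, auth) + body


def verify_response(packet, identifier, request_auth, secret):
    """Client (NAS) side: True only if the reply matches our request id and authenticates."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, auth = HEADER.unpack_from(packet)
    # Octets beyond Length are padding per RFC 2865; anything shorter than Length is malformed.
    if ident != identifier or length < HEADER.size or length > len(packet):
        return False
    body = packet[HEADER.size:length]
    expected = _response_authenticator(code, ident, length, request_auth, body, secret)
    return hmac.compare_digest(expected, auth)


def parse_response(packet, identifier, request_auth, secret):
    """Verify the reply, then return (accepted, group_names). Raises on unauthenticated replies."""
    if not verify_response(packet, identifier, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged/modified reply")
    code, _, length, _ = HEADER.unpack_from(packet)
    if code == ACCESS_REJECT:
        return False, []
    if code != ACCESS_ACCEPT:
        raise ValueError(f"unexpected RADIUS code {code}")
    attrs = decode_attributes(packet[HEADER.size:length])
    return True, [v.decode("utf-8") for t, v in attrs if t == FILTER_ID]


# Constructed sample values (the group names mirror those resolved in the thread's log).
SECRET = b"constructed-shared-secret"
REQUEST_ID = 7
REQUEST_AUTH = bytes(range(16))     # constructed; a real client uses 16 random bytes
GROUPS = ["sslvpn-users", "vpn-users"]


def demo_accept():
    return build_response(ACCESS_ACCEPT, REQUEST_ID, REQUEST_AUTH, SECRET,
                          [(FILTER_ID, g.encode()) for g in GROUPS])


def demo_tampered():
    """Same packet with the last byte of the last group name flipped, as a MitM might do."""
    pkt = bytearray(demo_accept())
    pkt[-1] ^= 0x01
    return bytes(pkt)


if __name__ == "__main__":
    print(parse_response(demo_accept(), REQUEST_ID, REQUEST_AUTH, SECRET))
    print(verify_response(demo_tampered(), REQUEST_ID, REQUEST_AUTH, SECRET))
```

The tampered and wrong-secret cases fail verification, which is the point of returning groups this way: the authorization decision rides on a reply whose integrity depends entirely on the shared secret, so treat that secret with the same care as the LDAP bind credentials it replaces.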

Massimo Bassan

Mar 28, 2024, 12:15:55 PMMar 28
to RCDevs Security
THANK YOU VERY MUCH TO EVERYONE!

I have now solved every problem and it works well with RADIUS. When I have time, I will try with LDAP.

Regards