Pfsense Opensource VPN servers and OpenOTP SMS authentication with challenge mode


rajendar chintala

Apr 4, 2014, 3:58:13 AM
to rcdevs-t...@googlegroups.com, Ravi Kumar Tenneti, il...@computerport.in
Hello All!

We are planning to deploy OpenOTP along with the pfSense VPN server. We have successfully configured the OpenOTP server with RADIUS and are able to log in to it using only the LDAP password, but when we tried to configure the OpenOTP RADIUS with SMS OTP in challenge-response mode and tried to connect, we ran into a problem.

1. When we try to connect, the OpenVPN client asks for the LDAP username and password.
2. When we give the username and password, it accepts them and generates the challenge response. We are getting the SMS as well.
3. The OpenVPN client asks for the username and password again.
4. When we enter the username and the OTP, it says the LDAP password is wrong.


Does anyone have success configuring OpenVPN server with on-demand SMS 2FA? I have tried RADIUS, but it looks like they don't handle challenges. I'm sure that OpenOTP is configured and works correctly:


I am attaching the RADIUS configuration files to the mail as well.

logs from /opt/radius/log//soapd.log

[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] New openotpNormalLogin SOAP request
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] > Username: rajendar
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] > Domain: default
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] > LDAP Password: xxxxxxxxxxxx
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] > Client ID: bvritfw.computerport.local
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] Registered openotpNormalLogin request
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] Resolved LDAP user: cn=rajendar,o=Root (cached)
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] Started transaction lock for user
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] Found user language: EN
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] Found 1 user mobiles: +919491112794
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] Found 1 user emails: raje...@gmail.com
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] Found 27 user settings: LoginMode=LDAPOTP,LockTimer=5,MaxTries=10,BlockTime=300,BlockMail=1,OTPType=SMS,OTPLength=6,ChallengeMode=1,ChallengeTimeout=90,ChallengeLock=,OTPPrefix=,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] Found 6 user data: TriesCount,RejectCount,SMSCount,TokenType,TokenKey,TokenState
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] Blocking counter present (1/10 tries)
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] LDAP password Ok
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] OTP challenge required
[2014-04-04 10:13:29] [192.168.1.11] [OpenOTP_98EFC84A] Sent SMS password to +919491112794
[2014-04-04 10:13:30] [192.168.1.11] [OpenOTP_98EFC84A] Updated user data
[2014-04-04 10:13:30] [192.168.1.11] [OpenOTP_98EFC84A] Started challenge session of ID 16ddd110d4bd477b valid for 90 seconds
[2014-04-04 10:13:30] [192.168.1.11] [OpenOTP_98EFC84A] Sent challenge response
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] New openotpNormalLogin SOAP request
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] > Username: rajendar
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] > Domain: default
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] > LDAP Password: xxxxxx
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] > Client ID: bvritfw.computerport.local
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Registered openotpNormalLogin request
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Resolved LDAP user: cn=rajendar,o=Root (cached)
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Started transaction lock for user
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Found user language: EN
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Found 1 user mobiles: +919491112794
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Found 1 user emails: raje...@gmail.com
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Found 27 user settings: LoginMode=LDAPOTP,LockTimer=5,MaxTries=10,BlockTime=300,BlockMail=1,OTPType=SMS,OTPLength=6,ChallengeMode=1,ChallengeTimeout=90,ChallengeLock=,OTPPrefix=,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Found 6 user data: TriesCount,RejectCount,SMSCount,TokenType,TokenKey,TokenState
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Blocking counter present (1/10 tries)
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Wrong LDAP password
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Updated blocking counter: 2/10 tries
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Started blocking timer valid for 5 seconds
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Updated user data
[2014-04-04 10:14:00] [192.168.1.11] [OpenOTP_3317B9C3] Sent failure response
Regards,

Rajendar chintala.

Attachments: openotp.conf, radiusd.conf

rajendar chintala

Apr 5, 2014, 1:55:51 AM
to rcdevs-t...@googlegroups.com, il...@computerport.in
Hi RCDEVS,

Can anyone please check and reply to the post...

Best Regards

Rajendar ch

Administrators

Apr 8, 2014, 4:39:27 AM
to rcdevs-t...@googlegroups.com, il...@computerport.in
Your VPN does not seem to handle / support the RADIUS Challenge-Response mode.
After entering the LDAP password do you get a prompt from the VPN client asking for your SMS password?

If the VPN does not handle the challenge, that's why it sends another OpenOTP login request, and not a challenge request, in the second step.

Check the pfsense doc in case you need to configure something for challenge-response mode.
If not supported you need to use concatenated passwords.
Note: SMS with concatenated passwords (i.e. without a challenge) requires SMS Prefetch mode in OpenOTP.
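The pattern the administrator describes is visible in the soapd.log excerpt above: a challenge session is opened for the user, and within the 90-second ChallengeTimeout a second openotpNormalLogin (not a challenge continuation) arrives for the same user and fails with "Wrong LDAP password", because the OTP was submitted as if it were the LDAP password. The following script, added here as an illustration and not part of the thread or of RCDevs' software, parses lines in that log format and flags this sequence; the sample log is an abridged, constructed copy of the excerpt above.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample in the shape of the soapd.log excerpt quoted above (abridged).
SAMPLE_LOG = """\
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] New openotpNormalLogin SOAP request
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] > Username: rajendar
[2014-04-04 10:13:28] [192.168.1.11] [OpenOTP_98EFC84A] OTP challenge required
[2014-04-04 10:13:30] [192.168.1.11] [OpenOTP_98EFC84A] Started challenge session of ID 16ddd110d4bd477b valid for 90 seconds
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] New openotpNormalLogin SOAP request
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] > Username: rajendar
[2014-04-04 10:13:58] [192.168.1.11] [OpenOTP_3317B9C3] Wrong LDAP password
"""
LINE_RE = re.compile(r"^\[([^\]]+)\] \[([^\]]+)\] \[([^\]]+)\] (.*)$")
CHALLENGE_RE = re.compile(r"Started challenge session of ID (\w+) valid for (\d+) second")

def parse_sessions(text):
    """Group log lines by OpenOTP request ID, in order of first appearance."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _client, req_id, msg = m.groups()
        s = sessions.setdefault(req_id, {"id": req_id, "start": None, "user": None, "msgs": []})
        s["start"] = s["start"] or datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if msg.startswith("> Username: "):
            s["user"] = msg[len("> Username: "):]
        s["msgs"].append(msg)
    return sessions

def find_unanswered_challenges(text):
    """Flag a challenge session followed, inside its timeout, by a fresh openotpNormalLogin
    for the same user that fails on the LDAP password: the VPN re-sent a plain login with
    the OTP as the password instead of answering the challenge."""
    findings = []
    sessions = list(parse_sessions(text).values())
    for i, s in enumerate(sessions):
        ch = next(filter(None, map(CHALLENGE_RE.search, s["msgs"])), None)
        if not ch:
            continue
        timeout = int(ch.group(2))
        for later in sessions[i + 1:]:
            gap = (later["start"] - s["start"]).total_seconds()
            if (later["user"] == s["user"] and 0 <= gap <= timeout
                    and "New openotpNormalLogin SOAP request" in later["msgs"]
                    and "Wrong LDAP password" in later["msgs"]):
                findings.append({"user": s["user"], "challenge_id": ch.group(1),
                                 "retry_session": later["id"], "seconds_after": int(gap)})
    return findings
```

A hit from this check points at the RADIUS client (here the VPN) not returning the challenge, so the fix is on the pfSense/OpenVPN side or a switch to concatenated passwords, not on the OpenOTP user settings.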