Access-Challenge fails

Hello,

I just installed PI on Ubuntu 20.4 with FreeRADIUS 3.0.20 and am trying to get it running on VPN. The users should authenticate with LDAP in the first step and then enter the HOTP. However, I don't get a popup or anything to enter the token. As I can see in freeradius -X, the challenge fails with
state = 0x3035333637323230313638373734353437333135
instantly after the reply-message. Did anyone have similar problems or a clue where the problem could be?

(0) Received Access-Request Id 165 from 10.10.67.15:11921 to 10.10.67.8:1812 length 56
(0)   User-Name = "test"
(0)   User-Password = "test123"
(0)   NAS-Identifier = "dc.swlb.de"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0)   authorize {
(0)     update request {
(0)       EXPAND %{Packet-Src-IP-Address}
(0)          --> 10.10.67.15
(0)       Packet-Src-IP-Address = 10.10.67.15
(0)     } # update request = noop
(0) perl-privacyidea:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'test'
(0) perl-privacyidea:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'test123'
(0) perl-privacyidea:   $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'dc.swlb.de'
(0) perl-privacyidea:   $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '10.10.67.15'
(0) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'test123'
(0) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'dc.swlb.de'
(0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'test'
(0) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '10.10.67.15'
(0)     [perl-privacyidea] = ok
(0)     if (ok || updated) {
(0)     if (ok || updated)  -> TRUE
(0)     if (ok || updated)  {
(0)       update control {
(0)         Auth-Type := Perl
(0)       } # update control = noop
(0)     } # if (ok || updated)  = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0)   Auth-Type Perl {
(0) perl-privacyidea:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'test'
(0) perl-privacyidea:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'test123'
(0) perl-privacyidea:   $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'dc.swlb.de'
(0) perl-privacyidea:   $RAD_REQUEST{'Packet-Src-IP-Address'} = &request:Packet-Src-IP-Address -> '10.10.67.15'
(0) perl-privacyidea:   $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0) perl-privacyidea:   $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config:
rlm_perl: Default URL https ://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Password encoding guessed: ascii
rlm_perl: Setting client IP to 10.10.67.15.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: test
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 10.10.67.15
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam user
rlm_perl: urlparam pass
rlm_perl: urlparam client
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 0.917886
rlm_perl: privacyIDEA Result status is true!
rlm_perl: ++++ Parsing group: Mapping
rlm_perl: +++++ Found member 'Mapping user'
rlm_perl: ++++ Parsing group: Attribute
rlm_perl: +++++ Found member 'Attribute Filter-Id'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Filter-Id'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
rlm_perl: +++++ Found member 'Attribute otherAttribute'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'otherAttribute'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
rlm_perl: +++++ Found member 'Attribute Class'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Class'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
rlm_perl: return RLM_MODULE_HANDLED
(0) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'test123'
(0) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'dc.swlb.de'
(0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'test'
(0) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '10.10.67.15'
(0) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'please enter otp: '
(0) perl-privacyidea: &reply:State = $RAD_REPLY{'State'} -> '05367220168774547315'
(0) perl-privacyidea: &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge'
(0) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)     [perl-privacyidea] = handled
(0)   } # Auth-Type Perl = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) Sent Access-Challenge Id 165 from 10.10.67.8:1812 to 10.10.67.15:11921 length 0
(0)   Reply-Message = "please enter otp: "
(0)   State = 0x3035333637323230313638373734353437333135
(0) Finished request


Works perfectly. Everything is OK.
The RADIUS protocol sends the RADIUS Access-Challenge.
This is definitively a PEBKAC problem.

It is an issue of your RADIUS Client, your VPN. But what a shame - you do not tell anything about this one. Could be your RADIUS client is not capable of handling Access-Challenge. But how can anybody know this.


edit: N.B. the state is no sign of a failing challenge. It is the working challenge. The state connects the response to the original challenge.
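
What a RADIUS client has to do with the Access-Challenge in the debug log, as an added example that is not part of the original thread or of privacyIDEA's code: parse the challenge, show the Reply-Message, and send a second Access-Request that carries the OTP and echoes State byte for byte. The shared secret, OTP value and request Id used with it are constructed, and verification of the Response Authenticator is left out.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def build(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet from (type, value-bytes) attribute pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(packet):
    """Return (code, id, {attr_type: value}) for a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, ident, attrs

def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2 (MD5 chained XOR)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def answer_challenge(challenge, user, otp, secret, ident):
    """Return (prompt, second Access-Request) with State echoed unchanged."""
    code, _, attrs = parse(challenge)
    if code != ACCESS_CHALLENGE or STATE not in attrs:
        raise ValueError("not an Access-Challenge carrying State")
    auth = os.urandom(16)                     # fresh Request Authenticator
    return attrs.get(REPLY_MESSAGE, b"").decode(), build(ACCESS_REQUEST, ident, auth, [
        (USER_NAME, user),
        (USER_PASSWORD, hide_password(otp, secret, auth)),
        (STATE, attrs[STATE]),                # ties this reply to the challenge
    ])

# Constructed packet mirroring the Access-Challenge in the debug log above.
CHALLENGE = build(ACCESS_CHALLENGE, 165, bytes(16), [
    (REPLY_MESSAGE, b"please enter otp: "),
    (STATE, b"05367220168774547315"),
])
```

A client that treats code 11 as a rejection, or drops State from the second request, never reaches the OTP step even though the server side logged a correct challenge.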