Automatic Resync

I am trying to test the auto resync function and am not finding success. I
can resync manually just fine, but if I click through 15 OTPs on my HOTP
token (FreeOTP), it will fail and I haven’t been able to get it to resync
while just authenticating. I always have to go and do a resync from the
WebUI

I am using this for my authentication
testing: https://<ServerIP>/validate/check?user=<username>&pass=<OTP+PIN>

I believe I have the appropriate options set in the config, am I missing
something?:

    mysql> select * from config;
    +--------------------------+---------------------+--------+-------------+
    | Key                      | Value               | Type   | Description |
    +--------------------------+---------------------+--------+-------------+
    | AutoResync               | 1                   | None   | None        |
    | AutoResyncTimeout        | 300                 | None   | None        |
    | IncFailCountOnFalsePin   | 1                   | None   | None        |
    | PrependPin               | 0                   | public | None        |
    | ReturnSamlAttributes     | 1                   | None   | None        |
    | splitAtSign              | 1                   | None   | None        |
    | UiLoginDisplayHelpButton | 0                   | None   | None        |
    | UiLoginDisplayRealmBox   | 0                   | None   | None        |
    | __timestamp__            | 2016-05-26 08:50:47 |        |             |
    +--------------------------+---------------------+--------+-------------+
    9 rows in set (0.00 sec)

    mysql> select * from policy;
    +----+--------+-------------------------+----------------+------------------------------------------------------+-------+------------+----------+------+--------+------+-----------+
    | id | active | name                    | scope          | action                                               | realm | adminrealm | resolver | user | client | time | condition |
    +----+--------+-------------------------+----------------+------------------------------------------------------+-------+------------+----------+------+--------+------+-----------+
    |  1 |      1 | WebUIPolicy             | webui          | logout_time=900, tokenwizard, default_tokentype=hotp |       |            |          |      |        |      |         0 |
    |  2 |      1 | enroll_tokenlabel       | enrollment     | tokenlabel=CompanyName/<s>                           |       |            |          |      |        |      |         0 |
    |  3 |      1 | RadiusPassThroughPolicy | authentication | passthru=radiusserver01                              |       |            |          |      |        |      |         0 |
    |  4 |      1 | AllowResync             | user           | resync                                               |       |            |          |      |        |      |         0 |
    +----+--------+-------------------------+----------------+------------------------------------------------------+-------+------------+----------+------+--------+------+-----------+
    4 rows in set (0.00 sec)

4.3.1.5. AutoResync
http://privacyidea.readthedocs.io/en/latest/configuration/system_config.html?highlight=resync#autoresync

Auto resync defines if the system should try to resync a token if a user
provides a wrong OTP value. AutoResync works like this:

  • If the counter of a wrong OTP value is within the resync window, the
    system remembers the counter of the OTP value for this token in the token
    info field otp1c.
  • Now the user needs to authenticate a second time within auto resync
    timeout with the next successive OTP value.
  • The system checks if the counter of the second OTP value is the
    successive value to otp1c.
  • If it is, the token counter is set and the user is successfully
    authenticated.

Note

AutoResync works for all HOTP and TOTP based tokens including SMS and Email
tokens.
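
The AutoResync steps quoted above, sketched as an added example; this is not privacyIDEA's code and not part of the thread. The window sizes, the `persist_resync` switch and storing a timestamp next to `otp1c` are assumptions; with `persist_resync=False` the server counter is never saved after a resync, which is the case the replies below discuss.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter (RFC 4226, HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpToken:
    """Toy server-side token record. Window sizes are assumed values."""

    def __init__(self, key, window=10, sync_window=1000,
                 resync_timeout=300, persist_resync=True):
        self.key = key
        self.counter = 0                      # next counter the server expects
        self.window = window                  # normal look-ahead
        self.sync_window = sync_window        # wider window used for resync
        self.resync_timeout = resync_timeout  # seconds, cf. AutoResyncTimeout
        self.persist_resync = persist_resync  # False: counter is not saved
        self.info = {}                        # stands in for tokeninfo rows

    def _find(self, otp, span):
        """Return the first counter in [counter, counter+span) matching otp."""
        for c in range(self.counter, self.counter + span):
            if hmac.compare_digest(hotp(self.key, c), otp):
                return c
        return None

    def check(self, otp, now):
        """Authenticate one OTP at time `now` (seconds); True means accept."""
        hit = self._find(otp, self.window)
        if hit is not None:
            self.counter = hit + 1
            self.info.pop("otp1c", None)      # a normal success ends any resync
            return True
        return self._auto_resync(otp, now)

    def _auto_resync(self, otp, now):
        pending = self.info.pop("otp1c", None)
        if pending is not None:
            first_counter, seen_at = pending
            in_time = now - seen_at <= self.resync_timeout
            expected = hotp(self.key, first_counter + 1)
            if in_time and hmac.compare_digest(expected, otp):
                # Second step: the successive value arrived within the timeout.
                if self.persist_resync:
                    self.counter = first_counter + 2
                return True
        # First step: remember where this wrong OTP sits, but still reject it.
        hit = self._find(otp, self.sync_window)
        if hit is not None:
            self.info["otp1c"] = (hit, now)   # timestamp storage is assumed
        return False


def run_session(persist_resync, device_start=15, attempts=4):
    """Feed successive OTPs from a device that is `device_start` ahead."""
    key = b"12345678901234567890"             # RFC 4226 test secret
    token = HotpToken(key, persist_resync=persist_resync)
    results = [token.check(hotp(key, device_start + i), now=1000 + i)
               for i in range(attempts)]
    return results, token.counter


if __name__ == "__main__":
    print("counter saved:    ", run_session(True))
    print("counter not saved:", run_session(False))
```

With the counter saved, only the first out-of-window OTP is rejected; without it, every second authentication starts a new resync and the stored counter never moves.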

Hi Aaron,

thanks for the hint.
Indeed the counter is not stored to the database in case of autoresync.
(For HOTP token).

Will open an issue for that.

Kind regards
Cornelius

On Thursday, 26.05.2016, 12:14 -0700, Aaron McCrea wrote:

> Thanks for the idea.
> I set that value to “True”.
> That allows every other authentication to pass (Accept, reject,
> accept, reject), but it never increments the token count so it is not
> really resyncing. It is just accepting if the last two OTPs are in
> order. But then the next authentication fails and you have to
> authenticate a second time.
>
> It will still require a manual resync to get it back to the proper
> token count.



Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/d9ea49e5-7f81-4247-9cd6-2ab9369fd50a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Thanks for the idea.
I set that value to “True”.
That allows every other authentication to pass (Accept, reject, accept,
reject), but it never increments the token count so it is not really
resyncing. It is just accepting if the last two OTPs are in order. But then
the next authentication fails and you have to authenticate a second time.

It will still require a manual resync to get it back to the proper token
count.

Also, I don’t see a field called “otp1c” in the table “tokeninfo”.

    mysql> select * from tokeninfo;
    +----+--------------------+---------------------+------+-------------+----------+
    | id | Key                | Value               | Type | Description | token_id |
    +----+--------------------+---------------------+------+-------------+----------+
    | 13 | hashlib            | sha1                |      |             |        4 |
    | 14 | hashlib            | sha1                |      |             |        5 |
    | 15 | hashlib            | sha1                |      |             |        6 |
    | 16 | hashlib            | sha1                |      |             |        7 |
    | 17 | hashlib            | sha1                |      |             |        8 |
    | 18 | hashlib            | sha1                |      |             |        9 |
    | 19 | hashlib            | sha1                |      |             |       10 |
    | 20 | hashlib            | sha1                |      |             |       11 |
    | 26 | hashlib            | sha1                |      |             |       17 |
    | 27 | count_auth         | 50                  | NULL | NULL        |       17 |
    | 28 | count_auth_success | 15                  | NULL | NULL        |       17 |
    | 29 | last_auth          | 2016-05-26 15:22:48 | NULL | NULL        |       17 |
    | 38 | hashlib            | sha1                |      |             |       20 |
    | 39 | count_auth         | 2                   | NULL | NULL        |       20 |
    | 40 | count_auth_success | 2                   | NULL | NULL        |       20 |
    | 41 | last_auth          | 2016-05-25 15:43:45 | NULL | NULL        |       20 |
    +----+--------------------+---------------------+------+-------------+----------+
    16 rows in set (0.00 sec)


…it might be due to the representation in the database.

    mysql> select * from config;
    +--------------------------+---------------------+--------+-------------+
    | Key                      | Value               | Type   | Description |
    +--------------------------+---------------------+--------+-------------+
    | AutoResync               | 1                   | None   | None        |

Try setting AutoResync = “True” on the database level and see if it
works now.

Kind regards
Cornelius
