AW: Re: newbie: TOTP authentication works from radclient but not from external Radius client (Cisco ASA)

Hi Dave,

Thanks a lot for your feedback. Glad to hear that it works out for you.

Kind regards
Cornelius

Cornelius Kölbel +49 151 2960 1417
NetKnights GmbH http://NetKnights.it
+49 561 3166 797

Cornelius,

Thanks for your help! After troubleshooting this further I found out that on the Cisco ASA, when the command "password-management" is used, the RADIUS requests to FreeRADIUS must be using MS-CHAP instead of PAP. Once I removed that "password-management" command I was able to use two-factor authentication for the ASA VPNs, through FreeRADIUS to PrivacyIDEA.

I appreciate your great product!

Dave

On Thursday, July 21, 2016 at 4:29:07 PM UTC-4, Cornelius Kölbel wrote:

Hello Dave,

you did right to check with the radclient tool.

The Reply-Message "Missing parameter" is directly from privacyIDEA. It states that it does not get the parameter pass. So obviously the RADIUS protocol contains an empty password or no password?!? You can verify this e.g. with wireshark.

And I cannot help you WHY the RADIUS client does not send the User-Password parameter. You might have configured CHAP or MSCHAP! You need to configure PAP.

Kind regards

Cornelius

-------- Original message --------
From: Dave Baddorf dbaddorf@icepts.com
Date: 25.07.16 16:31 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Subject: Re: [privacyidea] newbie: TOTP authentication works from radclient but not from external Radius client (Cisco ASA)

On Thursday, 21.07.2016, 13:04 -0700, Dave Baddorf wrote:

Hello!

I can't get the RADIUS authentication to FreePBX (with PrivacyIDEA backend to work). I have a TOTP token which authenticates using the following command:

    echo "User-Name=user, User-Password=pin245734" | radclient -sx localhost auth testing123

Yet when my Cisco ASA attempts to authenticate this same user I get the following errors in the FreeRADIUS log (the full log is attached):

  * rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
  * rlm_perl: Added pair Reply-Message = ERR905: Missing parameter: 'pass'

I've also attached the PrivacyIDEA Debug file. Also a 2nd Debug file from the radclient test which is successful.

As a newbie I'd certainly appreciate any help! I'm really impressed with what I've seen so far with PrivacyIDEA - now I just have to get it connected to my ASA [which I've connected to FreeRADIUS & Google Authenticator open-source in the past]…

Thanks again!

P.S. I followed https://privacyidea.readthedocs.io/en/latest/installation/ubuntu.html for my setup.

Please read the blog post about getting help https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor authentication please visit https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suits your needs for SECURITY, AVAILABILITY and LIABILITY: https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/a404c1d6-159e-40a5-bb6e-2254b5225c80%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel
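
The check suggested in the thread (look at the Access-Request to see whether it carries User-Password at all) can also be scripted. The following is an added example, not part of the original messages or of privacyIDEA/FreeRADIUS: it parses a raw Access-Request and reports which authentication attribute it carries. The helper names and both sample packets are constructed for illustration, and it assumes the MS-CHAP variants use the Microsoft vendor attributes of RFC 2548.

```python
import struct

MS_VENDOR = 311  # Microsoft vendor id; MS-CHAP attributes per RFC 2548

def build_request(attrs, ident=1):
    """Build a constructed Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, ident, 20 + len(body), bytes(16)) + body

def ms_vsa(vendor_type, data):
    """Wrap data in a Vendor-Specific (26) attribute for the Microsoft vendor."""
    return (26, struct.pack("!IBB", MS_VENDOR, vendor_type, len(data) + 2) + data)

def auth_method(packet):
    """Return which authentication method an Access-Request carries."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found, pos = set(), 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR:
                found.add(("ms", vtype))  # 1 = MS-CHAP-Response, 25 = MS-CHAP2-Response
        else:
            found.add(atype)
        pos += alen
    # Only PAP (attribute 2, User-Password) gives the backend a password to forward.
    for key, name in ((("ms", 25), "MS-CHAPv2"), (("ms", 1), "MS-CHAP"),
                      (3, "CHAP"), (79, "EAP"), (2, "PAP")):
        if key in found:
            return name
    return "none"

# Constructed samples: a PAP request like the radclient test, and a request
# shaped like MS-CHAPv2 (challenge + response, no User-Password attribute).
PAP_REQ = build_request([(1, b"user"), (2, bytes(16))])
MSCHAP2_REQ = build_request([(1, b"user"), ms_vsa(11, bytes(16)), ms_vsa(25, bytes(50))])

if __name__ == "__main__":
    for label, pkt in (("radclient-style", PAP_REQ), ("MS-CHAPv2-style", MSCHAP2_REQ)):
        print(label, "->", auth_method(pkt))
```

Any result other than PAP means the request has no User-Password attribute, which matches the "Missing parameter: 'pass'" reply quoted in the thread.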
