Cannot log in with AD userstore even with policy otppin = userstore

Hello, I am testing privacyIDEA right now, in order to get 2FA working with Active Directory over OpenVPN.

My configuration is working as far as I know, except for the Active Directory password authentication method.

  • LDAP and Machines resolvers are connected properly.

  • I’ve followed this topic to setup privacy idea: [privacyIdeaold_Thread (Privacyidea + radius + fortigate)

My problem is that, even with otppin = userstore selected, when I try authenticating (AD password + TOTP code concatenated) it says “wrong otp pin” in the audit log.

While if I try to authenticate with token PIN + TOTP concatenated, it succeeds.

Did I miss something?

Thanks!

Hello @s0p4L1n
welcome to the privacyIDEA community.

It could be that the otppin policy which you configured for the LDAP password does not match.

Take a look in the audit log.

In the column “action” you can filter for “validate” and you should see the action validate/check of the login attempt.


In the far right column “policies” you will see which policy matched this authentication attempt.
I guess your policy is not displayed there, so you need to look into your policy.
You might have configured conditions for the policies that do not match.

Read this:
https://privacyidea.readthedocs.io/en/latest/policies/index.html

and then explicitly this:
https://privacyidea.readthedocs.io/en/latest/policies/authentication.html

Regards
Cornelius

Hello cornelinux,

After re-checking my policy and what I had set, I figured out what the issue was.

I had set the client IP thinking that it was the IP of the VPN server, but no, because it is FreeRADIUS itself (127.0.0.1) that is the client.

The policy matches now, and I can log in with Active Directory password + OTP :slight_smile: !!

Thanks for the help!
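The thread above turns on two facts: an authentication policy with a client condition only applies when the request's source IP is inside the configured range, and when no policy sets otppin, privacyIDEA falls back to checking the token PIN, which is why the audit log reported “wrong otp pin”. The following added example (not code from the privacyIDEA project or from either poster) models that matching logic in plain Python so you can see the failure and the fix side by side: the policy scope/action/client fields, the hypothetical VPN server address 10.0.0.5, the user names and the password values are all constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Simplified model of a privacyIDEA authentication policy (constructed, not the real object).
@dataclass
class Policy:
    name: str
    scope: str                     # e.g. "authentication"
    action: dict                   # e.g. {"otppin": "userstore"}
    client: list = field(default_factory=list)  # CIDR strings; empty = any client
    active: bool = True

def policy_matches(policy, scope, client_ip):
    """A policy applies only if it is active, in the right scope, and the
    request's source IP is inside one of its client networks (if any)."""
    if not policy.active or policy.scope != scope:
        return False
    if not policy.client:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in policy.client)

def effective_otppin(policies, client_ip):
    """Pick the otppin mode from the first matching authentication policy.
    With no match, privacyIDEA uses the token PIN ("tokenpin")."""
    for p in policies:
        if policy_matches(p, "authentication", client_ip) and "otppin" in p.action:
            return p.action["otppin"]
    return "tokenpin"

def check_login(passwd, otppin_mode, userstore_password, token_pin, expected_otp):
    """Split the concatenated credential into PIN + 6-digit TOTP and check the PIN
    against whichever secret the otppin mode selects. Returns (ok, audit_message)."""
    pin, otp = passwd[:-6], passwd[-6:]
    if otp != expected_otp:
        return False, "wrong otp value"
    if otppin_mode == "userstore":
        pin_ok = pin == userstore_password
    elif otppin_mode == "none":
        pin_ok = pin == ""
    else:                                  # "tokenpin"
        pin_ok = pin == token_pin
    return (True, "matching 1 tokens") if pin_ok else (False, "wrong otp pin")

# Constructed secrets for the walkthrough.
AD_PASSWORD = "Winter2024!"
TOKEN_PIN = "1234"
CURRENT_OTP = "482913"
RADIUS_CLIENT_IP = "127.0.0.1"   # FreeRADIUS on the privacyIDEA host is the real client

def scenario(policy_client_nets):
    """Run one AD-password + TOTP login through the model with the given client condition."""
    policies = [Policy("ad_pw_as_pin", "authentication", {"otppin": "userstore"},
                       client=policy_client_nets)]
    mode = effective_otppin(policies, RADIUS_CLIENT_IP)
    ok, msg = check_login(AD_PASSWORD + CURRENT_OTP, mode, AD_PASSWORD, TOKEN_PIN, CURRENT_OTP)
    return mode, ok, msg

if __name__ == "__main__":
    # Broken: the client condition names the VPN server (hypothetical 10.0.0.5),
    # but the request arrives from FreeRADIUS at 127.0.0.1, so the policy is skipped.
    print(scenario(["10.0.0.5/32"]))   # ('tokenpin', False, 'wrong otp pin')
    # Fixed: the condition names the RADIUS host, the policy matches, AD password works as PIN.
    print(scenario(["127.0.0.1/32"]))  # ('userstore', True, 'matching 1 tokens')
```

When the policy is corrected, the audit log's “policies” column shows the policy name for the validate/check entry, which is the check Cornelius suggests above.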