My problem is that, even with otppin = userstore selected, when I try authenticating (AD password + TOTP code concatenated) it says “wrong otp pin” in the audit log.
While if I try to authenticate with Token PIN Code + TOTP concatenated, it succeeds.
Hello @s0p4L1n
welcome to the privacyIDEA community.
It could be that the otppin policy which you configured for the LDAP password does not match.
Take a look at the audit log.
In the column “action” you can filter for “validate” and you should see the action validate/check of the login attempt.
In the far right column “policies” you will see which policy matched this authentication attempt.
I guess your policy is not displayed there, so you need to look into your policy.
You might have configured conditions for the policies that do not match.
Hello everybody,
this is my first participation in this forum and I hope that I am in the right place with my issue.
I am trying to configure 2FA for VPN.
As VPN gateway I am using a FortiGate and the users are being authenticated against an NPS server. This is working fine.
To do the 2FA I installed privacyIDEA and connected it to the NPS. I followed this documentation:
This part is also working fine. In privacyIDEA I already defined a user resolver and a realm and I am getting my users polled from the NPS.
Now I configured a YubiKey 5C in OATH-HOTP mode and I rolled it out in privacyIDEA as “Yubikey: AES mode”. I assigned it to a user and configured an authentication policy.
My policy looks like this:
When connecting to the VPN with FortiClient I am giving the username “xeext584” and as password I am giving the AD password and pushing the YubiKey to generate the OTP behind the password. The connection does not succeed.
Am I doing something wrong? Am I using the right mode for the YubiKey?
It would be great if you can help me. @s0p4L1n : I am very interested to see your policy.
Thanks a lot in advance,
Amin
In my case I abandoned the use of Windows NPS because privacyIDEA already serves as RADIUS server.
So our firewall connects to privacyIDEA directly to authenticate AD users (privacyIDEA already requests AD with the resolver).
Adding an intermediate like Windows NPS is useless (my opinion).
On the firewall, I set up the RADIUS server with my privacyIDEA IP address and shared secret.
On the privacyidea server, I set in /etc/freeradius/3.0/clients.conf
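The post above refers to the clients.conf on the privacyIDEA box but the stanza itself is not shown, and a later post in this thread shows freeradius dropping requests "from unknown client". The following added example (not from the thread, not privacyIDEA or FreeRADIUS code) parses a constructed clients.conf in the FreeRADIUS 3 syntax and applies the same decision radiusd makes: does any client stanza's ipaddr (host or CIDR) cover the request's source address? All addresses are RFC 5737 documentation ranges and the secrets are placeholders; the stanza names and the "dmz" subnet are my own assumptions for the sample.

```python
"""Match a RADIUS request source address against FreeRADIUS clients.conf stanzas.

Added example for this thread; not code from privacyIDEA or FreeRADIUS.
The configuration text below is constructed (RFC 5737 addresses, placeholder secrets).
"""
import ipaddress
import re

# Constructed sample in the syntax FreeRADIUS 3 uses: client <name> { key = value ... }.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}

# Windows NPS that proxies RADIUS to privacyIDEA (assumed address)
client nps {
    ipaddr = 192.0.2.10
    secret = REPLACE_ME_SHARED_SECRET
    shortname = nps
}

# A whole subnet may be allowed with CIDR notation (assumed range)
client dmz {
    ipaddr = 198.51.100.0/24
    secret = REPLACE_ME_TOO
}
"""

_STANZA_RE = re.compile(r"client\s+(?P<name>\S+)\s*\{(?P<body>[^}]*)\}", re.S)
_KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients_conf(text):
    """Return {stanza name: {key: value}} with '#' comments stripped first,
    so a commented-out client is correctly treated as absent."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    clients = {}
    for m in _STANZA_RE.finditer(stripped):
        clients[m.group("name")] = dict(_KV_RE.findall(m.group("body")))
    return clients


def find_client(clients, src_ip):
    """Name of the stanza whose ipaddr/ipv4addr/ipv6addr covers src_ip, else None.
    A bare address is a /32 (or /128); 'ipaddr = *' matches every source."""
    addr = ipaddress.ip_address(src_ip)
    for name, attrs in clients.items():
        for key in ("ipaddr", "ipv4addr", "ipv6addr"):
            value = attrs.get(key)
            if value is None:
                continue
            if value == "*":
                return name
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # a hostname would need DNS; skipped in this offline check
            if addr in net:
                return name
    return None


def diagnose(conf_text, src_ip):
    """One-line verdict mirroring radiusd's 'unknown client' check for one request."""
    name = find_client(parse_clients_conf(conf_text), src_ip)
    if name is None:
        return f"unknown client {src_ip}: no client stanza covers this address"
    return f"request from {src_ip} accepted as client '{name}'"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CLIENTS_CONF, "192.0.2.10"))    # the NPS: accepted
    print(diagnose(SAMPLE_CLIENTS_CONF, "198.51.100.7"))  # inside the dmz subnet: accepted
    print(diagnose(SAMPLE_CLIENTS_CONF, "192.0.2.20"))    # e.g. a gateway sending directly: unknown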
Thank you for the quick reply. Unfortunately I can’t ignore the NPS, since it is used for many other services in the university.
What I tried now: I disassociated the YubiKey from my test user and I modified the authentication policy to be applied for any user and added the action “passthru” to allow access with the AD password. The VPN login does also not succeed and the policy seems not to be matching. I am filtering in the audit and looking for “valid” in the action column... so no entries are found!
Hello Cornelinux,
thank you for your reply.
When I run “freeradius -X” on the privacyIDEA server I get the following error:
Failed binding to auth address * port 1812: Address already in use
/etc/freeradius/3.0/sites-enabled/privacyidea[15]: Error binding to port for 0.0.0.0 port 1812
Between FortiGate and NPS we are doing MSCHAPv2. As user resolver in privacyIDEA I configured an LDAP resolver, where I communicate directly with the Active Directory behind the NPS via LDAPS, and this supports PAP by default.
Any idea, how to get this solved?
Thanks in advance
Hello again,
I stopped the freeradius daemon and started it again in debug mode.
When connecting I see the following:
Listening on auth address * port 1812
Listening on proxy address * port 57184
Ready to process requests
Ignoring request to auth address * port 1812 from unknown client 134.245.13.71 port 64811 proto udp
Ready to process requests
Ignoring request to auth address * port 1812 from unknown client 134.245.13.71 port 64811 proto udp
Ready to process requests
But in my clients file I already defined the NPS as a RADIUS client.
Hello and thank you for the reply. I found the answer in similar topics in the community.
Only PAP is supported!
We are now also running PAP between FGT and NPS, but the privacyIDEA server still does not find the user in any realm.
(7) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '134.245.13.71'
(7) perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '87.123.202.172'
(7) perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} -> '0ab74858'
(7) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'FORTIGATE-VM'
(7) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Virtual'
(7) perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '8'
(7) perl-privacyidea: &request:Proxy-State = $RAD_REQUEST{'Proxy-State'} -> '0x86f50d4700000055'
(7) perl-privacyidea: &request:Fortinet-Vdom-Name = $RAD_REQUEST{'Fortinet-Vdom-Name'} -> 'VPN-SSL'
(7) perl-privacyidea: &request:Framed-IP-Address = $RAD_REQUEST{'Framed-IP-Address'} -> '87.123.202.172'
(7) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xeext584'
(7) perl-privacyidea: &request:CHAP-Password = $RAD_REQUEST{'CHAP-Password'} -> '0x86efd1a66fcba6ddb54cbde945f620aa0a'
(7) perl-privacyidea: &request:Connect-Info = $RAD_REQUEST{'Connect-Info'} -> 'vpn-ssl'
(7) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'ERR904: The user can not be found in any resolver in this realm!'
(7) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(7) [perl-privacyidea] = notfound
(7) } # Auth-Type Perl = notfound
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(7) Sending delayed response
(7) Sent Access-Reject Id 8 from 134.245.6.5:1812 to 134.245.13.71:64811 length 96
(7) Reply-Message = "ERR904: The user can not be found in any resolver in this realm!"
(7) Proxy-State = 0x86f50d4700000055
But if I search in the realm I find the user, as you can see.
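The last three posts each hit a different failure visible only in the "freeradius -X" output: a second radiusd already bound to UDP/1812, requests dropped from an unknown client, a request still carrying CHAP-Password although only PAP works with the privacyIDEA module, and finally privacyIDEA's own ERR904 reply. The following added example (not from the thread, not privacyIDEA or FreeRADIUS code) runs a small rule set over debug lines and reports each finding once, in the order a practitioner would fix them. The sample lines are constructed after the output quoted in the thread, with RFC 5737 addresses and a fake CHAP value; the regexes assume the FreeRADIUS 3 / rlm_perl debug wording shown above.

```python
"""Classify failures in 'freeradius -X' debug output from a privacyIDEA RADIUS setup.

Added example for this thread; not code from privacyIDEA or FreeRADIUS.
SAMPLE_DEBUG is constructed after the thread's quoted output (RFC 5737 addresses).
"""
import re

SAMPLE_DEBUG = """\
Failed binding to auth address * port 1812: Address already in use
Ignoring request to auth address * port 1812 from unknown client 192.0.2.20 port 64811 proto udp
(7) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'xeext584'
(7) perl-privacyidea: &request:CHAP-Password = $RAD_REQUEST{'CHAP-Password'} -> '0x00'
(7) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'FORTIGATE-VM'
(7) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'ERR904: The user can not be found in any resolver in this realm!'
(7) Sent Access-Reject Id 8 from 198.51.100.5:1812 to 192.0.2.20:64811 length 96
"""

# (pattern, finding id, explanation template). Ordered by what must be fixed first:
# daemon -> RADIUS client -> authentication method -> user lookup.
RULES = [
    (re.compile(r"Failed binding to auth address .*Address already in use"),
     "port_in_use",
     "another radiusd already owns UDP/1812; stop the service before running 'freeradius -X'"),
    (re.compile(r"from unknown client (\S+) port"),
     "unknown_client",
     "no clients.conf stanza covers {0}; the request is dropped before any module or policy runs"),
    (re.compile(r"&request:(CHAP-Password|MS-CHAP-Challenge|MS-CHAP2-Response)"),
     "non_pap",
     "{0} in the request: the client did not use PAP, so the OTP is not available in clear text"),
    (re.compile(r"Reply-Message.*'(ERR\d+): ([^']*)'"),
     "privacyidea_error",
     "privacyIDEA answered {0}: {1}"),
]


def classify(debug_text):
    """Return [(finding_id, message)] in first-seen order, each finding reported once."""
    findings, seen = [], set()
    for line in debug_text.splitlines():
        for pattern, fid, template in RULES:
            m = pattern.search(line)
            if m and fid not in seen:
                seen.add(fid)
                findings.append((fid, template.format(*m.groups())))
    return findings


def request_summary(debug_text):
    """Collect the request attributes worth comparing with the realm and resolver config."""
    pairs = re.findall(r"&request:(\S+) = \$RAD_REQUEST\{'[^']*'\} -> '([^']*)'", debug_text)
    attrs = dict(pairs)
    return {k: attrs.get(k) for k in ("User-Name", "NAS-Identifier", "CHAP-Password")}


if __name__ == "__main__":
    for fid, msg in classify(SAMPLE_DEBUG):
        print(f"[{fid}] {msg}")
    print(request_summary(SAMPLE_DEBUG))
```

For the ERR904 case the summary shows the exact User-Name the NAS sent; that is the value to look up in the privacyIDEA user view, because a realm search done by hand may succeed with a different spelling, domain suffix, or resolver than the one the RADIUS request actually reaches.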