I'm very new to privacyIDEA. We are testing it as an email/SMS OTP addition to our Windows AD RADIUS deployment of Cisco AnyConnect clients. As privacyIDEA will be used as the secondary AAA server, user PINs will not be set and we will rely on the emailed OTP exclusively.
I've enrolled privacyIDEA tokens to a few test users' emails and have had success in testing the RADIUS functionality. We send the RADIUS authentication request first with username only, then get an email with the OTP. The response in testing seems to show that the FreeRADIUS plugin is working correctly:
sending authentication request to server ..**.18:1812
Transmitting packet, code=1 id=32 length=49
received response from the server in 78miliseconds
reply packet code=2 id=32 length=48
response: Access-Accept
------------------------attribute dump-------------------------
Relply-Message=privacyIDEA access granted
When connecting to the FTD1120 as secondary AAA server we get the following in the logs:
2021-11-06 13:12:39 Info AAA unable to complete the request Error : reason = Invalid response received from server : user = r***
2021-11-06 13:12:21 Info AAA challenge received for user r*** from server ...18 <–privacyidea server
2021-11-06 13:12:20 Info AAA user authentication successful : server = ...3 : user = r*** ← primary AD with NPS
I can tell you that the FreeRADIUS server seems to be granting access correctly (although there seem to be some errors):
(19) perl-privacyidea: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} → 'coa-push=true'
(19) perl-privacyidea: &request:ASA-ClientType = $RAD_REQUEST{'ASA-ClientType'} → 'AnyConnect-Client-SSL-VPN'
(19) perl-privacyidea: ERROR: Failed to create pair - Unknown name "privacyIDEA-Serial"
(19) perl-privacyidea: ERROR: &reply:privacyIDEA-Serial += $RAD_REPLY{'privacyIDEA-Serial'} → 'PIEM00003C93'
(19) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} → 'privacyIDEA access granted'
(19) perl-privacyidea: ERROR: Internal failure creating pair &reply:Class += $RAD_REPLY{'Class'} → 'undef'
(19) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} → 'Perl'
(19) [perl-privacyidea] = ok
(19) } # Auth-Type Perl = ok
(19) Sent Access-Accept Id 30 from ...18:1812 to ...253:10575 length 0
(19) Reply-Message = "privacyIDEA access granted"
(19) Finished request
Waking up in 4.9 seconds.
(19) Cleaning up request packet ID 30 with timestamp +4885
Ready to process requests
Is my problem related to a bug with the Cisco FTD? Maybe the privacyIDEA RADIUS plugin needs a config that I missed? Any help appreciated.
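The two-step exchange described in this post (username-only Access-Request, Access-Challenge carrying State, then a second Access-Request with the OTP and the echoed State), as an added example that is not from the post, from privacyIDEA or from FreeRADIUS: it builds both sides' packets per RFC 2865 and verifies the Response Authenticator, the check a RADIUS client must pass before it accepts any reply. The shared secret, user name, OTP and State value are constructed.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types used in the privacyIDEA challenge-response flow
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def _pap_encrypt(password, secret, authenticator):
    # RFC 2865 User-Password hiding: null-pad to 16-byte blocks (at least one), XOR with an MD5 chain
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, secret, username, password=b"", state=None, authenticator=None):
    # Client side; `state` echoes the State attribute of a previous Access-Challenge.
    authenticator = authenticator or os.urandom(16)
    hidden = _pap_encrypt(password, secret, authenticator)
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    if state is not None:
        attrs += bytes([STATE, 2 + len(state)]) + state
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, secret, request_authenticator, attrs):
    # Server side; the Response Authenticator binds the reply to one request and to the shared secret.
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def parse_response(packet, secret, request_authenticator):
    # Verify the Response Authenticator (RFC 2865 section 3), then decode the reply attributes.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered reply")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs
```

A reply that fails the authenticator check is dropped by a conforming NAS, so a secret mismatch between the NAS and the RADIUS server shows up as a timeout or "invalid response" on the NAS side even when the server logs an Access-Accept.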