- PrivacyIdea 2.23.5
- Using TOTP with challenge response (1st time enter LDAP/AD credentials, followed by a field to enter solely OTP)
- Via FreeRadius with SSL VPN
Not sure if this is by design or an issue: the token fail counter increases on wrong LDAP/AD credentials. But if the LDAP/AD credentials are correct and the OTP is wrong (no PIN set), the fail counter does not increase. Anybody else having this issue?
Thank you in advance.
Hello and welcome to this community,
I am not sure if I also have this issue.
But: Is there a reason you are doing challenge response? This allows an attacker to guess the LDAP password. You could also enter both at the same time.
Really appreciate your great work on PrivacyIdea
Challenge response seems simpler for users since they do not have to append the OTP after the password. My AD policy will lock out the account when there are 3 failed attempts, so I am not really worried about brute force. But if challenge response has such an issue that the failcounter does not increment on a wrong OTP, then I may have to go back to your suggestion.
It could be dependent on your PIN and failcounter settings.
With my installed version 3.0.2, after a challenge is sent and the user tries to answer it with the transaction_id and the OTP value, the fail counter gets increased when the wrong OTP value is sent.
It could, however, be that the wrong transaction_id is sent. Then the failcounter would not increase, since the token would not be identified.
- try the config setting “increase failcounter on false pin”.
- update to 3.0.2
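The two points above (a wrong LDAP/AD password in the first step is never charged to the token fail counter, and a failure with an unknown transaction_id identifies no token) mean the audit log, not the failcounter, is where password guessing against step one shows up. The following is an added example, not code from this thread or from the privacyIDEA project: it groups failed /validate/check audit entries that carry no token serial per user and realm and flags bursts. The field names (date, action, success, user, realm, serial, info) and the sample records are assumptions constructed for the example.

```python
"""Added example (not from the thread or the privacyIDEA project): flag
password-guessing against the first step of challenge-response auth by
reading privacyIDEA audit records. Assumes the audit entry fields
'date', 'action', 'success', 'user', 'realm', 'serial', 'info'; the
sample records below are constructed, not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what GET /audit might return (one dict per row).
SAMPLE_AUDIT = [
    {"date": "2019-06-01T10:00:00", "action": "/validate/check", "success": False,
     "user": "alice", "realm": "corp", "serial": "", "info": "wrong otp pin"},
    {"date": "2019-06-01T10:00:05", "action": "/validate/check", "success": False,
     "user": "alice", "realm": "corp", "serial": "", "info": "wrong otp pin"},
    {"date": "2019-06-01T10:00:09", "action": "/validate/check", "success": False,
     "user": "alice", "realm": "corp", "serial": "", "info": "wrong otp pin"},
    {"date": "2019-06-01T10:01:00", "action": "/validate/check", "success": True,
     "user": "alice", "realm": "corp", "serial": "TOTP0001", "info": "challenge created"},
    {"date": "2019-06-01T10:01:20", "action": "/validate/check", "success": False,
     "user": "alice", "realm": "corp", "serial": "TOTP0001", "info": "wrong otp value"},
    {"date": "2019-06-01T11:30:00", "action": "/validate/check", "success": False,
     "user": "bob", "realm": "corp", "serial": "", "info": "wrong otp pin"},
]

def classify(entry):
    """Return 'password' for a failure before any token was identified
    (empty serial: the LDAP/AD password step), 'otp' for a failure against
    a known token, or None for successes and other endpoints."""
    if entry["action"] != "/validate/check" or entry["success"]:
        return None
    return "otp" if entry["serial"] else "password"

def password_stage_failures(entries, window=timedelta(minutes=5), threshold=3):
    """Count password-stage failures per user@realm in a sliding window and
    return the users that reach the threshold, with the largest burst seen;
    these are exactly the attempts the token failcounter never records."""
    times = defaultdict(list)
    for e in entries:
        if classify(e) == "password":
            times[f'{e["user"]}@{e["realm"]}'].append(datetime.fromisoformat(e["date"]))
    flagged = {}
    for who, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:   # drop attempts older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[who] = max(flagged.get(who, 0), end - start + 1)
    return flagged
```

Replace SAMPLE_AUDIT with the rows returned by the audit API or read from pidea_audit to run it against real data.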
It does work after upgrading to 3.0.2!
Another question is why the realm column in the pidea_audit table is only 20 characters long while resolver is 50 characters long. This causes the audit log to truncate my realm, and I cannot easily click on the username in the audit log view to show my user details.
At some point you need to make some decisions. Some DB systems limit the added length of the columns in a table. So you have to make hard decisions.