Newbie: TOTP authentication works from radclient but not from external Radius client (Cisco ASA)

Question
1

Hello!

I can’t get the RADIUS authentication to FreePBX (with PrivacyIDEA backend
to work). I have a TOTP token which authenticates using the following
command: “echo “User-Name=user, User-Password=pin245734” | radclient -sx
localhost auth testing123”. Yet when my Cisco ASA attempts to authenticate
this same user I get the following errors in the FreeRADIUS log (the full
log is attached):

  • rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
  • rlm_perl: Added pair Reply-Message = ERR905: Missing parameter: ‘pass’

I’ve also attached the PrivacyIDEA Debug file. Also a 2nd Debug file from
the radclient test which is successful.
As a newbie I’d certainly appreciate any help! I’m really impressed with
what I’ve seen so far with PrivacyIDEA - now I just have to get it
connected to my ASA [which I’ve connected to FreeRADIUS & Google
Authenticator open-source in the past]…
Thanks again!
P.S. I followed
https://privacyidea.readthedocs.io/en/latest/installation/ubuntu.html for
my setup.

2

Hello Dave,

you did right to check with the radclient tool.

The Reply-Message “Missing parameter” is directly from privacyIDEA.
It states, that it does not get the parameter pass.
So obviously the RADIUS protocol contains an empty password or no
password?!?

You can verify this e.g. with wireshark.

And I can not help you WHY the RADIUS client does not send the
User-Password parameter.

You might have configurd CHAP or MSCHAP!
You need to configure PAP.

Kind regards
CorneliusAm Donnerstag, den 21.07.2016, 13:04 -0700 schrieb Dave Baddorf:

Hello!

I can’t get the RADIUS authentication to FreePBX (with PrivacyIDEA
backend to work). I have a TOTP token which authenticates using the
following command: “echo “User-Name=user, User-Password=pin245734” |
radclient -sx localhost auth testing123”. Yet when my Cisco ASA
attempts to authenticate this same user I get the following errors in
the FreeRADIUS log (the full log is attached):
* rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
* rlm_perl: Added pair Reply-Message = ERR905: Missing
parameter: ‘pass’
I’ve also attached the PrivacyIDEA Debug file. Also a 2nd Debug file
from the radclient test which is successful.
As a newbie I’d certainly appreciate any help! I’m really impressed
with what I’ve seen so far with PrivacyIDEA - now I just have to get
it connected to my ASA [which I’ve connected to FreeRADIUS & Google
Authenticator open-source in the past]…
Thanks again!
P.S. I
followed 2.2. Ubuntu Packages — privacyIDEA 3.8 documentation for my setup.


Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/a404c1d6-159e-40a5-bb6e-2254b5225c80%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

3

Cornelius,
Thanks for your help! After troubleshooting this further I found out
that on the Cisco ASA when the command “password-management” is used then
the RADIUS requests to FreeRADIUS must be using MS-CHAP instead of PAP.
Once I removed that “password-management” command I was able to use
two-factor authentication for the ASA VPN’s, through FreeRADIUS to
PrivacyIDEA.
I appreciate your great product!
DaveOn Thursday, July 21, 2016 at 4:29:07 PM UTC-4, Cornelius Kölbel wrote:

Hello Dave,

you did right to check with the radclient tool.

The Reply-Message “Missing parameter” is directly from privacyIDEA.
It states, that it does not get the parameter pass.
So obviously the RADIUS protocol contains an empty password or no
password?!?

You can verify this e.g. with wireshark.

And I can not help you WHY the RADIUS client does not send the
User-Password parameter.

You might have configurd CHAP or MSCHAP!
You need to configure PAP.

Kind regards
Cornelius

Am Donnerstag, den 21.07.2016, 13:04 -0700 schrieb Dave Baddorf:

Hello!

I can’t get the RADIUS authentication to FreePBX (with PrivacyIDEA
backend to work). I have a TOTP token which authenticates using the
following command: “echo “User-Name=user, User-Password=pin245734” |
radclient -sx localhost auth testing123”. Yet when my Cisco ASA
attempts to authenticate this same user I get the following errors in
the FreeRADIUS log (the full log is attached):
* rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
* rlm_perl: Added pair Reply-Message = ERR905: Missing
parameter: ‘pass’
I’ve also attached the PrivacyIDEA Debug file. Also a 2nd Debug file
from the radclient test which is successful.
As a newbie I’d certainly appreciate any help! I’m really impressed
with what I’ve seen so far with PrivacyIDEA - now I just have to get
it connected to my ASA [which I’ve connected to FreeRADIUS & Google
Authenticator open-source in the past]…
Thanks again!
P.S. I
followed
2.2. Ubuntu Packages — privacyIDEA 3.8 documentation for
my setup.


Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/a404c1d6-159e-40a5-bb6e-2254b5225c80%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel