privacyIDEA and RSA SecurID


#1

Hi,

I'm currently testing whether privacyIDEA can replace our RSA SecurID OTP system in the medium term.
But first we need a smooth migration, because we have tokens in use; in fact there are a lot of tokens valid until the middle of 2019.

The LDAP resolver (Windows AD) is configured and successfully tested (radtest / radclient), the client (privacyIDEA server) on the RSA system is configured and successfully tested, and FreeRADIUS is installed.

The auth passthru policy is created.
When I try to test this policy, I get the following output from FreeRADIUS:

root@pricacyidea1:~# echo "User-Name=user@zteservices.eu, Password=xxxxxxxxxx" | radclient -sx localhost auth XXXXXXX
Sending Access-Request of id 51 to 127.0.0.1 port 1812
User-Name = "user@zteservices.eu"
Password = "xxxxxxxxxxxx"
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=51, length=53
Reply-Message = "The user has no tokens assigned"

       Total approved auths:  0
         Total denied auths:  1
           Total lost auths:  0

Direct testing of the RSA RADIUS, however, works correctly:

root@pricacyidea1:~# echo "User-Name=user, Password=xxxxxxxxxxxx" | radclient -sx 10.8.224.10 auth XXXXXXXXXX
Sending Access-Request of id 9 to 10.8.224.10 port 1812
User-Name = "user"
Password = "XXXXXXXXXX"
rad_recv: Access-Accept packet from host 10.8.224.10 port 1812, id=9, length=80
Class = 0x53425232434c8c88c9a2aa923542656565645646ddcdf79bcdcaebb0c012800e818c88c9a2aa9191c7dc80808dc1d4

       Total approved auths:  1
         Total denied auths:  0
           Total lost auths:  0

What can I do, or where can I look, to find where the problem is located?

################################
EDIT:

If I test the RADIUS server configuration with the web frontend, neither the localhost nor the RSA RADIUS is successful:

rad_recv: Access-Request packet from host 127.0.0.1 port 42929, id=15, length=61
NAS-Identifier = "privacyIDEA"
User-Name = "user"
User-Password = "OU:\334É\nA7\022\320yF\221\342o"

Executing section authorize from file /etc/freeradius/sites-enabled/privacyidea.save

+group authorize {
++[preprocess] = ok
++[digest] = noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[ntdomain] No '' in User-Name = "user", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = Perl

Executing group from file /etc/freeradius/sites-enabled/privacyidea.save

+group Perl {
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config:
rlm_perl: Default URL https://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: user
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam pass
rlm_perl: urlparam client
rlm_perl: urlparam user
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA Result status is true!
rlm_perl: privacyIDEA access denied
rlm_perl: return RLM_MODULE_REJECT
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair User-Password = OU:\304▒?\nH7\0342\240yF\342\011o
rlm_perl: Added pair NAS-Identifier = privacyIDEA
rlm_perl: Added pair User-Name = user
rlm_perl: Added pair Reply-Message = The user has no tokens assigned
rlm_perl: Added pair Auth-Type = Perl
++[perl] = reject
+} # group Perl = reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Delaying reject of request 6 for 1 seconds
Going to the next request


If I test the RSA RADIUS, I get the following in the Dashboard Authentication Activity for that user:

Authetication method failed, passcode format error.

############################################

BR
André


#2

Hi André,

the Reply-Message “The user has no tokens assigned” in the first RADIUS response could mean two things:

  1. the passthru policy is not being applied correctly to the request. How is the policy configured?
  2. the RADIUS authentication request sent from privacyIDEA to the RSA Radius fails.

In any case, the privacyIDEA log file at /var/log/privacyidea/privacyidea.log is a good place to look for clues.

Best Wishes

Friedrich


#3

Hi Friedrich,

thank you for your response.

Yes, I've checked the privacyidea.log.
In case of testing the RSA RADIUS server, I'm getting

Receiving timeout from remote radius server xx.xx.xx.xx
combined with the "Authetication method failed, passcode format error." from the RSA Dashboard.

The RSA RADIUS needs the OTP PIN followed by the OTP, so I've changed this in the system config:
"OTP-PIN dem OTP-Wert voranstellen"

In case of requesting the (local) FreeRADIUS, this happens:

[2018-07-03 11:22:49,158][5835][-1282974912][INFO][privacyidea.lib.user:230] user u’user’ found in resolver u’DOMAIN01’
[2018-07-03 11:22:49,159][5835][-1282974912][INFO][privacyidea.lib.user:231] userid resolved to ‘a36ec65c-6773-4335-8934-fcd90091b9cd’
[2018-07-03 11:22:49,170][5835][-1282974912][WARNING][privacyidea.lib.utils:583] Proxy ::1 not allowed to set IP to 127.0.0.1.
[2018-07-03 11:22:49,170][5835][-1282974912][ERROR][privacyidea.lib.utils:133] Wrong time range format: -:hh:mm-hh:mm

Meanwhile, I've lost sight of the wood for the trees :)

BR
André
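Friedrich pointed at /var/log/privacyidea/privacyidea.log, and André's post above shows what its lines look like. The following is an added example (not part of the thread and not privacyIDEA's own code) that parses that line format, counts entries per level, and pulls out the WARNING/ERROR entries and anything mentioning RADIUS, which is the leg of a passthru authentication this thread is debugging. The first four sample lines are copied from the post; the timeout line and the final unparseable line are constructed, and the module name in the constructed line is a placeholder.

```python
import re
from collections import Counter

# One privacyidea.log line has the shape
#   [timestamp][pid][thread id][LEVEL][module:lineno] message
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]"
    r"\[(?P<pid>\d+)\]"
    r"\[(?P<thread>-?\d+)\]"
    r"\[(?P<level>[A-Z]+)\]"
    r"\[(?P<module>[^:\]]+):(?P<lineno>\d+)\]\s*"
    r"(?P<msg>.*)$"
)

PROBLEM_LEVELS = ("WARNING", "ERROR", "CRITICAL")

# First four lines copied from the post; the last two are constructed.
# "privacyidea.lib.PLACEHOLDER:0" is a placeholder module/line, not a real one.
SAMPLE_LOG = """\
[2018-07-03 11:22:49,158][5835][-1282974912][INFO][privacyidea.lib.user:230] user u'user' found in resolver u'DOMAIN01'
[2018-07-03 11:22:49,159][5835][-1282974912][INFO][privacyidea.lib.user:231] userid resolved to 'a36ec65c-6773-4335-8934-fcd90091b9cd'
[2018-07-03 11:22:49,170][5835][-1282974912][WARNING][privacyidea.lib.utils:583] Proxy ::1 not allowed to set IP to 127.0.0.1.
[2018-07-03 11:22:49,170][5835][-1282974912][ERROR][privacyidea.lib.utils:133] Wrong time range format: -:hh:mm-hh:mm
[2018-07-03 11:23:05,001][5835][-1282974912][WARNING][privacyidea.lib.PLACEHOLDER:0] Receiving timeout from remote radius server xx.xx.xx.xx
this line is not in the log format at all
"""


def parse_line(line):
    """Return a dict of the structured fields, or None if the line does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["lineno"] = int(rec["lineno"])
    return rec


def triage(text):
    """Summarise a chunk of privacyidea.log for a first look at a failing request."""
    lines = [l for l in text.splitlines() if l.strip()]
    parsed = [parse_line(l) for l in lines]
    records = [r for r in parsed if r is not None]
    return {
        "levels": Counter(r["level"] for r in records),
        # Entries worth reading first.
        "problems": [r for r in records if r["level"] in PROBLEM_LEVELS],
        # Entries about the RADIUS leg (passthru to the remote server).
        "radius": [r for r in records if "radius" in r["msg"].lower()],
        # Lines that did not match the format (multi-line tracebacks, noise).
        "unparsed": sum(1 for r in parsed if r is None),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("entries per level:", dict(summary["levels"]))
    for rec in summary["problems"]:
        print(f'{rec["level"]:8} {rec["module"]}:{rec["lineno"]} {rec["msg"]}')
    print("RADIUS-related entries:", len(summary["radius"]))
    print("unparsed lines:", summary["unparsed"])
```

Run it against a real log with `triage(open("/var/log/privacyidea/privacyidea.log").read())`; if the RADIUS list is empty for a request that should have been passed through, that matches Friedrich's hint in the next post that the passthru policy is probably not being applied.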


#4

Hi André,

I'm not sure if I understand correctly :) Are you referring to the privacyIDEA web frontend, i.e. the "Send test RADIUS request" button on the RADIUS server definition page? Have you added the localhost RADIUS server in the privacyIDEA web frontend, and are you testing from there?

If yes, this might be a problem: The test button is broken in v2.22, see here, and will always use an invalid RADIUS shared secret, which will result in a timeout from the RADIUS server.

The setting you mentioned only affects tokens which are enrolled in privacyIDEA itself. If the passthru policy is used, privacyIDEA does not split the password into a PIN and OTP part (because it cannot know the length of the OTP part). Instead, it just sends the password verbatim to the specified RADIUS server.

So I would recommend to not rely on the web frontend “test” button for now. Instead, test with radclient and look for interesting log entries. If nothing concerning RADIUS appears in the log, I would guess that the passthru policy is not applied properly.

Best Wishes

Friedrich


#5

Hi André,

here are some thoughts of mine:

  1. If you want to get a first idea about what privacyIDEA is doing and why, you should take a look into the audit log. This contains top level information, why an authentication or any other request would succeed or not.
  2. Then you can look into the privacyidea.log
  3. In your case, the message from the RSA SecurID server is also interesting. Could it be:
    1. That you simply have a too complicated password / OTP PIN? Can you please check a user with a simple PIN without special characters?
    2. If the RSA SecurID complains about the password format error: Please check that your RADIUS secrets are correct. The RADIUS secret is configured to only encrypt the User-Password RADIUS parameter. So if you have a wrong secret, you get a password that simply is scrambled.

Kind regards
Cornelius
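Cornelius's second point is worth seeing in bytes: in RADIUS PAP the shared secret protects only the User-Password attribute (RFC 2865 section 5.2), by XORing each 16-byte block of the padded password with MD5(secret + previous block), seeded with the Request Authenticator. A server with the wrong secret does not get an error, it gets a different XOR stream and therefore a scrambled password, which is exactly the "passcode format error" the RSA side reports. The following is an added example, not code from the thread or from privacyIDEA; the secrets, the passcode and the authenticator are constructed values.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way RFC 2865 section 5.2 describes.

    c1 = p1 XOR MD5(secret + RequestAuthenticator), c2 = p2 XOR MD5(secret + c1), ...
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], key_block)
        out += c
        prev = c                      # chaining: next block keyed on this ciphertext
    return bytes(out)


def decode_user_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of encode_user_password; strips the NUL padding.

    Note: the scheme has no integrity check, so a wrong secret yields bytes, not an error.
    """
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return bytes(out).rstrip(b"\x00")


def looks_like_passcode(data: bytes) -> bool:
    """A PIN followed by an OTP is printable ASCII; a wrong-secret decode almost never is."""
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def round_trip(passcode: bytes, client_secret: bytes, server_secret: bytes, authenticator: bytes):
    """Return (decoded_by_server, server_sees_printable_passcode)."""
    on_the_wire = encode_user_password(passcode, client_secret, authenticator)
    seen = decode_user_password(on_the_wire, server_secret, authenticator)
    return seen, looks_like_passcode(seen)


if __name__ == "__main__":
    auth = secrets.token_bytes(16)           # fresh per request, sent in the clear
    passcode = b"1234" + b"567890"           # constructed PIN + OTP, not a real one
    print("matching secrets:", round_trip(passcode, b"s3cret", b"s3cret", auth))
    print("mismatched secrets:", round_trip(passcode, b"s3cret", b"s3cre7", auth))
```

The "matching" case returns the passcode unchanged; the "mismatched" case returns bytes of the kind visible in the debug output earlier in this thread, which the RSA server then rejects as a malformed passcode. Because decoding never fails loudly, checking the shared secret on both ends, as Cornelius suggests, is the right first step when the remote side complains about password format rather than about a wrong password.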


#6

Hi Cornelius,

everything is working fine now. I made some configuration mistakes … but now it's solved and the test system is running.

BR
André


#7

Now I have some additional questions:

  1. I'm using version 2.22 on Ubuntu 16.4 and the setup tool is missing, which comes with 1.3.3
    (privacyidea-appliance). Is this only available in the "pay version"?
  2. When I install the mysql package, Apache2 gets uninstalled and the configuration for privacyidea is missing. I'm a little bit confused, because we want to use the mysql-dd. How can I use both?

When the tests are done and we have verified that FreeOTP is running on Android 4.xxx, we want to use it on RHEL anyway.

So much to read, but the system is very cool :)

BR
André


#8

Hi André

The privacyIDEA Appliance is only available in the enterprise repository.
But if it works for you, it can be built from GitHub.

I am not sure what mysql-dd is, but the privacyidea-apache2 and privacyidea-mysql packages are primarily meta-packages with some additional setup.
If you have a different database and/or webserver, you can use the python-privacyidea package and do the setup manually.

Thanks :)

Regards
Paul