Hello dear community
we are using privacyidea for mfa with the vpn service and it is working fine for all users, even without token, since we allow users without token to authenticate against Active Directory with the AD-credentials.
Now we want to reject all users not having a token.
Is there any way to do this?
Thanks
Amin
Hi Amin,
yes it is possible, please read our Documentation about Authentication Policies.
https://privacyidea.readthedocs.io/en/master/policies/authentication.html?highlight=otppin
Br
julio
Dear Julio,
thank you for the quick reply…
Actually we have the action otppin set to userstore, so that users having a token should, when logging in to the VPN, first give the Active Directory password and then the OTP.
Actually, users without a token must only give the Active Directory password, due to the action passthru which is set to userstore.
What I need is the following: Users without Token should be rejected.
Unfortunately I can't find any action that realises my purpose…
Regards,
Amin
Hi Amin,
deactivate your passthru policy
If there are users who do not have a token, they will not be able to log in. These users would have to ask the admin for a token or if there is a self-service, roll out a token themselves.
Br
Julio
Hi Julio,
that is exactly what I did
Without a passthru policy, the users are no longer asked for the OTP, even if they have a token!
The authentication just fails! That's why I sent my question.
Regards,
Amin
Hi Amin,
I don't know your setup.
Please check your audit log and the privacyidea log.
I have checked passthru, and it is working as expected.
User has no token
passthru=userstore
root@pi4-246:~# echo "User-Name=julio@ucs,User-Password=Test1234" | radclient -x localhost auth testing123
Sent Access-Request Id 36 from 0.0.0.0:42819 to 127.0.0.1:1812 length 49
User-Name = "julio@ucs"
User-Password = "Test1234"
Cleartext-Password = "Test1234"
Received Access-Accept Id 36 from 127.0.0.1:1812 to 127.0.0.1:42819 length 48
Reply-Message = "privacyIDEA access granted"
User has no token
no passthru policy
root@pi4-246:~# echo "User-Name=julio@ucs,User-Password=Test1234" | radclient -x localhost auth testing123
Sent Access-Request Id 140 from 0.0.0.0:37118 to 127.0.0.1:1812 length 49
User-Name = "julio@ucs"
User-Password = "Test1234"
Cleartext-Password = "Test1234"
Received Access-Reject Id 140 from 127.0.0.1:1812 to 127.0.0.1:37118 length 35
Reply-Message = "wrong otp pin"
(0) -: Expected Access-Accept got Access-Reject
User has a token
otppin=userstore
No passthru policy
Sent Access-Request Id 28 from 0.0.0.0:44960 to 127.0.0.1:1812 length 49
User-Name = "julio@ucs"
User-Password = "Test1234047456"
Cleartext-Password = "Test1234047456"
Received Access-Accept Id 28 from 127.0.0.1:1812 to 127.0.0.1:44960 length 48
Reply-Message = "privacyIDEA access granted"
Br
Julio
Dear Julio,
thank you again. Let me have another look at my policies; I will write back asap.
Thanks
Amin
Dear Julio, I think I created my own problem! I had a policy conflict and a typing error in the additional conditions.
Now I solved both problems, but it is still not working as expected!
I defined 2 Authentication-Policies with different priorities, conditions and actions.
Policy1: only for one usergroup, no passthru
{'name': 'RZ-2FA-ZWANG', 'active': True, 'scope': 'authentication', 'realm': ['defrealm'], 'adminrealm': [], 'adminuser': [], 'resolver': ['NPS-AD'], 'pinode': ['localnode'], 'check_all_resolvers': False, 'user': [], 'client': [], 'time': '', 'conditions': [('userinfo', 'group', 'contains', "'CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de'", True)], 'priority': 1, 'action': {'challenge_response': 'otp hotp totp yubikey u2f', 'challenge_text': '2FA erforderlich! OTP eingeben.', 'otppin': 'userstore', 'reset_all_user_tokens': True}},
Policy2: for all users, with passthru
{'name': 'NPS-2FA-Auth', 'active': True, 'scope': 'authentication', 'realm': ['defrealm'], 'adminrealm': [], 'adminuser': [], 'resolver': ['NPS-AD'], 'pinode': ['localnode'], 'check_all_resolvers': False, 'user': [], 'client': [], 'time': '', 'conditions': [], 'priority': 3, 'action': {'challenge_response': 'otp hotp totp yubikey u2f', 'challenge_text': 'Bitte die Anmeldung mit Ihrem OTP bestätigen.', 'otppin': 'userstore', 'passthru': 'userstore', 'reset_all_user_tokens': True}},
I am testing with a user having the attribute 'group' as multivalue attribute.
group
['CN=blablabla', 'CN=blablabla', 'CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de', 'CN=blablabla']
I am expecting that policy1 matches due to the additional condition. But this does not happen. Policy2 keeps matching and my user is allowed to login without token.
Any suggestions ?
Best Regards
Amin
Still not getting it working as expected. Any tips?
Best Regards
Amin
We do not know your setup.
It is a normal behaviour that a user without a token will not be able to authenticate.
Thus: rejecting a user without a token is the default behaviour!!! ! ! !!!
The policies in PI are not working like firewall-policies! The priority is only used if 2 policies match the same condition.
Dear cornelinux, Dear AAuer,
thank you for the quick reply.
@cornelinux: I already know that it is a normal behaviour to reject a user without a token, that is why I was wondering that my users are being able to login, even if they don't have a token.
@AAuer: If I assume that priority is only used when 2 Policies have the same conditions, how should I be able to make some exceptions based on some user attributes?
About my Setup:
- I am using 2FA with the vpn service
- Users are stored in Active Directory, in different groups, 'group' is configured as a multivalue attribute
- Additional User-Info are being sent in the response
- My Authentication-Policy is having a passthru-Action, allowing users without a token to authenticate against Active Directory.
This is working fine!
Now, I need to make an exception. Users from a specific group should no longer be able to login without a token.
To achieve that, I have duplicated my old authentication policy, I have given the new authentication policy additional conditions (userinfo) and a lower priority number and I deleted the passthru-action.
I am expecting that a user from this specific group and not having a token would not be able to login to vpn. But this does not happen.
My 2 authentication policies are the following:
Policy with conditions and without passthru
{'name': '2FA_erforderlich', 'active': True, 'scope': 'authentication', 'realm': ['defrealm'], 'adminrealm': [], 'adminuser': [], 'resolver': ['NPS-AD'], 'pinode': ['localnode'], 'check_all_resolvers': False, 'user': [], 'client': [], 'time': '', 'conditions': [('userinfo', 'group', 'contains', 'CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de', True)], 'priority': 2, 'action': {'challenge_text': '2FA erforderlich! OTP eingeben.', 'otppin': 'userstore'}},
Policy without conditions and with passthru
{'name': 'NPS-2FA-Auth', 'active': True, 'scope': 'authentication', 'realm': ['defrealm'], 'adminrealm': [], 'adminuser': [], 'resolver': ['NPS-AD'], 'pinode': ['localnode'], 'check_all_resolvers': False, 'user': [], 'client': [], 'time': '', 'conditions': [], 'priority': 3, 'action': {'challenge_response': 'otp hotp totp yubikey u2f', 'challenge_text': 'Bitte die Anmeldung mit Ihrem OTP bestätigen.', 'otppin': 'userstore', 'passthru': 'userstore', 'reset_all_user_tokens': True}},
My Test-user is 'szrzs147'
To check the user-attributes I used the following command:
http --verify no POST https://localhost/validate/check user=szrzs147 pass=######
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 2232
Content-Type: application/json
Date: Tue, 14 Feb 2023 08:42:42 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
{
  "detail": {
    "message": "against userstore due to 'NPS-2FA-Auth'",
    "threadid": 139834476082944,
    "user": {
      "email": ######,
      "givenname": ######,
      "group": [
        "CN=######",
        "CN=######",
        …
        "CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de",
        …,
As you can see, the policy 'NPS-2FA-Auth' keeps matching. In the audit I see the same and the user is connecting to vpn without OTP.
I am expecting that the policy '2FA_erforderlich' matches due to the usergroup-condition and the lower priority number.
Maybe I am doing something wrong and will be thankful for any help.
Best Regards
Amin
Hello again,
I solved the problem with adding the following condition to the Policy with the passthru action.
'conditions': [('userinfo', 'group', '!contains', 'CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de', True)],
Users from the specified group and not having a token are now not allowed to connect to vpn.
The received error message is unfortunately not significant, but this is a response-issue between the NPS and the vpn gateway (Fortigate).
Thank you all for your time and support!
Best Regards
Amin
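Editor's added example (not code from privacyIDEA or from anyone in this thread): a small Python model of AAuer's point that priority only arbitrates between policies that set the same action, and of why Amin's final "!contains" condition works. It assumes, as a labelled simplification, that every active policy whose conditions all hold contributes its actions, and that the priority number only decides between matching policies that define the same action; a policy that simply does not mention passthru cannot suppress a passthru defined in another matching policy. Policy dictionaries and user attributes are constructed from the thread and trimmed to the fields that matter; the helper names (condition_holds, matching_policies, effective_actions, passthru_allowed) are the example's own.

```python
# Added example, not code from privacyIDEA or from this thread: a simplified
# model of how several matching authentication policies combine. Assumption
# (labelled as such): every active policy whose conditions all hold
# contributes its actions, and the priority number only decides between
# matching policies that set the SAME action. Policy and user data below are
# constructed from the thread, trimmed to the fields that matter here.

VPN_GROUP = "CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de"


def condition_holds(condition, userinfo):
    """Evaluate one (section, key, comparator, value, active) condition tuple."""
    section, key, comparator, value, active = condition
    if not active:
        return True  # an inactive condition never restricts the policy
    if section != "userinfo":
        raise ValueError(f"unsupported condition section: {section!r}")
    attr = userinfo.get(key)
    # AD 'group' is a multi-value attribute, so compare against the whole list;
    # single-valued attributes are wrapped so both cases use the same check.
    values = attr if isinstance(attr, list) else [attr]
    if comparator == "contains":
        return value in values
    if comparator == "!contains":
        return value not in values
    raise ValueError(f"unsupported comparator: {comparator!r}")


def matching_policies(policies, userinfo):
    """All active policies whose conditions hold for this user, best priority first."""
    hits = [
        p for p in policies
        if p["active"] and all(condition_holds(c, userinfo) for c in p["conditions"])
    ]
    return sorted(hits, key=lambda p: p["priority"])


def effective_actions(policies, userinfo):
    """Merge the actions of every matching policy; the lowest priority number wins a conflict."""
    merged = {}
    for pol in matching_policies(policies, userinfo):
        for action, value in pol["action"].items():
            merged.setdefault(action, value)  # first (best priority) value is kept
    return merged


def passthru_allowed(policies, userinfo):
    """True when the merged actions still contain a passthru for this user."""
    return "passthru" in effective_actions(policies, userinfo)


def policy(name, priority, conditions, action):
    """Build a trimmed policy dict with the keys this model evaluates."""
    return {"name": name, "active": True, "scope": "authentication",
            "priority": priority, "conditions": conditions, "action": action}


NO_PASSTHRU = policy("2FA_erforderlich", 2,
                     [("userinfo", "group", "contains", VPN_GROUP, True)],
                     {"challenge_text": "2FA erforderlich! OTP eingeben.",
                      "otppin": "userstore"})

# The passthru policy as first posted: no condition, so it matches everyone.
PASSTHRU_UNCONDITIONAL = policy("NPS-2FA-Auth", 3, [],
                                {"otppin": "userstore", "passthru": "userstore"})

# The fix from the last post: exclude the VPN group from the passthru policy.
PASSTHRU_EXCLUDING_GROUP = policy("NPS-2FA-Auth", 3,
                                  [("userinfo", "group", "!contains", VPN_GROUP, True)],
                                  {"otppin": "userstore", "passthru": "userstore"})

BEFORE_FIX = [NO_PASSTHRU, PASSTHRU_UNCONDITIONAL]
AFTER_FIX = [NO_PASSTHRU, PASSTHRU_EXCLUDING_GROUP]

# Constructed userinfo: a tokenless user inside the VPN group, and one outside it.
GROUP_MEMBER = {"username": "szrzs147",
                "group": ["CN=other1,DC=example", VPN_GROUP, "CN=other2,DC=example"]}
OTHER_USER = {"username": "someone-else", "group": ["CN=other1,DC=example"]}


if __name__ == "__main__":
    for label, policies in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        for user in (GROUP_MEMBER, OTHER_USER):
            names = [p["name"] for p in matching_policies(policies, user)]
            print(f"{label:10} {user['username']:13} matches={names} "
                  f"passthru={passthru_allowed(policies, user)}")
```

Before the fix both policies match the group member, so the passthru from NPS-2FA-Auth survives the merge and a tokenless user still gets in, which is the symptom Amin saw in the audit log; the priority number never came into play because 2FA_erforderlich defines no passthru action at all. After the fix the two policies are mutually exclusive on the group attribute, so a group member only ever sees the policy without passthru, while everyone else keeps the old behaviour. The useful check on a real system is the "against userstore due to …" message in /validate/check or the audit log: if it still names the passthru policy for a user who should be forced to 2FA, the conditions still overlap.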