Reject users without token

Hello dear community :slightly_smiling_face:
we are using privacyIDEA for MFA with the VPN service and it is working fine for all users, even without token, since we allow users without token to authenticate against Active Directory with the AD credentials.
Now we want to reject all users not having a token.
Is there any way to do this?
Thanks
Amin

Hi Amin,

yes it is possible, please read our documentation about authentication policies.
https://privacyidea.readthedocs.io/en/master/policies/authentication.html?highlight=otppin

Br

julio

Dear Julio,
thank you for the quick reply…
Actually we have the action otppin set to userstore, so that users having a token should, when logging in to VPN, first give the Active Directory password, then the OTP.
Actually, users without a token must only give the Active Directory password, due to the action passthru which is set to userstore.
What I need is the following: Users without token should be rejected.
Unfortunately I can't find any action that realises my purpose…
Regards,
Amin

Hi Amin,

deactivate your passthru policy

If there are users who do not have a token, they will not be able to log in. These users would have to ask the admin for a token or if there is a self-service, roll out a token themselves.

Br

Julio

Hi Julio,
that is exactly what I did :slight_smile:
Without a passthru policy, the users are no longer asked for the OTP, even if they have a token!
The authentication just fails! That's why I sent my question :slight_smile:
Regards,
Amin

Hi Amin,

I don't know your setup.
Please check your audit log and the privacyidea log.

I have checked passthru, and it is working as expected.

User has no token
passthru=userstore

root@pi4-246:~# echo "User-Name=julio@ucs,User-Password=Test1234" | radclient -x localhost auth testing123
Sent Access-Request Id 36 from 0.0.0.0:42819 to 127.0.0.1:1812 length 49
	User-Name = "julio@ucs"
	User-Password = "Test1234"
	Cleartext-Password = "Test1234"
Received Access-Accept Id 36 from 127.0.0.1:1812 to 127.0.0.1:42819 length 48
	Reply-Message = "privacyIDEA access granted"

User has no token
no passthru policy

root@pi4-246:~# echo "User-Name=julio@ucs,User-Password=Test1234" | radclient -x localhost auth testing123
Sent Access-Request Id 140 from 0.0.0.0:37118 to 127.0.0.1:1812 length 49
	User-Name = "julio@ucs"
	User-Password = "Test1234"
	Cleartext-Password = "Test1234"
Received Access-Reject Id 140 from 127.0.0.1:1812 to 127.0.0.1:37118 length 35
	Reply-Message = "wrong otp pin"
(0) -: Expected Access-Accept got Access-Reject

User has a token
otppin=userstore
No passthru policy

Sent Access-Request Id 28 from 0.0.0.0:44960 to 127.0.0.1:1812 length 49
	User-Name = "julio@ucs"
	User-Password = "Test1234047456"
	Cleartext-Password = "Test1234047456"
Received Access-Accept Id 28 from 127.0.0.1:1812 to 127.0.0.1:44960 length 48
	Reply-Message = "privacyIDEA access granted"

Br

Julio

Dear Julio,
thank you again. Let me have another look at my policies, I will write back asap.
Thanks
Amin

Dear Julio, I think I made my own problem! I had a policy conflict and a typing error in the additional conditions.
Now I solved both problems, but it is still not working as expected!

I defined 2 Authentication-Policies with different priorities, conditions and actions.

Policy1: only for one usergroup, no passthru
{'name': 'RZ-2FA-ZWANG', 'active': True, 'scope': 'authentication', 'realm': ['defrealm'], 'adminrealm': [], 'adminuser': [], 'resolver': ['NPS-AD'], 'pinode': ['localnode'], 'check_all_resolvers': False, 'user': [], 'client': [], 'time': '', 'conditions': [('userinfo', 'group', 'contains', '"CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de"', True)], 'priority': 1, 'action': {'challenge_response': 'otp hotp totp yubikey u2f', 'challenge_text': '2FA erforderlich! OTP eingeben.', 'otppin': 'userstore', 'reset_all_user_tokens': True}},

Policy2: for all users, with passthru
{'name': 'NPS-2FA-Auth', 'active': True, 'scope': 'authentication', 'realm': ['defrealm'], 'adminrealm': [], 'adminuser': [], 'resolver': ['NPS-AD'], 'pinode': ['localnode'], 'check_all_resolvers': False, 'user': [], 'client': [], 'time': '', 'conditions': [], 'priority': 3, 'action': {'challenge_response': 'otp hotp totp yubikey u2f', 'challenge_text': 'Bitte die Anmeldung mit Ihrem OTP bestätigen.', 'otppin': 'userstore', 'passthru': 'userstore', 'reset_all_user_tokens': True}},

I am testing with a user having the attribute "group" as multivalue attribute.

group

["CN=blablabla","CN=blablabla","CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de","CN=blablabla"]

I am expecting that Policy1 matches due to the additional condition. But this does not happen. Policy2 keeps matching and my user is allowed to log in without token.

Any suggestions ?
Best Regards
Amin

Still not getting it working as expected :frowning: Any Tips?
Best Regards
Amin

We do not know your setup.
It is a normal behaviour that a user without a token will not be able to authenticate.

Thus: rejecting a user without a token is the default behaviour!!! ! ! !!!

The policies in PI are not working like firewall-policies! The priority is only used, if 2 policies match the same condition


Dear cornelinux, Dear AAuer,
thank you for the quick reply.
@cornelinux: I already know that it is a normal behaviour to reject a user without a token, that is why I was wondering that my users are being able to log in, even if they don't have a token.
@AAuer: If I assume that priority is only used when 2 policies have the same conditions, how should I be able to make some exceptions based on some user attributes?

About my Setup:

  • I am using 2FA with the vpn service
  • Users are stored in Active Directory, in different groups, "group" is configured as a multivalue attribute
  • Additional user info is being sent in the response
  • My authentication policy is having a passthru action, allowing users without a token to authenticate against Active Directory.

This is working fine!

Now, I need to make an exception. Users from a specific group should no longer be able to log in without a token.
To achieve that, I have duplicated my old authentication policy, I have given the new authentication policy additional conditions (userinfo) and a lower priority number and I deleted the passthru action.
I am expecting that a user from this specific group and not having a token would not be able to log in to VPN. But this does not happen.

My 2 authentication policies are the following:

Policy with conditions and without passthru
{'name': '2FA_erforderlich', 'active': True, 'scope': 'authentication', 'realm': ['defrealm'], 'adminrealm': [], 'adminuser': [], 'resolver': ['NPS-AD'], 'pinode': ['localnode'], 'check_all_resolvers': False, 'user': [], 'client': [], 'time': '', 'conditions': [('userinfo', 'group', 'contains', 'CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de', True)], 'priority': 2, 'action': {'challenge_text': '2FA erforderlich! OTP eingeben.', 'otppin': 'userstore'}},

Policy without conditions and with passthru
{'name': 'NPS-2FA-Auth', 'active': True, 'scope': 'authentication', 'realm': ['defrealm'], 'adminrealm': [], 'adminuser': [], 'resolver': ['NPS-AD'], 'pinode': ['localnode'], 'check_all_resolvers': False, 'user': [], 'client': [], 'time': '', 'conditions': [], 'priority': 3, 'action': {'challenge_response': 'otp hotp totp yubikey u2f', 'challenge_text': 'Bitte die Anmeldung mit Ihrem OTP bestätigen.', 'otppin': 'userstore', 'passthru': 'userstore', 'reset_all_user_tokens': True}},

My test user is "szrzs147"
To check the user attributes I used the following command:

http --verify no POST https://localhost/validate/check user=szrzs147 pass=######
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 2232
Content-Type: application/json
Date: Tue, 14 Feb 2023 08:42:42 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)

{
"detail": {
"message": "against userstore due to 'NPS-2FA-Auth'",
"threadid": 139834476082944,
"user": {
"email": ######,
"givenname": ######,
"group": [
"CN=######",
"CN=######",
…
"CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de",
…,

As you can see, the policy "NPS-2FA-Auth" keeps matching. In the audit I see the same and the user is connecting to VPN without OTP.
I am expecting that the policy "2FA_erforderlich" matches due to the user group condition and the lower priority number.

Maybe I am doing something wrong and will be thankful for any help.
Best Regards
Amin

Hello again,
I solved the problem with adding the following condition to the Policy with the passthru action.

'conditions': [('userinfo', 'group', '!contains', 'CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de', True)],

Users from the specified group and not having a token are now not allowed to connect to VPN.
The received error message is unfortunately not significant, but this is a response issue between the NPS and the VPN gateway (Fortigate).

Thank you all for your time and support!
Best Regards
Amin
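A small Python model of the policy lookup discussed in this thread, added here as an illustration (it is not privacyIDEA's own code, and the per-action, lowest-priority-number-wins lookup it assumes is a simplification): with the passthru policy left unconditioned, the VPN-group user without a token still receives passthru, and the !contains condition from the last post closes that gap.

```python
VPN_GROUP = "CN=rz_user_vpn,OU=groups,OU=rz,OU=einrichtungen,DC=uni-kiel,DC=de"

def condition_matches(cond, userinfo):
    # Conditions use the (section, key, comparator, value, active) tuple shape from the thread.
    section, key, comparator, value, active = cond
    if not active:
        return True
    if section != "userinfo":
        raise ValueError("only userinfo conditions are modelled here")
    attr = userinfo.get(key, [])
    values = attr if isinstance(attr, list) else [attr]  # "group" is multivalue
    if comparator == "contains":
        return value in values
    if comparator == "!contains":
        return value not in values
    raise ValueError(f"unsupported comparator: {comparator}")

def action_value(policies, userinfo, action):
    """Value of `action` for this user, or None if no matching policy defines it.
    Assumed model: a matching policy that lacks the action does not stop a
    lower-priority policy from supplying it, which is why passthru still applied."""
    candidates = [p for p in policies
                  if action in p["action"]
                  and all(condition_matches(c, userinfo) for c in p["conditions"])]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p["priority"])["action"][action]

def passthru_lets_user_in(policies, userinfo):
    """A user without a token gets in only if a passthru=userstore action applies."""
    return action_value(policies, userinfo, "passthru") == "userstore"

# The two policies as posted, reduced to the fields that matter here.
POLICY_REQUIRE_2FA = {"name": "2FA_erforderlich", "priority": 2,
    "conditions": [("userinfo", "group", "contains", VPN_GROUP, True)],
    "action": {"otppin": "userstore"}}
POLICY_PASSTHRU_ALL = {"name": "NPS-2FA-Auth", "priority": 3, "conditions": [],
    "action": {"otppin": "userstore", "passthru": "userstore"}}
# The fix from the last post: the passthru policy excludes the VPN group.
POLICY_PASSTHRU_FIXED = dict(POLICY_PASSTHRU_ALL,
    conditions=[("userinfo", "group", "!contains", VPN_GROUP, True)])

# Constructed sample userinfo with a multivalue "group" attribute.
VPN_USER = {"group": ["CN=other", VPN_GROUP]}
OTHER_USER = {"group": ["CN=other"]}

if __name__ == "__main__":
    print(passthru_lets_user_in([POLICY_REQUIRE_2FA, POLICY_PASSTHRU_ALL], VPN_USER))    # True: the problem
    print(passthru_lets_user_in([POLICY_REQUIRE_2FA, POLICY_PASSTHRU_FIXED], VPN_USER))  # False
```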