We are currently introducing privacyIDEA for 2FA. We would like to use the autoassign function to roll out the system. We are currently encountering strange problems.
To the Background:
Currently, we have integrated our VPN (FortiGate) and the RADIUS.
For the autoassignment we have enrolled some tokens (YubiKey) for testing in privacyIDEA but have not assigned them to the users. The aim is for them to carry out this job themselves.
For that we have created 2 policies:
1.) scope: authentication
Currently, I don't know why, but the assignment doesn't always work. I also cannot determine what the problem is. Some users could assign their token and the login/authentication worked, and for others it did not.
The error message that appears on the FortiClient is: Incorrect user name or password
In privacyIDEA the attempt cannot be found at all. I would have thought that at least PIN and OTP values should be separated here, but there are no logs (not in the audit log and not in the privacyIDEA debug log).
Are we missing something? Where can I get more information about the error?
Unfortunately, a day of further research did not help me. The autoassignment works now and then.
Looking at the logs of FreeRADIUS I found chap-request and chap-response. But we are using any Windows clients. If the autoassignment is successful then these chap entries are missing.
Below are the logs of a failed autoassignment authentication:
Another issue that I have found in the logs is that the FortiGate is sending multiple requests for 1 authentication.
Do we have a misconfiguration at our FortiGate, or do we need more power for the privacyIDEA/FreeRADIUS system? Currently both applications are running on a VM with 2 vCPUs and 4 GB RAM.
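The post mentions two things worth checking in the FreeRADIUS debug output (`radiusd -X`): whether the password arrives as PAP (`User-Password`) or CHAP (`CHAP-Password`), and whether the NAS repeats the same Access-Request. The privacyIDEA RADIUS plugin needs the cleartext password to forward it to privacyIDEA, so with CHAP it cannot split PIN from OTP and no attempt would reach privacyIDEA's audit log, which matches the symptom described above. The following triage script is an added example, not part of the forum post and not code from the privacyIDEA or FreeRADIUS projects. The log lines in it are constructed to mimic the `radiusd -X` format; the user names and IP addresses are placeholders, and the regular expressions assume that format.

```python
"""
Triage helper for FreeRADIUS debug output (radiusd -X).

Added example (not privacyIDEA or FreeRADIUS project code). It answers:
  1. Per user, was the password sent as PAP (User-Password) or CHAP
     (CHAP-Password / MS-CHAP*)?  The privacyIDEA RADIUS plugin only gets a
     cleartext password with PAP, so only PAP requests can be split into
     PIN + OTP and trigger autoassignment.
  2. Did the NAS send the same Access-Request Id more than once?
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: one PAP request (alice), one CHAP request (bob),
# and one request (carol, Id 19) that the NAS sent twice.
SAMPLE_LOG = """\
(0) Received Access-Request Id 17 from 10.0.0.5:45123 to 10.0.0.1:1812 length 80
(0)   User-Name = "alice"
(0)   User-Password = "******"
(1) Received Access-Request Id 18 from 10.0.0.5:45123 to 10.0.0.1:1812 length 96
(1)   User-Name = "bob"
(1)   CHAP-Password = 0x01aabbccddeeff00112233445566778899
(1)   CHAP-Challenge = 0x0102030405060708090a0b0c0d0e0f10
(2) Received Access-Request Id 19 from 10.0.0.5:45123 to 10.0.0.1:1812 length 80
(2)   User-Name = "carol"
(2)   User-Password = "******"
(3) Received Access-Request Id 19 from 10.0.0.5:45123 to 10.0.0.1:1812 length 80
(3)   User-Name = "carol"
(3)   User-Password = "******"
"""

# "(seq) Received Access-Request Id <id> from <nas-ip>:<port> ..."
RECEIVED_RE = re.compile(
    r"^\((?P<seq>\d+)\) Received Access-Request Id (?P<id>\d+) "
    r"from (?P<nas>[\d.]+):\d+"
)
# "(seq)   Attribute-Name = value"
ATTR_RE = re.compile(r"^\((?P<seq>\d+)\)\s+(?P<name>[\w-]+) = (?P<value>.*)$")


def parse_requests(log_text):
    """Group the attributes of each Access-Request by its sequence number."""
    requests = {}
    for line in log_text.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            requests[m["seq"]] = {"id": m["id"], "nas": m["nas"], "attrs": {}}
            continue
        m = ATTR_RE.match(line)
        if m and m["seq"] in requests:
            requests[m["seq"]]["attrs"][m["name"]] = m["value"].strip('"')
    return requests


def password_method(attrs):
    """Classify how the password was transported in one request."""
    if "User-Password" in attrs:
        return "PAP"
    if "CHAP-Password" in attrs:
        return "CHAP"
    if any(name.startswith("MS-CHAP") for name in attrs):
        return "MS-CHAP"
    return "unknown"


def triage(log_text):
    """Return which users used CHAP/PAP and which request Ids were repeated."""
    requests = parse_requests(log_text)
    methods_by_user = defaultdict(set)
    seen = Counter()
    for req in requests.values():
        user = req["attrs"].get("User-Name", "?")
        methods_by_user[user].add(password_method(req["attrs"]))
        seen[(req["nas"], req["id"])] += 1
    return {
        "chap_users": sorted(u for u, m in methods_by_user.items()
                             if m & {"CHAP", "MS-CHAP"}),
        "pap_users": sorted(u for u, m in methods_by_user.items() if "PAP" in m),
        # Same NAS address + same RADIUS Id seen more than once = retransmit.
        "duplicate_requests": {f"{nas}/Id{rid}": n
                               for (nas, rid), n in seen.items() if n > 1},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for user in result["chap_users"]:
        print(f"{user}: CHAP, cleartext password not available, "
              "PIN/OTP split and autoassignment cannot happen")
    print("duplicate Access-Requests:", result["duplicate_requests"])
```

Run it against a real `radiusd -X` capture by replacing `SAMPLE_LOG` with the file contents. Users listed under `chap_users` are the ones whose client negotiated CHAP rather than PAP on the FortiGate side; repeated Ids under `duplicate_requests` with a short gap usually mean the NAS timed out and retransmitted before FreeRADIUS answered, which is what a slow privacyIDEA backend on a small VM would look like.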