Wrong OTP PIN after upgrade but valid from the server itself / issue with specific case/letter?

Hello,

Context

Remote Access users connect through OpenVPN with Active Directory and TOTP.
We have more than 90 employees connecting through this method since the COVID pandemic.

Explain the issue

Yesterday, I finally upgraded our PI server from version 3.5.2 to 3.6.3.
I did a backup + snapshot beforehand to be safe in case it failed.

Since the upgrade, no issue was found.

But this morning many users cannot connect anymore.
Two users for example:

  • password 1: 3litsàMontagne!
  • password 2: Hercule45698*

One password has 2 special characters and the second one only 1.

Testing

First, the log tells me “WRONG OTP PIN”
Audit log when trying to login

But when I test it from the PI server itself, it tells me “Successfully authenticated”

Test token with OTP

I found out that Newpassword1% is working. I wanted to test if the issue was the “!”.

I first modified 3litsàMontagne! to 3litsàMontagne% with no success.
Then 3litsàMontagne! to 3litsaMontagne%, and this is working.

Did something change in the parsing / verification of the userstore password and OTP PIN?
I am continuing my testing of this bug to gather more data and will keep this post updated.
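Added example, not from this thread or the privacyIDEA project: it models the class of problem the tests above point at, a non-ASCII character in the userstore password failing when one hop decodes the RADIUS User-Password bytes as Latin-1 instead of UTF-8, while the ASCII-only variant survives. The Latin-1 mis-decode is an assumed model of the fault, not the plugin's actual code; the trailing 6-digit OTP split is the usual PIN+OTP layout.

```python
# Constructed example: how an encoding mismatch between a RADIUS front end
# and the backend breaks passwords containing non-ASCII characters.
# The faulty decoder below is an ASSUMED model of the bug, not real plugin code.

OTP_LEN = 6


def decode_correct(user_password: bytes) -> str:
    """Correct handling: User-Password bytes are UTF-8, decode them as such."""
    return user_password.decode("utf-8")


def decode_faulty(user_password: bytes) -> str:
    """Assumed faulty handling: bytes interpreted as Latin-1. Every multi-byte
    UTF-8 sequence becomes mojibake (e.g. 'à' -> 'Ã\\xa0'); pure ASCII is unchanged."""
    return user_password.decode("latin-1")


def split_pin_and_otp(submitted: str) -> tuple[str, str]:
    """PIN+OTP layout: the last OTP_LEN digits are the OTP, the rest is the
    userstore password (the 'PIN' in the audit log)."""
    return submitted[:-OTP_LEN], submitted[-OTP_LEN:]


def verify(stored_password: str, submitted: bytes, decoder) -> bool:
    """Compare the PIN part against the userstore password after decoding.
    (The OTP itself is only checked for shape here; a real server validates it.)"""
    pin, otp = split_pin_and_otp(decoder(submitted))
    return pin == stored_password and len(otp) == OTP_LEN and otp.isdigit()


def mojibake_of(password: str) -> str:
    """Diagnostic helper: what the backend would see under the faulty decoder."""
    return decode_faulty(password.encode("utf-8"))


if __name__ == "__main__":
    otp = "123456"  # constructed OTP value
    for pw in ("3litsàMontagne!", "3litsaMontagne%"):
        wire = (pw + otp).encode("utf-8")  # what the VPN client sends
        print(pw, "correct:", verify(pw, wire, decode_correct),
              "faulty:", verify(pw, wire, decode_faulty),
              "seen as:", mojibake_of(pw))
```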

Could be this.

I assume that you are using RADIUS. Please ensure to also update the freeradius plugin.

Yes I use the FreeRadius plugin along with PI.

The latest version of FreeRADIUS available in the official Ubuntu 20.04 APT repository is 3.0.20 (14 Nov 2019).

I will update manually next week to v3.0.25 to see if it fixes the issue, and will update this thread to let you know.

Thanks for the help @cornelinux

I was not talking about updating FreeRADIUS but the privacyIDEA FreeRADIUS plugin!
Stay with your current FreeRADIUS and update the plugin!

Ah sorry, I misunderstood what you said.

It is already at the latest version: privacyidea-radius is already the newest version (3.4.1-2focal)

Do I need to update it manually?

Yes, you should.

However, there should be a version 3.4.2 in the repos.

Do you know when 3.4.2 will be available in the repos?
To install it manually, do I need to follow this guide: Radius plugin?

Thanks

Hi,

Currently it is only available in the devel repository.
If you want to test it, change the repository entry from stable to devel.
Example for Ubuntu 20 (focal):

from

deb http://lancelot.netknights.it/community/focal/stable focal main

to

deb http://lancelot.netknights.it/community/focal/devel focal main

apt update
apt search privacyidea-radius
privacyidea-radius/devel,devel 3.4.2-1focal all [upgradable from: 3.4.1-2focal]

br

Julio

Thank you @julio !

If it is in the devel repo, does that mean it is not stable yet?

It is not that I want to test it; I intend to fix my password encoding issue.

Hi s0p4L1n,

Yes, please consider this package a development package.

br

Julio

So if I understand correctly, the last stable version of privacyidea-radius (3.4.1) is not compatible (results in the password encoding error) with the latest stable version of privacyIDEA?

In order to fix the issue, I need to use a version that is not stable, on the production server?

Do you know when the stable version will be released ?

FYI

The privacyidea-radius 3.4.2 package was released to the stable repo.

br

julio