OPNsense Forum
Archive => 20.1 Legacy Series => Topic started by: CraigS on July 25, 2020, 10:52:26 am
-
Good day all,
Please help!
I have Opnsense 20.1.9 installed, and configured for Radius and LDAP authentication.
OPNsense 20.1.9-amd64
FreeBSD 11.2-RELEASE-p20-HBSD
OpenSSL 1.1.1g 21 Apr 2020
Authentications that work:
Local user
Local user + TOTP (Google Authenticator)
Radius user
LDAP user
I did have to install opnsense-patch b2affd1 to get LDAP working. (allow CA cert selection under server)
Then imported the ldap user and generated the QR code.
I cannot get LDAP + TOTP to work. Tried token in front and rear of password and using Google Authenticator but tried 2FA Authenticator too.
Tester just gives this error:
The following input errors were detected: Authentication failed.
The log files do not seem to show any errors regarding ldap or totp.
Am I missing something?
Thank you in advance.
-
Hi Guys,
58x views and no answers?
Does anybody successfully use ldap+totp authentication?
If so, on what firmware version? 18.7, 19.1 and 20.1.9 do not work.
Thanks
-
Sure, I have a half dozen Firewalls running a combination of LDAP and TOTP without any issue.
Are you sure LDAP works via tester?
Hard to diagnose from remote. Your time on firewall is correct? It should be since local+totp works ...
-
Hello mimugmail,
ldap works 100% from tester and vpn logins.
I tried to verify the time sync by looking at my desktop time and vpn time at same time.
It seems to be fine. Perhaps 1sec difference.
Thanks
-
And the time on your mobile?
So, you say local+totp works and ldap+totp doesn't, really?
-
Please see the video:
URL: https://transfer.csir.co.za/index.php/s/WQ6NYGHiMemazQd
passwd is: D5M`(!wr,8
link expires 17/07/2020
I would be very happy if I was making a mistake and could have this problem resolved.
-
Screenshot of this server config please ...
-
screenshot attached
Also tested totp on a different phone with same failure.
-
And ldap-only config screenshot please?
-
screenshot attached
-
Can you switch to plaintext LDAP and port 389, do a tcpdump with -X to watch contents and check if LDAP is really contacted? Hard to debug from remote
-
new cleartext ldap server authenticates fine.
Same server with totp fails.
Tcpdump gives "That device doesn't support monitor mode" error - vmxnet3 vmware driver.
Will try tcpdump on different vm with e1000 driver.
-
You may be on to something.
The successful ldap auth has about 3x times more packets than the ldap+totp auth.
I tested on cleartext and ssl ldap with same results.
It does seem to do the client hello, server hello, certificate hello and handshake without errors.
I wonder if it is sending the totp to the ldap server as well?
-
No, never ever ...
-
Any ideas?
Biggest problem is no logging of errors so I have nowhere to start troubleshooting.
-
When you use LDAP without encryption and via console you do a:
tcpdump -n -i vmxX -X port 389
Then you can see your password in cleartext and if it only is the password.
-
So it looks like the ldap query is not sent when totp is used.
Nothing in the packet capture.
-
Can you try with IP instead of FQDN and plain 389?
-
It still gives the same error, and no ldap query on tcpdump.
No problems without totp.
Could the ldap function that splits the password and totp be the issue?
-
Reset all to defaults, configured just a ldap server + totp with same results.
Reverted snapshot and updated to 20.7 with same results as before... :-\
-
This is really crazy. Can you install 20.1 without any patches and try again?
-
Apologies mimugmail, my computer blew cpu or motherboard this morning, or I would have tested sooner.
Following your advice:
1. installed fresh 20.1-amd64 from iso on vmware esxi using freebsd 11 template
2. assigned ip addresses - wan + lan (not accessible from internet)
3. assigned port 4443 for admin portal (otherwise it clashes with ssl vpn) and set authentication servers as all local and ldap servers under System -> Settings -> Administration
4. added ldap cleartext server + authenticate successfully with Tester
5. imported 1x user (me), generated qr code and added to google authenticator
6. added ldap + totp cleartext server + authentication failed with Tester
No other modifications done at all.
OPNsense 20.1-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.1.1d 10 Sep 2019
-
No, you first add LDAP+totp server and AFTER this you import and create OTP token in user
-
I did not know the totp server must first be created before creating the qr codes.
I deleted the imported ldap user, re-saved the ldap+totp server (changed code position back to front), then imported user, created qr code, and tested.
Still auth failure.
We use Novell/Microfocus e-Directory for ldap in case it makes a difference...
OpenLDAP template gives the same result.
-
Another test:
1. deleted the ldap-totp server and the imported ldap user.
2. created ldap+totp server
3. imported user
4. generated new secret
5. added qr code to google auth
6. auth fails in tester as before
-
mimugmail,
what opnsense version do you use with ldap+totp?
Perhaps I can try re-create your setup?
-
Like I said on GitHub, I now successfully connected on 21.1a and 20.1.6; the reason was a time difference of two minutes while the grace period is one minute.
For the archives: when you use ldap+totp and you don't see LDAP traffic, your OTP verification already failed.
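To make the point above concrete, here is an added illustration (not OPNsense code, and not from anyone in this thread) of the order of operations in a token-plus-LDAP login: the submitted string is split into password and OTP (token in front, or behind it when "reverse order" is ticked), the OTP is checked against the firewall clock with a one-minute grace window, and only if that succeeds is the directory contacted. The seed, the username and the stub directory are constructed; the directory lookup is exact-case to mimic a case-sensitive LDAP server.

```python
import base64
import hashlib
import hmac
import struct

DEMO_SEED_B32 = "JBSWY3DPEHPK3PXP"  # constructed demo seed, not a real user's secret
STEP = 30                            # TOTP time step in seconds (RFC 6238 default)

# Constructed stand-in for the directory; keys are compared exactly, like a
# case-sensitive LDAP server would treat the login name.
DEMO_DIRECTORY = {"JSmith": "correct horse battery"}


def totp(seed_b32, counter, digits=6):
    """RFC 6238 code for one time-step counter (HMAC-SHA1, dynamic truncation)."""
    key = base64.b32decode(seed_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(seed_b32, token, now, grace_seconds=60):
    """Accept a code generated within +/- grace_seconds of the firewall clock."""
    window = grace_seconds // STEP          # 60 s grace -> two steps either side
    counter = int(now // STEP)
    return any(hmac.compare_digest(totp(seed_b32, counter + d), token)
               for d in range(-window, window + 1))


def split_credentials(submitted, reverse=False, digits=6):
    """Return (password, token): token in front by default, behind it when reverse."""
    if len(submitted) <= digits:
        raise ValueError("submitted string too short to contain a token")
    if reverse:
        return submitted[:-digits], submitted[-digits:]
    return submitted[digits:], submitted[:digits]


def demo_ldap_bind(username, password):
    """Stand-in for the real LDAP bind (constructed); exact-case username lookup."""
    return DEMO_DIRECTORY.get(username) == password


def authenticate(username, submitted, seed_b32, now, reverse=False):
    """Returns (ok, stage). LDAP is only contacted once the OTP check has passed,
    so a failed OTP (e.g. clock skew beyond the grace window) produces no LDAP traffic."""
    password, token = split_credentials(submitted, reverse)
    if not verify_totp(seed_b32, token, now):
        return False, "totp"
    if not demo_ldap_bind(username, password):
        return False, "ldap"
    return True, "ldap"
```

Run with the firewall two minutes ahead of the phone (the counter shifted by four steps) and the function returns at the "totp" stage, which is exactly the "no packets on port 389" symptom; a wrong-case username gets past the OTP stage and fails at "ldap".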
-
I have confirmed that the vpn server and my mobile with authenticator are 2 seconds out according to https://time.is/ and our VMWare administrator confirmed that the physical host time is also correct.
So I start again. Just to confirm the sequence:
1. Install opnsense 20.1 and set ip addresses
2. Configure ldap+totp server
3. Import ldap user and create qr code
4. use Tester to verify login.
-
Yep, so better tick reverse order to put the token OTP behind the AD password
-
Installed clean 20.1 - same issue.
If totp was the problem would local+totp not also be broken?
-
Hi mimugmail,
So I set both the local user and the ldap user's otp seed to be the same.
Google authenticator shows the same otp for both users.
local+totp works 100%
ldap+totp fails.
Just ldap works 100%
I would think the totp token is not the problem.
ntpd.log shows this but local+totp still works:
Aug 12 21:09:10 pta-vpn1-2fa ntpd[27650]: ntpd exiting on signal 15 (Terminated)
Aug 12 21:09:10 pta-vpn1-2fa ntpd[27650]: 146.64.x.x local addr 146.64.x.x -> <null>
Aug 12 21:09:10 pta-vpn1-2fa ntpd[27650]: 146.64.x.x local addr 146.64.x.x -> <null>
Aug 12 21:09:10 pta-vpn1-2fa ntpd[57512]: ntpd 4.2.8p15@1.3728-o Tue Jul 28 02:25:36 UTC 2020 (1): Starting
Aug 12 21:09:10 pta-vpn1-2fa ntpd[57512]: Command line: /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
Aug 12 21:09:10 pta-vpn1-2fa ntpd[57512]: ----------------------------------------------------
Aug 12 21:09:10 pta-vpn1-2fa ntpd[57512]: ntp-4 is maintained by Network Time Foundation,
Aug 12 21:09:10 pta-vpn1-2fa ntpd[57512]: Inc. (NTF), a non-profit 501(c)(3) public-benefit
Aug 12 21:09:10 pta-vpn1-2fa ntpd[57512]: corporation. Support and training for ntp-4 are
Aug 12 21:09:10 pta-vpn1-2fa ntpd[57512]: available at https://www.nwtime.org/support
Aug 12 21:09:10 pta-vpn1-2fa ntpd[57512]: ----------------------------------------------------
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: proto: precision = 0.978 usec (-20)
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: basedate set to 2020-07-16
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: gps base set to 2020-07-19 (week 2115)
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: restrict: 'monitor' cannot be disabled while 'limited' is enabled
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: Listen and drop on 0 v6wildcard [::]:123
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: Listen normally on 2 vmx0 146.64.x.x:123
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: Listen normally on 3 vmx0 [fe80::250:56ff:fe9a:d3b8%1]:123
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: Listen normally on 4 lo0 [::1]:123
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: Listen normally on 5 lo0 127.0.0.1:123
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: Listening on routing socket on fd #26 for interface updates
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
Aug 12 21:09:10 pta-vpn1-2fa ntpd[19912]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
-
The only thing I can offer is that you come to IRC in late August and I have a quick look via TeamViewer.
-
Hi mimugmail,
Apologies for the late reply.
I am busy purchasing a business subscription and support hours for this and a few more issues.
Will give feedback when I know what the heck is going on, even if I was flatheaded.
Thank you very much for trying to help.
Regards,
Craig.
-
I'm quite sure the guys will find it :)
-
Hi Mimugmail,
So the entire issue was because our LDAP is case sensitive.
I was using cstrydom instead of CStrydom to login.
Ad looked and tested for a while and came up with that brilliant deduction.
I would never have thought about it.
Regards,
Craig.
-
Really? Wasn't it the case that OPN didn't even try an initial LDAP connection?