TOTP set up but cannot test

Started by thefunkygibbon, February 22, 2022, 02:05:48 PM

Hi,

I've set up the TOTP server, created a user and generated a TOTP which I've added to Google Authenticator using the QR code.
If I go to the tester, select TOTP and log in with

<username>
<password><OTP>
ie
thefunkygibbon
password789412

it always says I've gotten the creds wrong. (Also tried the OTP in front of the password... makes no difference.)

Is there some other setting to use to ensure it works?

Both my firewall/phone/laptop are all using the correct time/timezone/date

There must be something I can do to troubleshoot this...? I'm following the guide and there really isn't much to it. Is there something I can check via CLI?

I'm sure you already did this, but let me just make sure:

Within the Tester GUI, did you switch the "Authentication Server" to "TOTP-Server"?

For general logon you have to also add this option to "System" - "Settings" - "Administration" - "Authentication" - "Server". You will want to add all the needed "Identity Providers" you want to be able to logon.

Best wishes :)

When you enable the auth server, the default is <token><Password>

If you want it to be <password><token> you'll have to go into the two-factor auth server config and check "Reverse token order"

Quote from: OPNMind on February 23, 2022, 08:26:17 AM
I'm sure you already did this, but let me just make sure:

Within the Tester GUI, did you switch the "Authentication Server" to "TOTP-Server"?

For general logon you have to also add this option to "System" - "Settings" - "Administration" - "Authentication" - "Server". You will want to add all the needed "Identity Providers" you want to be able to logon.

Best wishes :)

Thanks for your reply. Yes, it's definitely selected the TOTP server in the tester page. I'm not changing my authentication for the system to use TOTP until I have tested it and it is proven to be working OK, else I'll be locking myself out (as per the guide's instructions too).

Quote from: Dominian on February 23, 2022, 08:53:42 AM
When you enable the auth server, the default is <token><Password>

If you want it to be <password><token> you'll have to go into the two-factor auth server config and check "Reverse token order"

Yes, I know. I want to use it as password+token, but as I say I've tested both ways in terms of testing and in the config. Neither makes any difference.

Quote from: thefunkygibbon on February 23, 2022, 10:00:11 AM
Quote from: Dominian on February 23, 2022, 08:53:42 AM
When you enable the auth server, the default is <token><Password>

If you want it to be <password><token> you'll have to go into the two-factor auth server config and check "Reverse token order"

Yes, I know. I want to use it as password+token, but as I say I've tested both ways in terms of testing and in the config. Neither makes any difference.

Strange, I set it up last night just to test and everything worked for me.

Any more ideas to troubleshoot, please?

The only issue it could be is that phone and firewall are not in sync WRT time. The token is only valid for 30 seconds so that might already prevent it from working.

Phones very likely have the correct time so I'd triple-check on the firewall.


Cheers,
Franco

Thanks, but I just checked my phone and my fw and the times are out by maybe a second or two.
Tue Mar 1 16:48:55 GMT 2022
phone is set to GMT and says much the same

I'll try changing it so that the codes are valid for longer and see if that helps.

Don't know if it means anything or not, but I changed it to a 120-second time window and 30 seconds grace, created a new secret/seed for the user, deleted the old one in Authenticator and scanned the new QR. Still doesn't work. But the code still seems to change every 30 seconds. Is that normal behaviour (i.e. does it basically allow any of the last 4 codes in a 120-second time window)?
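To make the two knobs discussed in this thread concrete (the <token><password> versus <password><token> order, and a server-side time window plus grace period that is wider than the app's 30-second period), here is an added Python example; it is not OPNsense's code, and it assumes a server rule of "accept the code of any 30-second step between now minus the window and now plus the grace", which may differ from how OPNsense applies those settings. The secret is the RFC 6238 test vector, constructed here for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test secret ("12345678901234567890") in base32,
# the form a TOTP server places into the otpauth:// URI behind the QR code.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # the period encoded in the QR; this is why the app's code changes every 30 s


def totp(secret_b32, unix_time, step=STEP, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(submitted, reverse=False, digits=6):
    """Default order is <token><password>; reverse=True means <password><token>."""
    if len(submitted) <= digits:
        raise ValueError("too short to hold both a password and a token")
    if reverse:
        return submitted[:-digits], submitted[-digits:]
    return submitted[digits:], submitted[:digits]


def verify_login(submitted, expected_password, secret_b32, now, reverse=False,
                 step=STEP, window_seconds=120, grace_seconds=30):
    """Assumed server rule (not necessarily OPNsense's): accept the code of any
    step whose start lies in [now - window_seconds, now + grace_seconds]."""
    try:
        password, token = split_credential(submitted, reverse)
    except ValueError:
        return False
    if not hmac.compare_digest(password, expected_password):
        return False
    first = (now - window_seconds) // step
    last = (now + grace_seconds) // step
    return any(hmac.compare_digest(totp(secret_b32, c * step, step), token)
               for c in range(first, last + 1))


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test time; the app would show 081804 for this step
    print(totp(SAMPLE_SECRET_B32, now))
    print(verify_login("password081804", "password", SAMPLE_SECRET_B32, now, reverse=True))
    print(verify_login("081804password", "password", SAMPLE_SECRET_B32, now, reverse=True))
```

Note that the app keeps its 30-second period regardless of the server's window: widening the window only lets the server accept neighbouring codes, so an order mismatch or a wrong secret still fails every time.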

Maybe try another app and check the phone's time. Something is definitely not right.

I'm using "Authenticator" on iOS and it works fine.


Cheers,
Franco

Tried on YubiKey too. Can you answer a few questions just to make sure I'm not doing something dumb?

a) When I add it, it tells me it's a 30-second time period despite the TOTP server being set to a time window of 120 at the moment. Is this expected behaviour?

b) There doesn't really seem to be any way to tell OPNsense that a specific user should use a specific type of authentication method, i.e. I could in theory have multiple TOTP servers created. I know in the tester it gives you the option to select the method, but from a created user's perspective it doesn't seem to allow you to say "this user must use this auth method".

c) When the QR is imported into the auth app it lists it as username@firewallname. Is that the username I should be using to log in, or is it just username?