[Solved] LDAP + TOTP authentication failure
CraigS
Posted on: July 25, 2020, 10:52:26 am
Good day all,
Please help!
I have OPNsense 20.1.9 installed and configured for RADIUS and LDAP authentication.
OPNsense 20.1.9-amd64
FreeBSD 11.2-RELEASE-p20-HBSD
OpenSSL 1.1.1g 21 Apr 2020
Authentications that work:
Local user
Local user + TOTP (Google Authenticator)
RADIUS user
LDAP user
I did have to install opnsense-patch b2affd1 to get LDAP working (allow CA cert selection under server).
Then I imported the LDAP user and generated the QR code.
I cannot get LDAP + TOTP to work. I tried the token in front of and after the password, using Google Authenticator, but tried 2FA Authenticator too.
Tester just gives this error:
The following input errors were detected: Authentication failed.
The log files do not seem to show any errors regarding LDAP or TOTP.
Am I missing something?
Thank you in advance.
Last Edit: October 22, 2020, 10:48:06 am by CraigS
CraigS
Reply #1 on: August 03, 2020, 11:19:00 am
Hi Guys,
58 views and no answers?
Does anybody successfully use LDAP + TOTP authentication?
If so, on what firmware version? 18.7, 19.1 and 20.1.9 do not work.
Thanks
mimugmail
Reply #2 on: August 03, 2020, 11:22:47 am
Sure, I have half a dozen firewalls running a combination of LDAP and TOTP without any issue.
Are you sure LDAP works via the tester?
Hard to diagnose remotely. Is the time on your firewall correct? It should be, since local + TOTP works ...
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
CraigS
Reply #3 on: August 03, 2020, 11:33:08 am
Hello mimugmail,
LDAP works 100% from the tester and VPN logins.
I tried to verify the time sync by looking at my desktop time and the VPN time at the same time.
It seems to be fine. Perhaps a 1 sec difference.
Thanks
mimugmail
Reply #4 on: August 03, 2020, 12:35:07 pm
And the time on your mobile?
So, you say local + TOTP works and LDAP + TOTP doesn't, really?
CraigS
Reply #5 on: August 03, 2020, 01:13:30 pm
Please see the video:
URL:
https://transfer.csir.co.za/index.php/s/WQ6NYGHiMemazQd
passwd is: D5M`(!wr,8
Link expires 17/07/2020.
I would be very happy if I were making a mistake and could have this problem resolved.
mimugmail
Reply #6 on: August 03, 2020, 01:19:01 pm
Screenshot of this server config please ...
CraigS
Reply #7 on: August 03, 2020, 01:24:27 pm
Screenshot attached.
Also tested TOTP on a different phone with the same failure.
mimugmail
Reply #8 on: August 03, 2020, 01:29:06 pm
And the LDAP-only config screenshot, please?
CraigS
Reply #9 on: August 03, 2020, 01:32:45 pm
Screenshot attached.
mimugmail
Reply #10 on: August 03, 2020, 01:47:48 pm
Can you switch to plaintext LDAP on port 389, do a tcpdump with -X to watch the contents, and check whether LDAP is really contacted? Hard to debug remotely.
CraigS
Reply #11 on: August 03, 2020, 01:58:54 pm
The new cleartext LDAP server authenticates fine.
The same server with TOTP fails.
tcpdump gives a "That device doesn't support monitor mode" error (vmxnet3 VMware driver).
Will try tcpdump on a different VM with the e1000 driver.
CraigS
Reply #12 on: August 03, 2020, 02:22:27 pm
You may be on to something.
The successful LDAP auth has about 3x more packets than the LDAP + TOTP auth.
I tested on cleartext and SSL LDAP with the same results.
It does seem to do the client hello, server hello, certificate and handshake without errors.
I wonder if it is sending the TOTP to the LDAP server as well?
mimugmail
Reply #13 on: August 03, 2020, 02:40:51 pm
No, never ever ...
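The exchange above turns on three questions: where the six-digit code sits in the submitted password field, whether the firewall clock is close enough to the phone's, and whether the code is ever forwarded to the LDAP server. The following Python is an added example written for this page, not OPNsense code, showing how a TOTP-wrapped directory login is normally assembled: split the code off the submitted field (suffix by default, prefix optionally), verify it against RFC 6238 with a one-step drift window, and only then bind with the remaining password. The seed is the RFC 6238 test-vector key, the user and password are constructed, and the "LDAP bind" is a stand-in dictionary; the split position, window size and stage names are assumptions of this example, not OPNsense settings.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo data (not from the thread). The seed is the RFC 6238
# test-vector key ("12345678901234567890" in Base32); the user/password pair is
# invented, and the dictionary stands in for a real LDAP directory.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_USERS = {"craig": "correct horse battery staple"}


def totp(seed_b32: str, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the default for Google Authenticator."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_valid(seed_b32: str, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(seed_b32, now + k * step, step), code):
            return True
    return False


def split_credential(field: str, digits: int = 6, token_first: bool = False):
    """Separate the OTP from the combined password field.
    Returns (password, token), or None when the field cannot contain both."""
    if len(field) <= digits:
        return None
    if token_first:
        return field[digits:], field[:digits]
    return field[:-digits], field[-digits:]


def fake_ldap_bind(user: str, password: str) -> bool:
    """Stand-in for the directory bind; only the password part reaches it."""
    return DEMO_USERS.get(user) == password


def authenticate(user: str, field: str, seed_b32: str, now: int,
                 token_first: bool = False) -> dict:
    """Check in the order a 2FA-wrapped backend performs it: split the field,
    verify the TOTP locally, then bind with the remainder only. The returned
    'stage' names which step rejected the login (assumed names, for the demo)."""
    parts = split_credential(field, token_first=token_first)
    if parts is None:
        return {"ok": False, "stage": "split"}
    password, token = parts
    if not token.isdigit() or not totp_valid(seed_b32, token, now):
        return {"ok": False, "stage": "totp"}
    if not fake_ldap_bind(user, password):
        return {"ok": False, "stage": "ldap"}
    return {"ok": True, "stage": "done"}


def current_code(seed_b32: str) -> str:
    """The code the firewall would expect right now; compare it with the phone."""
    return totp(seed_b32, int(time.time()))


if __name__ == "__main__":
    # Fixed timestamp 59 is the first RFC 6238 test vector (code 287082).
    print(authenticate("craig", "correct horse battery staple287082", DEMO_SEED_B32, 59))
    print(authenticate("craig", "287082correct horse battery staple", DEMO_SEED_B32, 59))
    print("expected code now:", current_code(DEMO_SEED_B32))
```

With the fixed timestamp, the code-last field succeeds, the same field with the code in front fails at the TOTP stage unless `token_first=True`, a code one step old still passes because of the drift window, and a code three steps old does not. `current_code` is the clock check mimugmail asks about: if the value it prints on the firewall disagrees with the phone, the two clocks are not within a step of each other.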
CraigS
Reply #14 on: August 03, 2020, 03:19:51 pm
Any ideas?
The biggest problem is that no errors are logged, so I have nowhere to start troubleshooting.