We've been trying to get 2-factor RADIUS authentication working. We want to send users a One Time Password (OTP) by SMS. Judging by the connection server debug log, the server knows we use a challenge/response, but we don't get a popup where we can type the response code.
My question is: what does the connection server expect as a response from the RADIUS server to actually ask for the response code? So far the View administration guide and Google have left us clueless.
Snippet from connection server log:
The "[OTP Challenge: DEMO ONLY!. Your password is xoqocuk46]" is a print that comes from the Perl script we're using just to see if we can get data back to the connection server; that password would be sent to the user's phone by SMS.
2012-10-02T12:34:28.420+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [XmlRequestProcessor] (SESSION:e611-***-4960) added: submit-authentication
2012-10-02T12:34:28.420+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [XmlAuthFilter] (SESSION:e611-***-4960) Pre-Auth Processing: submit-authentication
2012-10-02T12:34:28.420+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [ProcessorSubmitAuthentication] (SESSION:e611-***-4960) Setting auth request screen name: authType-securid-passcode=true
2012-10-02T12:34:28.421+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusAuthFilter] (SESSION:e611-***-4960) Setting label('HANradiusToken') and sub type ('') in request
2012-10-02T12:34:28.421+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [ProperoAuthFilter] (SESSION:e611-***-4960) Attempting to authenticate against RADIUS
2012-10-02T12:34:28.421+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusAuthSessionState] (SESSION:e611-***-4960) RADIUS bound, username: N/A
2012-10-02T12:34:28.422+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusAuthFilter] (SESSION:e611-***-4960) RADIUS authentication: user credentials supplied for user loonv
2012-10-02T12:34:28.422+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusAuthFilter] (SESSION:e611-***-4960) RADIUS authentication attempt #0
2012-10-02T12:34:28.422+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusClientImpl] (SESSION:e611-***-4960) create RadiusClient
2012-10-02T12:34:28.423+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusServerConfig] (SESSION:e611-***-4960) username 'loonv' mapped to 'loonv'
2012-10-02T12:34:28.423+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusClientImpl] (SESSION:e611-***-4960) authenticate: loonv
2012-10-02T12:34:28.424+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusClientImpl] (SESSION:e611-***-4960) create RADIUS client: 10.0.0.101:1812, 3000
2012-10-02T12:34:28.426+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusClientImpl] (SESSION:e611-***-4960) attempt #0 (using MSCHAP2)
2012-10-02T12:34:28.437+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusClientImpl] (SESSION:e611-***-4960) Login for loonv challenged
2012-10-02T12:34:28.437+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusClientImpl] (SESSION:e611-***-4960) State attribute list:
2012-10-02T12:34:28.438+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusClientImpl] (SESSION:e611-***-4960) Message attribute list: Reply-Message (18), Length: 55, Data: [OTP Challenge: DEMO ONLY!. Your password is xoqocuk46], 0x4F5450204368616C6C656E67653A2044454D4F204F4E4C59212E20596F75722070617373776F726420697320786F716F63756B3436
2012-10-02T12:34:28.438+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusAuthFilter] (SESSION:e611-***-4960) 1 connection attempt(s) to 10.0.0.101
2012-10-02T12:34:28.438+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusAuthFilter] (SESSION:e611-***-4960) authentication challenge
2012-10-02T12:34:28.438+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusAuthFilter] (SESSION:e611-***-4960) RADIUS authentication took 16 ms
2012-10-02T12:34:28.439+02:00 DEBUG (0ADC-0BD0) <TP-Processor5> [RadiusAuthFilter] (SESSION:e611-***-4960) Delaying failure response by additional 14984 ms
The RADIUS Access-Challenge should use attributes 18 and 24.
Mark
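The exchange Mark's answer refers to, as an added example that is not part of the original thread and not VMware's or the OP's code: a RADIUS Access-Challenge round trip built from raw RFC 2865 packets in Python (the OP's server is a Perl script; this stands in for it). It shows the two attributes Mark names, Reply-Message (18) for the prompt text and State (24) for the token the client must echo back, and reproduces the failure in the log above, where the challenge carried a Reply-Message but an empty State list, so the client had nothing to echo and never showed the prompt. The shared secret, the toy server, the prompt text and the function names are all constructed for the demo; the username "loonv" and the OTP "xoqocuk46" are copied from the posted log.

```python
# Added example, not code from the thread or from VMware: one RADIUS Access-Challenge round trip
# built from raw RFC 2865 packets. Shows Reply-Message (18) and State (24) in the challenge, and why
# a challenge carrying only Reply-Message cannot be answered. Secret, server and flow are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    """Type(1) Length(1) Value, Length counting the 2-byte header (RFC 2865 section 5)."""
    if any(not 1 <= len(v) <= 253 for _, v in attrs):
        raise ValueError("attribute value must be 1..253 bytes")
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2]) if i + 2 <= len(data) else (0, 0)
        if length < 2 or i + length > len(data):
            raise ValueError("truncated or malformed attribute at offset %d" % i)
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def get_attr(attrs, t):
    return next((v for a, v in attrs if a == t), None)

def parse_packet(pkt):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes up to Length."""
    code, ident, length = struct.unpack("!BBH", pkt[:4]) if len(pkt) >= 20 else (0, 0, 0)
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    return {"code": code, "id": ident, "auth": pkt[4:20], "attrs": decode_attrs(pkt[20:length])}

def build_packet(code, ident, req_auth, attrs, secret=None):
    """Request: req_auth is the client's random Request Authenticator. Response (secret given):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = req_auth if secret is None else hashlib.md5(header + req_auth + body + secret).digest()
    return header + auth + body

def verify_response(pkt, req_auth, secret):
    """Client side: recompute the Response Authenticator before acting on any reply."""
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def password_xor(data, secret, req_auth, decrypt=False):
    """User-Password hiding (RFC 2865 section 5.2): c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = RequestAuth."""
    data = data if decrypt else data + b"\x00" * (-len(data) % 16)  # hiding pads to 16-byte blocks
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block, key = data[i:i + 16], hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, key))
        out, prev = out + res, (block if decrypt else res)
    return out.rstrip(b"\x00") if decrypt else out  # revealing strips the zero padding again

def challenge_problem(parsed):
    """Why a client could not show a prompt for this reply; None when the challenge is usable."""
    if parsed["code"] != ACCESS_CHALLENGE:
        return "not an Access-Challenge (code %d)" % parsed["code"]
    for attr, name in ((STATE, "State (24)"), (REPLY_MESSAGE, "Reply-Message (18)")):
        if get_attr(parsed["attrs"], attr) is None:
            return "Access-Challenge carries no %s attribute" % name
    return None

def otp_server(raw, secret, pending, otp=b"xoqocuk46", send_state=True):
    """Toy server (constructed): no State means challenge; a follow-up must echo State and carry the OTP."""
    req = parse_packet(raw)
    state = get_attr(req["attrs"], STATE)
    if state is None:
        state = os.urandom(16)
        pending.add(state)  # a real server would send `otp` by SMS at this point
        attrs = [(REPLY_MESSAGE, b"Enter the code sent to your phone")] + ([(STATE, state)] if send_state else [])
        return build_packet(ACCESS_CHALLENGE, req["id"], req["auth"], attrs, secret)
    typed = password_xor(get_attr(req["attrs"], USER_PASSWORD) or b"", secret, req["auth"], decrypt=True)
    ok = state in pending and hmac.compare_digest(typed, otp)
    pending.discard(state)  # one answer per challenge, right or wrong
    return build_packet(ACCESS_ACCEPT if ok else ACCESS_REJECT, req["id"], req["auth"], [], secret)

def run_exchange(secret=b"s3cret", send_state=True, typed=b"xoqocuk46"):
    """Client side of the flow. Returns (final code, reason no prompt could be shown or None)."""
    pending, ra1 = set(), os.urandom(16)
    reply = otp_server(build_packet(ACCESS_REQUEST, 1, ra1, [(USER_NAME, b"loonv")]), secret, pending,
                       send_state=send_state)  # first request; credential attributes omitted here
    if not verify_response(reply, ra1, secret):
        raise ValueError("bad Response Authenticator on challenge")
    parsed = parse_packet(reply)
    if problem := challenge_problem(parsed):
        return parsed["code"], problem
    ra2 = os.urandom(16)  # fresh Request Authenticator; State is echoed back unchanged
    follow = build_packet(ACCESS_REQUEST, 2, ra2, [(USER_NAME, b"loonv"), (STATE, get_attr(parsed["attrs"], STATE)),
                                                  (USER_PASSWORD, password_xor(typed, secret, ra2))])
    final = otp_server(follow, secret, pending)
    if not verify_response(final, ra2, secret):
        raise ValueError("bad Response Authenticator on final reply")
    return parse_packet(final)["code"], None

if __name__ == "__main__":
    print(run_exchange(send_state=False))  # the log's case: challenge without State, no prompt possible
    print(run_exchange(), run_exchange(typed=b"wrong"))  # accepted, then rejected
```

`run_exchange(send_state=False)` is the situation in the posted log: the server answered with code 11 and a Reply-Message, but the "State attribute list:" line was empty, so the client stops with a reason instead of prompting. With State present the second Access-Request echoes it byte for byte under a fresh Request Authenticator and carries the typed code as a hidden User-Password; the server accepts only a State it issued and discards it after one answer. The MD5-based authenticator and password hiding are what RFC 2865 specifies, so the shared secret is the only thing protecting the exchange on the wire; keep the RADIUS path on a trusted network or inside a tunnel.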
Thanks Mark! It would be helpful if this was documented somewhere.
wally wrote:
Thanks Mark! It would be helpful if this was documented somewhere.
I think you're right. I've now added the attribute details to the setup guide here - http://communities.vmware.com/docs/DOC-19448
Mark