Yubico Forum https://forum.yubico.com/ |
YubiRADIUS 3.6 fail to assign yubikey to user https://forum.yubico.com/viewtopic.php?f=29&t=985 |
Author: | kore [ Sun Mar 03, 2013 10:06 am ] |
Post subject: | YubiRADIUS 3.6 fail to assign yubikey to user |
Hi,

I'm trying to set up YRVA and I have successfully imported users from my LDAP, but when I try to assign a yubikey to a user I get:

Error in adding the key mapping : Unknown error

Not sure what log files you need for debugging this, but from the webmin log I can see that it validates against yubicloud, but when it tries to add the mapping it fails:

yubico-RoP adding mapping "urlhttp://127.0.0.1/wsapi/ user:kore@pwny.se yubikey_id:ccccccbhlvcf"
yubico-RoP ykmap_add_mapping: "http://127.0.0.1/wsapi/map-store?find=yubikey_prefix&record=ccccccbhlvcf&keyword=username&value=kore%40pwny.se"
yubico-RoP adding mapping "Error in adding the key mapping"

I'm confused about this URL, should there be some daemon running and listening on 127.0.0.1:80?

Regards
Author: | samir [ Mon Mar 04, 2013 6:35 am ] |
Post subject: | Re: YubiRADIUS 3.6 fail to assign yubikey to user |
Hello,

Please send the following log files to "support@yubico.com".

1. Please configure the log files with the following settings from the webmin console:

   1. Login to webmin
   2. Go to "System" >> "System Logs"
   3. Click on log file (ykropval.log, etc. mentioned below)
   4. Select "all" option in "priorities" field of "Message types to log" section
   5. Please click on "save" button to save the changes.
   6. Please repeat step 3, 4 and 5 for other log files mentioned below.
   7. Please click on "Apply Changes" button on System Logs page
   8. Go to "Servers" >> "YubiRADIUS Virtual Appliance"
   9. Navigate 'Global Configuration' >> 'FreeRADIUS' menu, please enable FreeRADIUS Logging
   10. Could you please ssh to the YRVA instance and restart the rsyslog process by executing the following command:

       /etc/init.d/rsyslog restart

   11. Please try to add the user and test the user with YubiKey credentials.

   Please send us the following log files:

   /var/log/syslog
   /var/log/messages
   /var/log/ykval.log
   /var/log/ykropval.log
   /var/log/ykmap.log
   /var/log/freeradius/radius.log
   /var/log/postgresql/postgresql-8.4-main.log
   /var/log/apache2/error.log
   /var/log/apache2/access.log
   /var/log/debug

2. If you have already configured the webmin logs, please send "webmin.debug" file available at /var/webmin/webmin.debug

   If not, please configure the log file with the following settings from the webmin console:

   1. Login to webmin
   2. Go to "Webmin" >> "Webmin Configuration"
   3. Please click on "Debugging Log File"
   4. Please click on "yes" option of "Debug log enabled?"
   5. Please click on "save" button to save the changes.
   6. Please once again Import Users.

   Please find the "webmin.debug" file at /var/webmin/webmin.debug

FYI, to map the username with YubiKey please follow the steps:

"YubiRADIUS Virtual Appliance" webmin interface >> select domain under "Domain" tab >> select user under "Users/Groups" tab >> click on "Assign a new YubiKey" >> put "Login Name" (do not add domain name with your username, only "Login Name" eg. "user1") >> emit OTP to "Yubico OTP" field >> click on "Create".

Hope this helps!

Thanks and best regards,
Samir.
Author: | kore [ Mon Mar 04, 2013 10:03 am ] |
Post subject: | Re: YubiRADIUS 3.6 fail to assign yubikey to user |
Done. |
Author: | cjl [ Tue Mar 05, 2013 2:26 pm ] |
Post subject: | Re: YubiRADIUS 3.6 fail to assign yubikey to user |
Any updates regarding this issue? I'm in the exact same situation.

When I add the login-uid: foob2

Error in adding the key mapping : Unknown error

If I'm adding the "login name": foo bar

Error in adding the key mapping : Failed to find the user with login name 'foo bar'
Author: | samir [ Wed Mar 06, 2013 7:41 am ] |
Post subject: | Re: YubiRADIUS 3.6 fail to assign yubikey to user |
Hello,

You can assign YubiKey in two ways:

(1) Assign YubiKey to the user through "Users/Groups" tab:

1. Go to the YubiRADIUS VA webmin interface >> click on "YubiRADIUS Virtual Appliance" on the left side links
2. Click on "Domain" tab >> select domain
3. Under "Users/Groups" tab select user >> click on "Assign a new YubiKey"
4. Input the "User Details" as "Login Name" (Do not add domain name with login name; eg. "user1") >> emit "YubiKey OTP" >> click on "Create" button.

(2) Assign YubiKey to the user through "List YubiKeys" tab:

1. Go to the YubiRADIUS VA webmin interface >> click on "YubiRADIUS Virtual Appliance" on the left side links
2. Click on "List YubiKeys" tab >> select the "YubiKey" >> click on "Assign a YubiKey to User"
3. Input the "User Details" as "Login Name@domain.com" (Please add domain name with login name; eg. "user1@domain.com") >> emit "YubiKey OTP" >> click on "Create" button.

Hope this helps! Please write to "support@yubico.com" if you have further questions.

Thanks and best regards,
Samir.
Author: | cjl [ Thu Mar 07, 2013 6:25 am ] |
Post subject: | Re: YubiRADIUS 3.6 fail to assign yubikey to user |
Sorry, but that gives the exact same result as before.

Error in adding the key mapping : Unknown error
Author: | cjl [ Thu Mar 07, 2013 7:14 am ] |
Post subject: | Re: YubiRADIUS 3.6 fail to assign yubikey to user |
Here's the steps I have gone through.

1. install YRVA
2. configure LDAP import
   2.1 Verified imported user(s). I can see the imported user in the list:
       Username = Foo Bar
       Login Name/ Group/OU = foob2
3. Assign YubiKey to user - I've tested with both the username and Login name, they are getting two different errors, see above.
4. Logfiles say that it cannot find "foob2" but it's still in the list of users, and I can re-import the user from ldap.

Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_INFO:ykmap-query:[127.0.0.1] Request: find=username&record=foob2%40ldapdomain.local&keyword=yubikey_prefix
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_INFO:ykmap-query:[127.0.0.1] found protocol version 1
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_INFO:ykmap-query:dsi:searching for keyword : username in db
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_DEBUG:ykmap-query:dsi:db:DB query is: SELECT * FROM ykmaps WHERE keyword = 'username' and value = 'foob2@ldapdomain.local'
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_NOTICE:ykmap-query:dsi:no recors for keyword : username
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_CRIT:ykmap-query:[127.0.0.1] No records exists!

When I'm importing the users I'm using this as a filter:

(memberOf=CN=VPN_Users,ou=Groups,ou=ldapdomain,DC=ldapdomain,DC=local)

And Login Name Identifier = samAccountName

Could there be a mismatch between the import usernames and what username is in the local YRVA-db?
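Added example, not part of the original posts and not Yubico code: a small Python parser for the ykmap syslog lines quoted in the post above. It pairs each "Request:" line with its DB query and the "No records exists!" outcome, then lists failed username lookups whose part before "@" is a known bare login name. The login-name set {"foob2"} is an assumption taken from the imported user list described in that post.

```python
import re
from urllib.parse import parse_qs

# Log lines copied from the post above (ykmap entries in syslog format).
SAMPLE = """\
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_INFO:ykmap-query:[127.0.0.1] Request: find=username&record=foob2%40ldapdomain.local&keyword=yubikey_prefix
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_INFO:ykmap-query:[127.0.0.1] found protocol version 1
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_DEBUG:ykmap-query:dsi:db:DB query is: SELECT * FROM ykmaps WHERE keyword = 'username' and value = 'foob2@ldapdomain.local'
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_NOTICE:ykmap-query:dsi:no recors for keyword : username
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_CRIT:ykmap-query:[127.0.0.1] No records exists!
"""

LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]+\s\S+\sykmap\[(?P<pid>\d+)\]:\s(?P<level>LOG_\w+):(?P<msg>.*)$")
REQUEST = re.compile(r"Request: (\S+)")
DB_QUERY = re.compile(r"keyword = '([^']*)' and value = '([^']*)'")

def failed_lookups(text):
    """Return one dict per ykmap request that ended in 'No records exists!'."""
    pending, failures = {}, []  # pending: pid -> request currently in flight
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        req = REQUEST.search(msg)
        if req:
            # parse_qs URL-decodes the values, so %40 becomes '@'
            pending[pid] = {k: v[0] for k, v in parse_qs(req.group(1)).items()}
            continue
        cur = pending.get(pid)
        if cur is None:
            continue
        db = DB_QUERY.search(msg)
        if db:
            cur["db_keyword"], cur["db_value"] = db.groups()
        elif "No records exists" in msg:
            failures.append(pending.pop(pid))
    return failures

def domain_qualified_misses(failures, login_names):
    """Failed username lookups whose part before '@' is a known bare login name."""
    hits = []
    for f in failures:
        value = f.get("db_value", f.get("record", ""))
        local, sep, _domain = value.partition("@")
        if f.get("find") == "username" and sep and local in login_names:
            hits.append((value, local))
    return hits

if __name__ == "__main__":
    # {"foob2"} is an assumption: the login name shown in the imported user list.
    for value, local in domain_qualified_misses(failed_lookups(SAMPLE), {"foob2"}):
        print(f"lookup for {value!r} found nothing; imported login name is {local!r}")
```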
Author: | samir [ Fri Mar 22, 2013 1:11 pm ] |
Post subject: | Re: YubiRADIUS 3.6 fail to assign yubikey to user |
Hello,

Please perform the following steps:

1. Go to YubiRADIUS webmin interface >> click on "Troubleshoot" tab >> go to "Validate OTP" section >> emit OTP from your YubiKey to "YubiKey OTP" >> click on "Validate"

   If your YubiKey OTP is authenticated successfully you can proceed further to step 2. If the OTP is not authenticated successfully please import the YubiKey to YubiRADIUS; please refer to step 3.

2. You can assign YubiKey in two ways:

   (1) Assign YubiKey to the user through "Users/Groups" tab:

   1. Go to the YubiRADIUS VA webmin interface >> click on "YubiRADIUS Virtual Appliance" on the left side links
   2. Click on "Domain" tab >> select domain
   3. Under "Users/Groups" tab select user >> click on "Assign a new YubiKey"
   4. Input the "User Details" as "Login Name" (Do not add domain name with login name eg. user@domain.com) >> emit "YubiKey OTP" >> click on "Create" button.

   (2) Assign YubiKey to the user through "List YubiKeys" tab:

   1. Go to the YubiRADIUS VA webmin interface >> click on "YubiRADIUS Virtual Appliance" on the left side links
   2. Click on "List YubiKeys" tab >> select the "YubiKey" >> click on "Assign a YubiKey to User"
   3. Input the "User Details" as "Login Name@domain.com" (Please add domain name with login name eg. user@domain.com) >> emit "YubiKey OTP" >> click on "Create" button.

3. YubiKey is a write-only device so there is no way one can read the configuration from programmed YubiKeys. If you have the log file created by the personalization tool, you can find these parameters in the log file.

   Please refer to section 5.2.5 of "YubiRADIUS configuration Guide" available at http://www.yubico.com/wp-content/upload ... _3_6_0.pdf

   As per this section you need to configure your YubiKey with the help of "Cross Platform Personalization tool" by keeping log file enabled. Please follow the steps to use Cross Platform Personalization tool with logfile.

For your convenience, please find the step-by-step instructions below on how to reprogram a YubiKey in OTP mode and upload the AES key to YubiCloud servers so you can validate the OTPs from your reprogrammed YubiKey against the YubiCloud service (if you choose your Validation Server as "Online Validation Server").

1) Download and install the latest Cross Platform Personalization Tool for Windows from the link below: http://www.yubico.com/products/services ... tools/use/ and look for section "Cross platform personalization tools"
2) Start the YubiKey Personalization Tool
3) Insert your YubiKey into the USB port
4) Click on "Settings" tab >> "Logging Settings" >> check (enable) "Log configuration output" >> set path for the "Log output file". It will automatically save settings.
5) From the "Yubico OTP" tab, click on "Quick" button
6) In the "Quick" mode, select the configuration slot which you want to program
7) All other parameters will be randomly generated. Generate the parameters again if you want by clicking on "Regenerate" button
8) Click on the "Write Configuration" button, and leave the YubiKey Personalization tool running

If you want to use "Local Validation Server", please go to "Import YubiKeys" >> select "Log File Source" as "Cross-Platform Personalization tool" >> click on "Choose file" button >> locate the "Log output file" created by personalization tool while programming YubiKey >> click on "Upload" button. You will find the YubiKeys imported under "List YubiKeys" and try testing YubiRADIUS with the help of "troubleshoot" tab.

Please note - if you select "online validation server" there will be no "YubiKey import" option; you have to upload AES key of YubiKey to YubiCloud, then you can use YubiKey with YubiRADIUS for authentication.

Please contact "support@yubico.com" if you have further questions.

Thanks and best regards,
Samir.
All times are UTC + 1 hour