Yubico Forum


All times are UTC + 1 hour




Posted: Tue Jan 26, 2010 11:19 am

Joined: Tue Jan 26, 2010 11:06 am
Posts: 2
Hi,

I'm trying to set up a VPN with Yubikey according to this howto: http://code.google.com/p/yubico-pam/wik ... nVPNviaPAM

And in principle it works fine, i.e. as long as I don't use the OpenVPN supplied GUI. As soon as I do that, it seems that not the whole PASSWORD + OTP string gets transmitted. It seems only 48 or 49 characters get transmitted. Do you know of any constraints in this regard? Without a GUI, Yubikey can't be used by our customer.

I believe that the problem is the Windows password entry field, because when I tried PAP (with pptp, freeradius, pam, yubico on the server side) I had the same problem. Shortening the password helps, btw :(.

cu, Adam.


Posted: Thu Jan 28, 2010 7:02 am
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We would appreciate it if you could provide us with the following information:

    1) Details of the operating system where you have installed the OpenVPN and FreeRADIUS server
    2) OpenVPN server and Windows GUI client version
    3) FreeRADIUS server version
    4) Windows operating system details where you have installed OpenVPN GUI client


Posted: Mon Feb 01, 2010 4:37 pm

Joined: Tue Jan 26, 2010 11:06 am
Posts: 2
Hi, sorry for the late reply. The details are as follows.

The server is Debian GNU/Linux 5.0:
  • uname -a: Linux <IP> 2.6.26-2-amd64 #1 SMP Thu Nov 5 02:23:12 UTC 2009 x86_64 GNU/Linux
  • freeradius: 2.0.4+dfsg-6
  • openvpn: 2.1~rc11-1

The client is Windows XP:
  • Windows XP Professional Version 2002 SP 3
  • OpenVPN (with GUI): 2.1.1


Posted: Mon May 30, 2011 2:18 pm

Joined: Wed May 18, 2011 11:51 am
Posts: 9
I have the same issue - was there a solution? (I know this is an old topic, but, someone...?)

I am trying to use RADIUS at my VPN Server to authenticate to ROPII.
That is, my setup: Client(Win7VPN)----> VPN_ROUTER(VYATTA)--->RADIUS SERVER (ROPII)

I am using the Windows 7 VPN client, and using L2TP with IPSEC. The IPSEC link is connecting, securing my connection. I have the L2TP Authentication mode set to use PAP, and am sending Username@domain.com in the Username field, and password+OTP in the password field.

Via the ROPII logs, I can see that the request is being received by the ROPII server, but the OTP is being truncated - max length of password+OTP is exactly 48 characters - any additional characters are not being received, and hence, the OTP validation is failing.

I have the ROPII machine correctly validating the OTPs when sent to it via a pGina login, but I am trying to set it up so that I can incorporate the OTP into the VPN connection, and remove the need for pGina. I am using Ipsec/L2TP so that IPSEC encrypts the transmission first, so I can use PAP to send the passwords in clear text (so that the OTP is not altered in transmission) without compromising my security.

It is all working, except that, because the OTP is being truncated, I cannot succeed in having the OTP validated by ROPII.

Does anyone know what it is that is truncating my password+OTP to 48 characters? Is it the MSWindows VPN client? The RADIUS protocol? ROPII (surely not!)?

I suspect the client, however I can find no documentation suggesting a limit on password length, and Adam (who started this post) has (had?) the same issue with OpenVPN - so, maybe the client is innocent after all?

I am this close to a great solution, and this truncation issue is infuriating... :evil:


Posted: Tue Jun 07, 2011 11:31 am

Joined: Wed May 18, 2011 11:51 am
Posts: 9
Ok, I have checked this with Microsoft, and can confirm that the VPN client is the problem.
They advise that the VPN client accepts a maximum of 48 characters, and this cannot be extended.
http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/b71b1d1e-f54c-4481-b27c-63063bcad022

This is rather disappointing. :x
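
Added example, not part of any post in this thread: a server-side check that locates the OTP inside a received password+OTP field and reports how many characters a length-limited client cut off, returning lengths only so no secret reaches a log. It assumes the default 44-character Yubico OTP whose first 12 characters are the key's static public ID; the function names and sample values are constructed for illustration.

```python
"""Locate a (possibly truncated) Yubico OTP inside a received password+OTP field."""

MODHEX = set("cbdefghijklnrtuv")  # Yubico modhex alphabet
OTP_LEN = 44        # assumption: default OTP = 12-char public ID + 32-char token
CLIENT_LIMIT = 48   # password-field limit reported in this thread


def max_static_password_len(limit=CLIENT_LIMIT):
    """Longest static password that still leaves room for a full OTP."""
    return max(0, limit - OTP_LEN)


def diagnose(received, public_id):
    """Return length-only findings (never the secret itself), or None when
    the key's public ID is not present in the field at all."""
    start = received.rfind(public_id)
    if start == -1:
        return None  # no OTP appended, or cut off before the public ID ended
    otp_part = received[start:]
    missing = max(0, OTP_LEN - len(otp_part))
    return {
        "password_len": start,
        "otp_len": len(otp_part),
        "otp_is_modhex": set(otp_part) <= MODHEX,
        "missing_chars": missing,
        "truncated": missing > 0,
        "at_client_limit": len(received) == CLIENT_LIMIT,
    }


# Constructed sample values, not taken from a real key or account.
PUBLIC_ID = "ccccccbcgujh"
SAMPLE_OTP = PUBLIC_ID + "rtuvcbdefghijklnrtuvcbdefghijkln"
SAMPLE_FIELD = "hunter22pw" + SAMPLE_OTP  # 10 + 44 = 54 characters

if __name__ == "__main__":
    print("as typed:   ", diagnose(SAMPLE_FIELD, PUBLIC_ID))
    print("as received:", diagnose(SAMPLE_FIELD[:CLIENT_LIMIT], PUBLIC_ID))
    print("max static password:", max_static_password_len())
```

With a 48-character field and a 44-character OTP, only 4 characters remain for the static password, which matches the observation above that shortening the password helps.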

