Yubico Forum
https://forum.yubico.com/

YubiRADIUS 3.6 - assigning new tokens issue
https://forum.yubico.com/viewtopic.php?f=4&t=903

Author:  HardKnoX [ Fri Jan 04, 2013 4:32 am ]
Post subject:  YubiRADIUS 3.6 - assigning new tokens issue

Hi;

I'm trying to use the new YubiRADIUS 3.6 build, freshly installed from scratch. Newly installed because the upgrade from 3.5.4 to 3.6 failed.

Now with the freshly installed 3.6 I'm getting the following error when I'm trying to assign a token to a user account;

Code:
Error in adding the key mapping : Unknown error


We can add a domain (eg: acme.local), we can set AD import and successfully import users however no matter what we do we cannot assign a token to an acme.local user.

I got the same error yesterday while we were playing with 3.5.4 and I had the DNS server misconfigured; however, it took longer to show, whereas under 3.6 the DNS settings are correct and the MS AD user accounts all imported as expected.

Is this a known issue with 3.6 and if so are there any fixes available for it?

I think I'm going to stick with 3.5.4 for now.

Author:  samir [ Fri Jan 04, 2013 12:26 pm ]
Post subject:  Re: YubiRADIUS 3.6 - assigning new tokens issue

Hello,

We have never heard of such a problem before, we are very interested to diagnose any potential failures. Can you please send us the following logs to "support@yubico.com" to analyze the issue?

1. Please configure the log files with the following settings from the webmin console:
   1. Login to webmin
   2. Go to "System" >> "System Logs"
   3. Click on log file (ykropval.log, etc. mentioned below)
   4. Select "all" option in "priorities" field of "Message types to log" section
   5. Please click on "save" button to save the changes.
   6. Please repeat step 3, 4 and 5 for other log files mentioned below.
   7. Please click on "Apply Changes" button on System Logs page
   8. Go to "Servers" >> "YubiRADIUS Virtual Appliance"
   9. Navigate 'Global Configuration' >> 'FreeRADIUS' menu, please enable FreeRADIUS Logging
   10. Could you please ssh to the YRVA instance and restart the rsyslog process by executing the following command:
       /etc/init.d/rsyslog restart
   11. Please try to add the user and test the user with YubiKey credentials.

Please send us the following log files:
/var/log/syslog
/var/log/messages
/var/log/ykval.log
/var/log/ykropval.log
/var/log/ykmap.log
/var/log/freeradius/radius.log
/var/log/postgresql/postgresql-8.4-main.log
/var/log/apache2/error.log
/var/log/apache2/access.log
/var/log/debug

2. If you have already configured the webmin logs, please send the "webmin.debug" file available at /var/webmin/webmin.debug

If not please configure the log file with the following settings from the webmin console:
   1. Login to webmin
   2. Go to "Webmin" >> "Webmin Configuration"
   3. Please Click on "Debugging Log File"
   4. Please Click on "yes" option of "Debug log enabled?"
   5. Please click on "save" button to save the changes.
   6. Please once again Import Users.

Please find the "webmin.debug" file at /var/webmin/webmin.debug

3. Please brief on any other observations and please send the screen shots, error messages observed.

Thanks and best regards,
Samir.

Author:  HardKnoX [ Sun Jan 06, 2013 11:11 pm ]
Post subject:  Re: YubiRADIUS 3.6 - assigning new tokens issue

Do you need the whole log files or just the last 100 lines shortly after the token assigned attempt was done?

Also we noticed the following error when we used the troubleshooting tool;

Code:
Troubleshoot – Validate OTP

Validate OTP Response:
Last Client Query:
http://127.0.0.1/wsapi/2.0/verify?id=1&nonce=f54266b6ff59faee493a1504b4b1d22d&otp=[token removed]&h=EYhPUCUuS4XFRCB2GsEPtS2nV6s=
Server Responses:
Authentication Failed!
Error message: NO_VALID_ANSWER


I removed the token from the message above ( ignore [token removed])

The "127.0.0.1" bit is api.yubico.com on our 3.5.4 Radius server, which would explain why it is failing, as it's using itself to verify the token instead of the cloud service.

Author:  HardKnoX [ Mon Jan 14, 2013 8:26 pm ]
Post subject:  Re: YubiRADIUS 3.6 - assigning new tokens issue

Hi;

I have figured out some more since the last post. I found that the default configuration of the 3.6 Radius VM is to verify the token key against itself. I have changed that, and I also noticed that the customer ID was set to 1 instead of 4233. Now I get the following message;

Code:
Validate OTP Response:
Last Client Query:
http://api.yubico.com/wsapi/2.0/verify?id=4233&nonce=(-Removed-)=
Server Responses:
Authentication Failed!
Error message: NO_VALID_ANSWER


We looked for any other default misconfigured properties but could not find any that could explain why it is failing.

Are there any new updates available that would fix this issue, or does anybody know what I need to do to get it fixed?

Author:  samir [ Wed Apr 10, 2013 4:05 pm ]
Post subject:  Re: YubiRADIUS 3.6 - assigning new tokens issue

Hello,

The Client ID and API key will need to be provided as per the selected validation server.

For Local Validation Server on YubiRADIUS Virtual Appliance:
Client ID: 1
API Key: "IXazp2MoffwFYj/pfcc+v20SMVc=" (without quotes)

For YubiCloud - Online Validation Server:
Client ID: 4233
API Key: "H9xX7BeTIbhYK3xCb/PSEeRVNvY=" (without quotes)

If you are using the Local Validation Server, then you need to import the YubiKeys in YubiRADIUS; there is no need to import the YubiKeys in YubiRADIUS if you are using YubiCloud - Online Validation Server.

To import the YubiKeys in YubiRADIUS local validation server please follow the steps below:
Go to YubiRADIUS >> click on "Import YubiKeys" tab >> select the "Log file source" >> locate the appropriate log file >> click on "Upload" button.

Go to "List YubiKeys" tab which contains all the imported YubiKey public id and confirm that the YubiKey which you want to use with YubiRADIUS is imported.

To check for OTP validation:
Go to YubiRADIUS >> click on "Troubleshoot" >> go to "Validate OTP" section >> Enter the OTP in "YubiKey OTP" field >> click on "Validate" button.

If OTP validation is successful then import the users from AD/LDAP and assign the YubiKey to the user.

To assign the YubiKey to user:
Go to YubiRADIUS >> click on "Domain" >> select the domain name >> select the user from the user list >> click on "Assign a new YubiKey" option >> enter the Login name in "Login Name" field >> enter the YubiKey OTP in "YubiKey OTP" field >> click on "create" button.

To check two factor authentication:
Go to YubiRADIUS >> click on "Troubleshoot" >> enter the username in "Username" field (if you have multiple domains then please enter the username as "username@domainname" (without quotes)) >> enter the password in the "Password" field >> enter the YubiKey OTP in "YubiKey OTP" field >> click on "Send Request" button.

To generate Temporary Token:
Go to YubiRADIUS >> click on "Domain" >> select the domain name >> select the user from the user list >> click on "Temporary token settings" >> select "Enable Temporary Token" option to "Yes" >> click on "Generate" button >> enter the expiry date of token in "Temporary Token Expiry After" field >> enter the "Maximum Authentications Allowed" as per your requirement >> click on "Save" button.

Please write to "support@yubico.com" if you have further questions.

Thanks and best regards,
Samir.
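
How a validation client uses the Client ID and API key pair from the post above, following the Yubico validation protocol 2.0 signing rule (parameters sorted by key, joined with "&", HMAC-SHA1 with the base64-decoded key); a response signed with a different key than the one configured fails verification. This is an added example, not code from the thread or from YubiRADIUS; the key, OTP, nonce, timestamp and the local result names BAD_RESPONSE_SIGNATURE and RESPONSE_MISMATCH are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample values: not a real API key, OTP or nonce.
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-demo-key").decode()
SAMPLE_OTP = "c" * 12 + "b" * 32
SAMPLE_NONCE = "f" * 32


def sign(params, api_key_b64):
    """Base64 HMAC-SHA1 over 'k=v' pairs sorted by key, excluding 'h'."""
    line = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), line.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_query(base_url, client_id, api_key_b64, otp, nonce):
    """Build the verify URL; 'h' is computed before URL-encoding the values."""
    params = {"id": client_id, "nonce": nonce, "otp": otp}
    params["h"] = sign(params, api_key_b64)
    return base_url + "?" + urlencode(params)


def parse_response(body):
    """Split CRLF-separated 'key=value' lines; values may contain '='."""
    pairs = (ln.strip().split("=", 1) for ln in body.splitlines() if "=" in ln)
    return {k: v for k, v in pairs}


def check_response(body, api_key_b64, otp, nonce):
    """Return the server status only if signature, OTP and nonce all match."""
    f = parse_response(body)
    expected = sign(f, api_key_b64).encode()
    if not hmac.compare_digest(f.get("h", "").encode(), expected):
        return "BAD_RESPONSE_SIGNATURE"  # local label, not a protocol status
    if f.get("otp") != otp or f.get("nonce") != nonce:
        return "RESPONSE_MISMATCH"  # local label, not a protocol status
    return f.get("status", "MISSING_STATUS")


def sample_response(api_key_b64, status="OK"):
    """Constructed server reply, signed with the given key."""
    f = {"otp": SAMPLE_OTP, "nonce": SAMPLE_NONCE, "status": status,
         "t": "2013-01-14T20:26:00Z0123"}
    f["h"] = sign(f, api_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in f.items())
```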

Author:  tommy [ Thu Aug 29, 2013 10:14 am ]
Post subject:  Re: YubiRADIUS 3.6 - assigning new tokens issue

I have the same problem with 3.6.1 :cry:

  • user import from active directory works without a problem.
  • "Validate OTP" from the troubleshoot works also.

But if I try to assign a new yubikey I got this error message:
Code:
Error in adding the key mapping : Unknown error

Auto-provisioning is not working either.

I did set up yubiradius last year about 10 times without a problem, but this time with this version I am going crazy.

All times are UTC + 1 hour