Yubico Forum
https://forum.yubico.com/

YubiRadius 3.5 - problems authenticating users
https://forum.yubico.com/viewtopic.php?f=5&t=759
Page 1 of 1

Author:  Neal [ Fri Feb 24, 2012 12:44 pm ]
Post subject:  YubiRadius 3.5 - problems authenticating users

Hi all,

I have been trying to get the YubiRadius 3.5 virtual appliance to work and not having much luck. I am currently using YubiRadius 3.0, which is working perfectly, but decided it was time to upgrade. With 3.5 I can install the virtual machine and add the domain; however, I cannot get it to authenticate users.

First I found two problems with the setup - not sure the best place to report these if anyone knows a better way please let me know:

The user import seems to only import users if they belong to a group under the Base DN I enter. For example, if I enter "ou=users, dc=example, dc=com" and all my groups are in "ou=groups, dc=example, dc=com", nothing is imported even if all my users are in the "users" OU. If I enter the Base DN as "dc=example, dc=com" then all users are imported. It might be worth changing point 3g on page 27 of the guide to read "...hierarchy under which the users and groups are located..."

When I deploy the appliance the time is always off by 5.5 hours from the hardware clock, which will prevent the AD password being accepted. Not sure if this is due to my VMware infrastructure or the image itself; it will cause a lot of frustration for people if it's not just me!

Now to the problems I'm still stuck on.

When I do the import from the Base DN "dc=example, dc=com" the users tab in the Webmin module lists all the GROUPS from my AD, and I can then click on those to see the users. This is despite the fact that I have "(objectClass=person)" in the filter box of the import. I have tried other options like filtering to a specific group but that has no effect. Whatever I do I cannot get just users (as shown in the screenshots) to import. Not sure if this is how 3.5 is intended to work, but for my domain (SBS 2003) I have more groups than users, which makes things a bit messy.

My main problem is that I can assign a yubikey to a user however the test page always returns access-reject:
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=70, length=20
I can successfully validate the OTP on the troubleshooting page, I know the password is working because I used it to import the users from AD, I've changed the AD password so it does not include any special chars and is only 9 char long.

The Radius log shows this which so far I have not been able to decipher (despite what I suspect is a big hint in No "Known good" password...):
Code:
Ready to process requests.
Waking up in 0.9 seconds.
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
[<thread>] # Executing section authorize from file /etc/freeradius/sites-enabled/default
[<thread>] +- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
++[files] returns noop
[ldap] Setting Auth-Type = LDAP
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
++[ldap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]    expand: %{User-Name} -> yubitest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Thread 2 waiting to be assigned a request
Sending delayed reject for request 1
Waking up in 4.9 seconds.
Cleaning up request 1 ID 165 with timestamp +127
Ready to process requests.


Any hints or suggestions greatly appreciated.
Cheers,
Neal Harrington

Author:  Neal [ Fri Feb 24, 2012 1:43 pm ]
Post subject:  Re: YubiRadius 3.5 - problems authenticating users

Well I finally figured it out so I'm updating this post in case somebody else has the same issues.

When I added my domain I entered it as EXAMPLE.com - and authentication always failed. I started changing everything one by one and when I entered it in lowercase (example.com) it suddenly started working so the domain name is obviously case sensitive.

I also found that my main password was always rejected because it contained an ampersand "&". Since that was the password I was using most for trying to troubleshoot this, it took me longer than it should have to figure out the main problem. I think this ampersand issue has been mentioned before, but since you can't search the forum for single chars and the word "password" is ignored as too common, I could not find it, so decided to add it here in case it helps anyone.

All seems to be working now. Cheers to the Yubico team for the excellent appliance. :) I'm going to see if I can hack it to return an IP address for VPN clients back to my Netscreen firewall now.

Regards,
Neal Harrington.

Author:  Neal [ Fri Mar 09, 2012 3:47 pm ]
Post subject:  Re: YubiRadius 3.5 - problems authenticating users

I'm having issues with special chars in passwords. If any of these symbols are in a password then authentication always fails via the YubiRadius virtual appliance: ¬ £ % & + \

However all others I have tried work fine: ` ! " $ ^ * ( ) _ - = | { } [ ] : @ ~ ; ' # < > ? , . /

I get the failure via the troubleshooting page in the YubiRadius server which checks the password via LDAP on my SBS 2003 domain controller. Windows logins and webmail logins work fine with any of these chars so I believe it is something within the YubiRadius that is not handling these chars properly, not something in the LDAP/SBS end.

Has anyone else seen this problem or can anyone else report that these special chars are working for them?

Cheers, Neal.

Author:  byteorder [ Mon Mar 12, 2012 2:41 am ]
Post subject:  Re: YubiRadius 3.5 - problems authenticating users

Neal wrote:
Has anyone else seen this problem or can anyone else report that these special chars are working for them?

I have the same problem with passwords with some special chars in them, especially "URL special chars" like "+", which will be understood as " " by the Apache web server. As a result the PHP script which checks LDAP binding gets a wrong password and binding fails.

I guess something went wrong in the pam.d/radiusd python script or somewhere nearby when the password and OTP are sent as an HTTP POST request to the /wsapi/ropverify.php script.
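The failure mode Neal lists in his post about ¬ £ % & + \ and that byteorder explains here (a "+" arriving at the web server as a space, an "&" splitting the field) comes down to building an application/x-www-form-urlencoded body by string concatenation instead of encoding each field. The following is an added example, written for this thread and not code from the appliance or from Yubico: it constructs a few sample passwords containing the characters the thread reports as failing, builds the POST body both the naive way and with proper form encoding, then decodes the body the way a form parser on the server would and checks whether the password survived the round trip. The field names, the user name and the OTP value are constructed placeholders, not the appliance's real parameters.

```python
"""Demonstrates why unencoded passwords break in an HTTP POST body.

Added example for the thread above; it is not the appliance's code. Field names
("user", "pass", "otp") and the sample values are constructed placeholders.
"""
from urllib.parse import parse_qs, urlencode

# Constructed sample passwords. The first three carry characters the thread
# reports as failing ("+", "%" followed by hex digits, "&"); the last is a
# control value with no URL-special characters.
SAMPLE_PASSWORDS = ["pass+word", "up%41grade", "a&b", "plain123"]

CONSTRUCTED_USER = "yubitest"
CONSTRUCTED_OTP = "constructed-otp-value"


def naive_body(user: str, password: str, otp: str) -> str:
    """Build the form body by plain concatenation: the defect being illustrated.

    "+" is read back as a space, "%41" is decoded to "A", and "&" terminates
    the field early, so the server never sees the real password.
    """
    return f"user={user}&pass={password}&otp={otp}"


def encoded_body(user: str, password: str, otp: str) -> str:
    """Build the same body with proper form encoding of every field.

    urlencode percent-escapes "+", "%" and "&" so the server decodes the
    password back to exactly what the client sent.
    """
    return urlencode({"user": user, "pass": password, "otp": otp})


def server_side_password(body: str) -> str:
    """Return the 'pass' field as a form parser on the server would decode it."""
    fields = parse_qs(body, keep_blank_values=True)
    # parse_qs maps each name to a list; an unescaped "&" in the password
    # produces a stray extra field and truncates 'pass'.
    return fields.get("pass", [""])[0]


def password_survives(password: str, encode: bool) -> bool:
    """True if the server decodes the same password the client intended."""
    build = encoded_body if encode else naive_body
    body = build(CONSTRUCTED_USER, password, CONSTRUCTED_OTP)
    return server_side_password(body) == password


def survival_report() -> dict:
    """Map each sample password to (survives_naive, survives_encoded)."""
    return {
        pw: (password_survives(pw, encode=False), password_survives(pw, encode=True))
        for pw in SAMPLE_PASSWORDS
    }


if __name__ == "__main__":
    for pw, (naive_ok, encoded_ok) in survival_report().items():
        print(f"{pw!r:14} naive={'ok' if naive_ok else 'CORRUPTED':9} encoded={'ok' if encoded_ok else 'CORRUPTED'}")
```

Running the block shows the three special-character passwords corrupted by the naive body and intact with the encoded one, while the plain password passes either way, which matches the pattern reported in the thread: only passwords containing URL-significant characters fail. The fix on the client side is to always pass the fields through a form encoder (urlencode here) rather than formatting them into the body by hand.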

Author:  josh_richard [ Thu May 17, 2012 8:01 pm ]
Post subject:  Re: YubiRadius 3.5 - problems authenticating users

I too have been bitten by the HTML escape issue for the pw check. Does anyone within Yubico acknowledge this? This seems like a patch that could be provided to ensure proper escaping of special characters.

Thanks,
Josh

Page 1 of 1 All times are UTC + 1 hour