Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VIA Profile download fails with Two factor authentication

  • 1.  VIA Profile download fails with Two factor authentication

    Posted Feb 07, 2013 07:39 AM

    Hi.

    I am implementing a VIA two factor authentication.

    When I authenticate to download the profile, it authenticates username and password successfully and the radius gives me a challenge.

    When I enter the challenge the VIA authentication profile that the controller receives is blank, which causes it to try and complete the authentication against the Default server group.

     

    Using the default server group for authenticating is not an option.

     

    The strange thing is that if I download the profile with two factor authentication turned off on the radius, it succeeds.

    If I then turn on two factor authentication again, the radius sends the challenge correctly and the controller responds to the correct radius and everything works as it should.

     

    Does anyone know what might cause the second part of the authentication process to return a blank VIA authentication profile to the controller and cause me to try and authenticate against the wrong controller?

     

    Thanks a lot!



  • 2.  RE: VIA Profile download fails with Two factor authentication

    Posted Feb 07, 2013 07:52 AM

    Can you explain a little more what you mean by:

    "if I download the profile with two factor authentication turned off on the radius, it succeeds.  If I then turn on two factor authentication again, The radius sends the challenge correctly and the controller responds to the correct radius and everything works as it should"

     

    The downloading of the profile does not really use two-factor authentication per se.  It does support the use of tokens however, if that is what you mean.  In doing so, it sends the request as a PAP authentication request, so make sure your token server supports PAP via RADIUS (RSA and Quest both support it).    


    The server used at this point is defined under the VIA Web Authentication profile.  There is only a default profile.  You can add one or more VIA Authentication Profiles to use here.  If there is only 1 defined, it will not prompt in any way; if there are more than 1, you will get presented with a prompt, for example:

     

    via-multiserver-logon.jpg

     

     

    via-multiserver-logon-client.jpg



  • 3.  RE: VIA Profile download fails with Two factor authentication

    Posted Feb 07, 2013 08:31 AM

    Thank you for the quick response.

     


    @clembo wrote:

    Can you explain a little more what you mean by:

    "if I download the profile with two factor authentication turned off on the radius, it succeeds.  If I then turn on two factor authentication again, The radius sends the challenge correctly and the controller responds to the correct radius and everything works as it should"



    On the radius server I can choose to append the token pin after the password like (password + PIN) instead of entering the PIN in a separate field.

    If I do this, the authentication is successful and the profile is downloaded correctly. If I then change the radius server to issue a challenge after logging in with username and password, this also works as expected.

    So I DO have a working connection to the radius using PAP and the token functionality works, just not when downloading the profile.

    It is not an option for my client to use the password-appended option.

     

    See under for a snip from the security authmgr logs from the login process that fails:

     

    Feb 7 14:10:09 :124004:  <DBUG> |authmgr|  VIA Authentication Profile is 'via-lab-open'
    Feb 7 14:10:09 :124004:  <DBUG> |authmgr|  aal_authenticate user:testuser vpnflags:0
    Feb 7 14:10:09 :124004:  <DBUG> |authmgr|  unknown user=172.16.120.174, method=VIA-WEB
    Feb 7 14:10:09 :124004:  <DBUG> |authmgr|  aal_authenticate server_group:default
    Feb 7 14:10:09 :124004:  <DBUG> |authmgr|  Select server for method=VIA-WEB, user=testuser, essid=<>, server-group=SecurEnvoy, last_srv <>
    Feb 7 14:10:09 :124004:  <DBUG> |authmgr|   server=SecurEnvoy, ena=1, ins=1 (1)
    Feb 7 14:10:09 :124038:  <INFO> |authmgr|  Selected server SecurEnvoy for method=VIA-WEB; user=testuser,  essid=<>, domain=<>, server-group=SecurEnvoy
    Feb 7 14:10:09 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:339] Radius authenticate user (testuser) PAP using server SecurEnvoy
    
    ...
    
    Feb 7 14:10:09 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:972] Challenge from server
    Feb 7 14:10:09 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:974] RADIUS RESPONSE ATTRIBUTES:
    Feb 7 14:10:09 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  Reply-Message: Enter Your 6 Digit Passcode
    Feb 7 14:10:09 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  State: SE63FD6CBA9C09E05668A0C67B660140DEFA8C66BA
    Feb 7 14:10:09 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  PW_RADIUS_ID: C
    Feb 7 14:10:09 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  Rad-Length: 93
    Feb 7 14:10:09 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  PW_RADIUS_CODE: \013
    Feb 7 14:10:09 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  PW_RAD_AUTHENTICATOR: \012\361\262L\206nC\340\334n/\261\370BX*
    Feb 7 14:10:09 :124003:  <INFO> |authmgr|  Authentication result=Challenge from server(6), method=VIA-WEB, server=SecurEnvoy, user=172.16.120.174
    Feb 7 14:10:09 :124004:  <DBUG> |authmgr|  Auth server 'SecurEnvoy' response=6
    
    
    ...
    
    
    Feb 7 14:10:26 :124004:  <DBUG> |authmgr|  VIA Authentication Profile is ''
    Feb 7 14:10:26 :124004:  <DBUG> |authmgr|  aal_authenticate user:testuser vpnflags:0
    Feb 7 14:10:26 :124004:  <DBUG> |authmgr|  unknown user=172.16.120.174, method=VIA-WEB
    Feb 7 14:10:26 :124004:  <DBUG> |authmgr|  aal_authenticate server_group:default
    Feb 7 14:10:26 :124004:  <DBUG> |authmgr|  Select server for method=VIA-WEB, user=testuser, essid=<>, server-group=default, last_srv <>
    Feb 7 14:10:26 :124004:  <DBUG> |authmgr|   server=Domenekontroller, ena=1, ins=1 (1)
    Feb 7 14:10:26 :124038:  <INFO> |authmgr|  Selected server Domenekontroller for method=VIA-WEB; user=testuser,  essid=<>, domain=<>, server-group=default
    Feb 7 14:10:26 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:339] Radius authenticate user (testuser) PAP using server Domenekontroller

     As you can see, first I am given the Via authentication profile Via-lab-open.

    Then when the VIA client sends the PIN for the challenge, the Via authentication profile is blank and I am sent to the default server group and the authentication fails.

     

    For the VIA WEB authentication profile, I only have one profile defined which is the via-lab-open profile.

     

    Thanks a lot again!!
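
A log check for the failure visible in the authmgr excerpt above, added here as an example and not part of the original thread: it flags a VIA-WEB login whose leg after a RADIUS challenge arrives with an empty VIA authentication profile or is sent to a different server. The function name and result layout are assumptions; `FAILING` is copied from the post's excerpt, and `HEALTHY` ends with a constructed second leg.

```python
import re

PROFILE_RE = re.compile(r"VIA Authentication Profile is '([^']*)'")
SELECTED_RE = re.compile(
    r"Selected server (\S+) for method=VIA-WEB; user=([^,]+),.*server-group=(\S+)")
CHALLENGE_RE = re.compile(
    r"Authentication result=Challenge from server\(\d+\), method=VIA-WEB, server=([^,\s]+)")

def find_challenge_fallbacks(lines):
    """Return one finding per login whose post-challenge leg lost its profile or server."""
    findings, pending = [], {}   # pending: user -> leg that was answered with a challenge
    profile, leg = "", None      # state of the authentication leg currently being read
    for line in lines:
        if m := PROFILE_RE.search(line):
            profile = m.group(1)
        elif m := SELECTED_RE.search(line):
            server, user, group = m.groups()
            leg = {"user": user, "server": server, "group": group, "profile": profile}
            first = pending.pop(user, None)
            # The challenge response must go back to the server that issued the challenge.
            if first and (not profile or server != first["server"]):
                findings.append({"user": user, "first": first, "second": leg})
        elif (m := CHALLENGE_RE.search(line)) and leg and leg["server"] == m.group(1):
            pending[leg["user"]] = leg
    return findings

# First leg, as logged in the post.
FIRST_LEG = [
    "Feb 7 14:10:09 :124004:  <DBUG> |authmgr|  VIA Authentication Profile is 'via-lab-open'",
    "Feb 7 14:10:09 :124038:  <INFO> |authmgr|  Selected server SecurEnvoy for method=VIA-WEB; user=testuser,  essid=<>, domain=<>, server-group=SecurEnvoy",
    "Feb 7 14:10:09 :124003:  <INFO> |authmgr|  Authentication result=Challenge from server(6), method=VIA-WEB, server=SecurEnvoy, user=172.16.120.174",
]
# Second leg, as logged in the post: blank profile, default server group.
FAILING = FIRST_LEG + [
    "Feb 7 14:10:26 :124004:  <DBUG> |authmgr|  VIA Authentication Profile is ''",
    "Feb 7 14:10:26 :124038:  <INFO> |authmgr|  Selected server Domenekontroller for method=VIA-WEB; user=testuser,  essid=<>, domain=<>, server-group=default",
]
# Constructed second leg showing the expected behaviour (not from the post).
HEALTHY = FIRST_LEG + [
    "Feb 7 14:10:26 :124004:  <DBUG> |authmgr|  VIA Authentication Profile is 'via-lab-open'",
    "Feb 7 14:10:26 :124038:  <INFO> |authmgr|  Selected server SecurEnvoy for method=VIA-WEB; user=testuser,  essid=<>, domain=<>, server-group=SecurEnvoy",
]

if __name__ == "__main__":
    for f in find_challenge_fallbacks(FAILING):
        print(f["user"], f["first"]["server"], "->", f["second"]["server"],
              "profile:", repr(f["second"]["profile"]))
```
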

     



  • 4.  RE: VIA Profile download fails with Two factor authentication

    Posted Feb 12, 2013 09:42 AM

    Sorry, not sure I can be of more assistance with your specific issue. I've used tokens and VIA, but always with the user just entering their passcode (they issue PIN locally and are not challenged or enter PIN + TokenCode). I've not had to set it up with a challenge as you are trying. If you get a response from TAC, please post the result here for future consideration.



  • 5.  RE: VIA Profile download fails with Two factor authentication

    Posted Feb 14, 2013 12:23 AM

    Add the authentication profile against which you want authentication done in the VIA connection profile.



  • 6.  RE: VIA Profile download fails with Two factor authentication

    Posted Feb 14, 2013 03:27 AM

    vpatil:

    The authentication profile is already set in the connection profile. As you can see from the Authmgr log, this is successful on the first factor of authenticating (username / password) but after the second factor (code from SMS) the authentication profile is empty.

     

    -Nesvik



  • 7.  RE: VIA Profile download fails with Two factor authentication

    Posted Feb 14, 2013 03:53 AM

    What is the AOS version you are using?



  • 8.  RE: VIA Profile download fails with Two factor authentication

    Posted Feb 14, 2013 03:54 AM

    I am currently running 6.1.4.1 on that controller



  • 9.  RE: VIA Profile download fails with Two factor authentication

    Posted Feb 14, 2013 05:38 AM

    Can you add the token authentication server into the default server group and check if it works?