Thank you for the quick response.
@clembo wrote:
Can you explain a little more what you mean by:
"if I download the profile with two factor authentication turned off on the radius, it succeeds. If I then turn on two factor authentication again, the radius sends the challenge correctly and the controller responds to the correct radius and everything works as it should"
On the radius server I can choose to append the token pin after the password like (password + PIN) instead of entering the PIN in a separate field.
If I do this, the authentication is successful and the profile is downloaded correctly. If I then change the radius server to issue a challenge after logging in with username and password, this also works as expected.
So I DO have a working connection to the radius using PAP and the token functionality works, just not when downloading the profile.
It is not an option for my client to use the password-appended option.
See below for a snip from the security authmgr logs from the login process that fails:
Feb 7 14:10:09 :124004: <DBUG> |authmgr| VIA Authentication Profile is 'via-lab-open'
Feb 7 14:10:09 :124004: <DBUG> |authmgr| aal_authenticate user:testuser vpnflags:0
Feb 7 14:10:09 :124004: <DBUG> |authmgr| unknown user=172.16.120.174, method=VIA-WEB
Feb 7 14:10:09 :124004: <DBUG> |authmgr| aal_authenticate server_group:default
Feb 7 14:10:09 :124004: <DBUG> |authmgr| Select server for method=VIA-WEB, user=testuser, essid=<>, server-group=SecurEnvoy, last_srv <>
Feb 7 14:10:09 :124004: <DBUG> |authmgr| server=SecurEnvoy, ena=1, ins=1 (1)
Feb 7 14:10:09 :124038: <INFO> |authmgr| Selected server SecurEnvoy for method=VIA-WEB; user=testuser, essid=<>, domain=<>, server-group=SecurEnvoy
Feb 7 14:10:09 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:339] Radius authenticate user (testuser) PAP using server SecurEnvoy
...
Feb 7 14:10:09 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:972] Challenge from server
Feb 7 14:10:09 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:974] RADIUS RESPONSE ATTRIBUTES:
Feb 7 14:10:09 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] Reply-Message: Enter Your 6 Digit Passcode
Feb 7 14:10:09 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] State: SE63FD6CBA9C09E05668A0C67B660140DEFA8C66BA
Feb 7 14:10:09 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RADIUS_ID: C
Feb 7 14:10:09 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] Rad-Length: 93
Feb 7 14:10:09 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RADIUS_CODE: \013
Feb 7 14:10:09 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RAD_AUTHENTICATOR: \012\361\262L\206nC\340\334n/\261\370BX*
Feb 7 14:10:09 :124003: <INFO> |authmgr| Authentication result=Challenge from server(6), method=VIA-WEB, server=SecurEnvoy, user=172.16.120.174
Feb 7 14:10:09 :124004: <DBUG> |authmgr| Auth server 'SecurEnvoy' response=6
...
Feb 7 14:10:26 :124004: <DBUG> |authmgr| VIA Authentication Profile is ''
Feb 7 14:10:26 :124004: <DBUG> |authmgr| aal_authenticate user:testuser vpnflags:0
Feb 7 14:10:26 :124004: <DBUG> |authmgr| unknown user=172.16.120.174, method=VIA-WEB
Feb 7 14:10:26 :124004: <DBUG> |authmgr| aal_authenticate server_group:default
Feb 7 14:10:26 :124004: <DBUG> |authmgr| Select server for method=VIA-WEB, user=testuser, essid=<>, server-group=default, last_srv <>
Feb 7 14:10:26 :124004: <DBUG> |authmgr| server=Domenekontroller, ena=1, ins=1 (1)
Feb 7 14:10:26 :124038: <INFO> |authmgr| Selected server Domenekontroller for method=VIA-WEB; user=testuser, essid=<>, domain=<>, server-group=default
Feb 7 14:10:26 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:339] Radius authenticate user (testuser) PAP using server Domenekontroller
As you can see, first I am given the Via authentication profile Via-lab-open.
Then when the VIA client sends the PIN for the challenge, the Via authentication profile is blank and I am sent to the default server group and the authentication fails.
For the VIA WEB authentication profile, I only have one profile defined which is the via-lab-open profile.
Thanks a lot again!!
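The symptom in the log above can be checked mechanically: under RFC 2865 the reply to an Access-Challenge has to go back, with the State attribute, to the RADIUS server that issued it. The following Python is an added example, not part of the original post and not vendor tooling; it assumes the authmgr line formats shown above and that one request's lines are not interleaved with another client's, and the function name is hypothetical.

```python
import re

# Constructed sample: lines taken from the authmgr excerpt in the post above.
SAMPLE_LOG = """\
Feb 7 14:10:09 :124004: <DBUG> |authmgr| VIA Authentication Profile is 'via-lab-open'
Feb 7 14:10:09 :124004: <DBUG> |authmgr| unknown user=172.16.120.174, method=VIA-WEB
Feb 7 14:10:09 :124038: <INFO> |authmgr| Selected server SecurEnvoy for method=VIA-WEB; user=testuser, essid=<>, domain=<>, server-group=SecurEnvoy
Feb 7 14:10:09 :124003: <INFO> |authmgr| Authentication result=Challenge from server(6), method=VIA-WEB, server=SecurEnvoy, user=172.16.120.174
Feb 7 14:10:26 :124004: <DBUG> |authmgr| VIA Authentication Profile is ''
Feb 7 14:10:26 :124004: <DBUG> |authmgr| unknown user=172.16.120.174, method=VIA-WEB
Feb 7 14:10:26 :124038: <INFO> |authmgr| Selected server Domenekontroller for method=VIA-WEB; user=testuser, essid=<>, domain=<>, server-group=default
"""

PROFILE = re.compile(r"VIA Authentication Profile is '([^']*)'")
CLIENT = re.compile(r"unknown user=([^,]+), method=")
SELECTED = re.compile(
    r"Selected server (\S+) for method=[^;]+; user=([^,]+),.*server-group=(\S+)")
CHALLENGE = re.compile(
    r"result=Challenge from server\(\d+\), method=[^,]+, server=([^,]+), user=(\S+)")


def find_misrouted_challenge_replies(log_text):
    """Flag requests that follow an Access-Challenge but go to a different server."""
    findings = []
    pending = {}             # client IP -> server whose challenge is unanswered
    profile = client = None  # state of the request currently being read
    for line in log_text.splitlines():
        if m := PROFILE.search(line):
            profile = m.group(1)
        elif m := CLIENT.search(line):
            client = m.group(1)
        elif m := CHALLENGE.search(line):
            pending[m.group(2)] = m.group(1)
        elif m := SELECTED.search(line):
            server, user, group = m.groups()
            challenger = pending.pop(client, None)
            if challenger and challenger != server:
                findings.append({
                    "client": client, "user": user, "profile": profile,
                    "challenged_by": challenger, "sent_to": server,
                    "server_group": group,
                })
    return findings


if __name__ == "__main__":
    for finding in find_misrouted_challenge_replies(SAMPLE_LOG):
        print(finding)
```

On the sample it reports one finding: the request after the SecurEnvoy challenge carries an empty VIA authentication profile and is sent to Domenekontroller in server group default.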