Closed tronatore closed 4 years ago
Forgot to mention that I already tried the examples on how to use OTP (Challenge or Append) but still cannot figure out how to. Seems like -OTP is my grid card's ID (six figures) but it does not work yet.
Hello @tronatore
As you are using 9.9.5 the current logic may not quite support the scenario you have; maybe this command is the closest:
New-PASSession -Credential $cred -BaseURI https://PVWA -UseClassicAPI -useRadiusAuthentication $True -OTP passcode -OTPMode Challenge
This should prompt you for the OTP after the primary auth method has passed.
Please share results if still an issue (Debug & verbose output will help)
Thanks for the quick response! I have tried these:
1. PS C:\Users\userX> New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS -RadiusChallenge Password -UseClassicAPI
   Invoke-PASRestMethod : [403] Failed to logon. Reason: Authentication failure for User [userX].
2. PS C:\Users\userX> New-PASSession -Credential $cred -BaseURI https://my.company.com -UseClassicAPI -useRadiusAuthentication $True -OTP passcode -OTPMode Challenge
   Invoke-PASRestMethod : [403] Authentication failure.
Pete, I am using as the $cred object:
$User = "userX"
$Password = ConvertTo-SecureString -String "_____ge" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password
Is passcode the grid card's code (6 digits)?
The closest I got was using the following line, and it failed when it requested the grid card's coordinates shown in the error:
PS C:\Users\userX> New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS -OTP 829450
Invoke-PASRestMethod : [500] Enter a response to the grid challenge [C2] [I1] [K4] using a card with serial number 829450.
After this message, I do not know how to pass the C2, I1, K4 coordinates.
I forgot to mention, 829450 is my actual grid card's serial number... I do not know if this is the data it is expecting to be passed as part of the -OTP flag... actually I do not know what to put as -OTP?
I do not know Grid Card, but it will not be the serial number; it will be the values at your coordinates: https://www.entrust.com/gridcard/
Agreed! They must be coordinates! So, when I run "New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS -OTP <>" and enter <> = 3R7 (the resulting codes for [C2] [I1] [K4]), it fails again.
So far, the logic supports:
- the OTP parameter must be the literal value "passcode" to receive the prompt
- OTPMode must be "Challenge"
What appears to be missing from psPAS currently for your scenario is being able to see the details of the specific information being requested by your RADIUS solution.
You can see from previous discussions #245 #195 that different implementations have different requirements - this may require some updates.
Ok! I am going to check #245 #195 #206, etc., to see if I understand how this works. I seem not to understand how this works. OTP using a mobile phone, in which getting the code is something the client does not use. The test method they gave me is based on using a grid card. Once the user and password are entered (e.g. in PVWA), an additional popup window requests the coordinates from the grid card. In this case, using New-PASSession it seems like I should re-run New-PASSession: the first time collect the grid coordinates requested (during the error) and then retry the New-PASSession command, this time adding the 3 coordinates to the password string (e.g. $password = "Password,3R7"). This is what I get from all of this... There is no way to foresee the coordinates so I can pass them during the first New-PASSession call... Hopefully, I am going to be on the right track soon...
For your scenario this "Enter OTP" prompt needs to include the message from the exception which asks for the specific information.
@tronatore
Please try the code updated in the issue-283 branch - New-PASSession should now relay the RADIUS requirements to you via the Read-Host prompt.
Syntax:
New-PASSession -Credential $cred -BaseURI $url -type RADIUS -OTPMode Challenge -OTP passcode
Hi! Grabbed your code in #283 and will try soon (the execution policy may have changed on my laptop, therefore I cannot import psPAS 4.0.0 right now... If I solve this and get my PS to reach the psPAS functions, I will carry on with your #283 code and see if I get your solution working at my end). Be back soon.
Hi.
I tried the New-PASSession command in both versions:
Original v4.0.0 psPAS:
PS C:\Users\UserX> New-PASSession -Credential $cred -BaseURI https://my.company.com -UseClassicAPI -useRadiusAuthentication $True -OTP 123456 -OTPMode Challenge
Get-PASParameter : The term 'Get-PASParameter' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I created a new New-PASSession_RAD with the code posted on #283, based upon the v4.0.0 psPAS (called New-PASSession_RAD.ps1):
PS C:\Users\userX> New-PASSession_RAD -Credential $cred -BaseURI https://my.company.com -type RADIUS -OTPMode Challenge -OTP passcode
Get-PASParameter : The term 'Get-PASParameter' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I believe something got mixed up when I imported the v4.0.0. I am rolling back all the changes and will try to get a fresh v4.0.0 psPAS imported and will try to run the original New-PASSession command. Otherwise, I will over-write New-PASSession with the #283 code you posted.
Please advise on this.
You could overwrite the module files (or only New-PASSession), or import the updated module from wherever it is:
import-module D:\psPAS-issue-283\psPAS\psPAS.psd1
If the update works for you, I'll get the dev branch updated and the fix will be part of the next release.
Yes, I did both yesterday, but both methods keep stating the same error: Get-PASParameter : The term 'Get-PASParameter' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I will keep trying (I'm deleting manually all psPAS instances on my laptop and will manually paste them everywhere PS modules reside and see what is going on...)
Will keep you posted!
The change is now merged into the dev branch - it will be part of the next release. Simplified the command also.
-------------------------- EXAMPLE 19 --------------------------
PS > New-PASSession -Credential $cred -BaseURI https://PVWA -type RADIUS
Perform initial authentication and supply OTP value for RADIUS challenge when prompted.
I re-imported psPAS v4.0.0 and tried the last line you posted:
PS C:\Users\userX> New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS -Verbose
VERBOSE: Performing the operation "Logon" on target "https://my.company.com/PasswordVault".
VERBOSE: POST https://my.company.com/PasswordVault/api/Auth/RADIUS/Logon with -1-byte payload
Invoke-PASRestMethod : [500] Enter a response to the grid challenge [G4] [G6] [H1] using a card with serial number 223820.
At line:642 char:19
    + CategoryInfo          : NotSpecified: ({"ErrorCode":"I...umber 223820."}:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : ITATS542I,Invoke-PASRestMethod
It errors out with the same behavior as before. It shows a correct grid card's serial number and coordinates, but I do not know how to enter these 3 values or pass them on...
I tried also: New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS -OTP 7vf -verbose with the same results.
Am I passing the values wrong?
P.S.: I read somewhere that the Grid Card's value should be passed with the password value, something like this: $Password = "MyPassword,7vf" (password and grid card's coordinates separated by ",") Is this true?
Please advise on this.
psPAS v4.0.0 does not have the fix for the issue reported in this thread.
The fix is present in either the dev branch or build 4.0.10 from AppVeyor.
The password used to authenticate must be provided via the credential object provided to the -Credential parameter of New-PASSession.
The value to be used for the OTP must be either provided as the value for the -OTP parameter of New-PASSession, or provided when prompted by the function.
If you already know the OTP to be used for the authentication (i.e. the code is displayed in a soft token), and your RADIUS supports "append mode", -OTPMode Append can be specified to send Password,OTP to your RADIUS.
If you do not know which OTP to provide until after the initial password auth has happened (the OTP is delivered via SMS, for instance, or, in your case, RADIUS instructs you how to work out the value to provide), then enter the details at the prompt once the OTP is known.
This is how it looks:
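The two ways of supplying the OTP described above (Append mode with a known value, Challenge mode answering the RADIUS prompt), wrapped in one function. This is an added example, not code from the psPAS project or from this thread: it uses only the New-PASSession parameters discussed here (-Credential, -BaseURI, -type RADIUS, -OTP, -OTPMode), and the helper name Connect-PASRadius and the BaseURI in the usage lines are assumptions made for the example.

```powershell
# Added example (not psPAS code): a single New-PASSession call for RADIUS,
# covering both OTP modes from the thread. Connect-PASRadius is a hypothetical
# helper name chosen for this example.
function Connect-PASRadius {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]$BaseURI,

        # Prompt for the password rather than building it from plain text in
        # the script; the credential object is all New-PASSession needs.
        [System.Management.Automation.PSCredential]
        $Credential = (Get-Credential -Message 'Vault username and password'),

        # Only meaningful when the OTP is already known (soft/hard token).
        [string]$OTP,

        # Append   : Password,OTP is sent in one request (RADIUS must support append mode).
        # Challenge: password first; the RADIUS challenge text is shown as the
        #            Read-Host prompt and the answer is sent within the same call.
        [ValidateSet('Challenge', 'Append')]
        [string]$OTPMode = 'Challenge'
    )

    $logon = @{
        Credential  = $Credential
        BaseURI     = $BaseURI
        type        = 'RADIUS'
        OTPMode     = $OTPMode
        ErrorAction = 'Stop'
    }

    if ($OTPMode -eq 'Append' -and -not $OTP) {
        throw 'Append mode needs the OTP up front; pass it with -OTP.'
    }
    if ($OTP) {
        # Known value: sent as Password,OTP (Append) or as the challenge answer
        # (Challenge). Without it, Challenge mode prompts interactively.
        $logon['OTP'] = $OTP
    }

    try {
        # One invocation only. Re-running New-PASSession with the answer to an
        # earlier challenge does not work: the challenge changes on every attempt.
        New-PASSession @logon
    }
    catch {
        if ($_.Exception.Message -match '^\[403\]') {
            # Vault/RADIUS rejected the password or the challenge answer.
            throw "PVWA rejected logon for '$($Credential.UserName)': $($_.Exception.Message)"
        }
        throw
    }
}

# Usage (BaseURI is an assumption for this example):
# Connect-PASRadius -BaseURI https://my.company.com
#   -> type the grid values when the "Enter a response to the grid challenge ..." prompt appears
# Connect-PASRadius -BaseURI https://my.company.com -OTP 123456 -OTPMode Append
# Close-PASSession   # log off when done
```

Because Challenge mode relies on Read-Host, it only works in an interactive session; for unattended use the RADIUS side has to support Append mode, since a grid-card challenge cannot be answered before it is issued.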
I updated the NEW-PASSession with the code in the dev branch and re-imported the module. Now my New-PASSession.ps1 contains the code from the dev branch's.
Then I tried:
1. New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS
   New-PASSession -Credential $credentials -BaseURI https://my.company.com -type RADIUS -OTPMode Append
   New-PASSession -Credential $credentials -BaseURI https://my.company.com -type RADIUS -Verbose
   with the same result as before: [500] Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820.
2. Then knowing the values corresponding to [E1] [H1] [H5], I entered: New-PASSession -Credential $credentials -BaseURI https://my.company.com -type RADIUS -OTP 7vf -OTPMode Append Reason: Authentication failure for User [userX].
3. and (knowing the values corresponding to [E1] [H1] [H5] again) New-PASSession -Credential $credentials -BaseURI https://my.company.com -type RADIUS -OTP 7vf [500] Enter a response to the grid challenge [G4] [G6] [H1] using a card with serial number 223820.
Note: I entered into the thick client using the same userX account with the grid card's validations requested by Radius and worked. I don't know if there is a configuration on the account/user that is not allowing me to do the Radius thing.
See the previous answer & screenshot
Only 1 invocation of New-PASSession should be required.
It is doubtful your RADIUS will allow the use of an OTP from a previous authentication attempt.
this is what you should expect:
> New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS
[500] Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820.:: 7vf
If it is not working for you like this, please set $VerbosePreference & $DebugPreference to Continue, and provide the full output you see when you try to authenticate.
If [500] Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820. is getting displayed to you as an error (in red), please also provide the output of $Error[0]
Ok, set the two *Preference variables = 'Continue' and ran the base command as follows:
1.
PS C:\Users\userX> New-PASSession -Credential $credentials -BaseURI https://my.company.com -type RADIUS
DEBUG: [Body] {
"password": "******",
"username": "userX"
}
VERBOSE: POST https://my.company.com/PasswordVault/api/Auth/RADIUS/Logon with -1-byte payload
Invoke-PASRestMethod : [500] Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820.
At line:642 char:19
+ $PASSession = Invoke-PASRestMethod @LogonRequest
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: ({"ErrorCode":"I...umber 223820."}:ErrorRecord) [Invoke-PASRestMethod], Exception
+ FullyQualifiedErrorId : ITATS542I,Invoke-PASRestMethod
2.
PS C:\Users\userX> $Error[0]
Invoke-PASRestMethod : [500] Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820.
At line:642 char:19
+ $PASSession = Invoke-PASRestMethod @LogonRequest
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: ({"ErrorCode":"I...umber 223820."}:ErrorRecord) [Invoke-PASRestMethod], Exception
+ FullyQualifiedErrorId : ITATS542I,Invoke-PASRestMethod
From the information posted - it looks like the latest code is not being used.
Your error has the ITATS542I error code, which is expected for RADIUS auth.
Compared to how it looks in 4.0.0, you can see in the code how the fix changes the way this error is caught so that the prompt is the exception message.
If you are using the latest dev version, there is no way the function can continue until it has a value for the OTP.
ITATS542I is caught and the prompt appears as expected in the development environment.
Check that the updated code is definitely being used.
It will be in the next module release anyway - likely later today/tomorrow.
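To make the ITATS542I handling concrete, here is the same challenge/response exchange performed directly against the REST API with Invoke-RestMethod, so that both sides of the conversation are visible. This is an added example, not psPAS code: the endpoint and the username/password body are the ones in the verbose/debug output earlier in the thread, and the JSON error shape {"ErrorCode":"ITATS542I","ErrorMessage":"..."} is what the truncated CategoryInfo above shows. Two points are assumptions drawn from how psPAS behaves rather than from this page: that the challenge answer is returned in the password field of a second POST to the same endpoint, and that a successful logon returns the session token as a JSON string. Check both against your PVWA version.

```powershell
# Added example (not psPAS code): the RADIUS challenge/response flow that
# New-PASSession performs, written directly against the PVWA REST API.
# Invoke-RadiusLogon is a hypothetical helper name chosen for this example.
function Invoke-RadiusLogon {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$BaseURI,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )

    # Endpoint as seen in the VERBOSE output: POST .../PasswordVault/api/Auth/RADIUS/Logon
    $uri = "$($BaseURI.TrimEnd('/'))/PasswordVault/api/Auth/RADIUS/Logon"

    # Step 1: username + password only (Challenge mode). Same body as the DEBUG output.
    $body = @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    }

    try {
        $token = Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' `
            -Body ($body | ConvertTo-Json)
        return $token   # no second factor requested; token returned directly (assumption)
    }
    catch {
        # PVWA answers HTTP 500 with {"ErrorCode":"ITATS542I","ErrorMessage":"..."}
        # when RADIUS wants a second factor. Anything else is a real failure.
        $detail = $null
        if ($_.ErrorDetails.Message) {
            $detail = $_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue
        }
        if (-not $detail -or $detail.ErrorCode -ne 'ITATS542I') {
            throw
        }
        # e.g. "Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820."
        $challenge = $detail.ErrorMessage
    }

    # Step 2: the challenge text is the prompt; the answer goes back in the
    # password field, same username, same endpoint (assumption, see lead-in).
    $answer = Read-Host -Prompt $challenge -AsSecureString
    $body.password = [System.Net.NetworkCredential]::new('', $answer).Password

    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json)
}

# Usage (BaseURI is an assumption for this example):
# $token = Invoke-RadiusLogon -BaseURI https://my.company.com -Credential (Get-Credential)
# The returned token is what later calls send in the Authorization header.
```

Keeping the ErrorCode check explicit is the point of the example: a 403 on the first POST is a wrong password and must not be turned into a prompt, while ITATS542I is the only code that means "send the second factor now".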
psPAS 4.1.11 now released:
Available via the usual channels:
@tronatore - please try the new version of the module. It can be installed side-by-side with previous versions, no need to mix & match or replace any files.
comment here to let me know if it is working or not - issue can be reopened if required.
Great Pete! 1. Now yesterday I cleaned up my laptop of all old versions and stuff that may interfere with the psPAS v4.1.11 (with the new New-PASSession code). I downloaded it from https://github.com/pspete/psPAS/releases/tag/v4.1.11
After cleaning of remaining old psPAS files, I unzipped the recently downloaded v4.1.11 and grabbed the contents - it had no psPAS folder in it, just:
/Functions
/Private
/xml
about....txt
psPAS.psd1
psPAS.psm1
I created a "psPAS" folder within the "C:\Users\user\Documents\WindowsPowerShell\Modules" folder and pasted /Functions, /Private, ..., psPAS.psm1 in.
Ran: Get-Module -ListAvailable psPAS

    Directory: C:\Users\vassalla\Documents\WindowsPowerShell\Modules

ModuleType Version Name  ExportedCommands
---------- ------- ----  ----------------
Script     4.1.11  psPAS {New-PASSession, Close-PASSession, Add-PASPublicSSHKey, Get-PASPublicSSHKey...}
OK!!!!
Ran: Import-Module psPAS
Import-Module : The following error occurred while loading the extended type data file: , C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.User.Type.ps1xml: The file was skipped because of the following validation exception: File C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.User.Type.ps1xml cannot be loaded. The file C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.User.Type.ps1xml is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170..
The same validation exception ("is not digitally signed. You cannot run this script on the current system.") is reported for each of:
C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Account.Type.ps1xml
C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Credential.Type.ps1xml
C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Safe.Type.ps1xml
C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.ACL.Type.ps1xml
At line:1 char:1
My current execution policy is:
Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy    RemoteSigned
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser    RemoteSigned
 LocalMachine    Unrestricted
Sounds like blocked files. Try right-clicking the downloaded zip and selecting Properties > "Unblock", or unblock your module files: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7#example-2--unblock-multiple-files
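The check and the fix for the "is not digitally signed" import errors above, as an added example (not from this thread): files extracted from a zip downloaded with a browser carry a Zone.Identifier alternate data stream, and under a RemoteSigned policy PowerShell refuses unsigned files that have it. The module path is an assumption matching the layout described in the post.

```powershell
# Added example: find and clear the "mark of the web" on the psPAS files,
# then confirm the module imports cleanly. Path is an assumption.
$modulePath = Join-Path $HOME 'Documents\WindowsPowerShell\Modules\psPAS'

# Which files still carry the Zone.Identifier stream? (These are the ones
# RemoteSigned treats as "from the Internet" and rejects when unsigned.)
$blocked = Get-ChildItem -Path $modulePath -Recurse -File | Where-Object {
    Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
}
$blocked | Select-Object -ExpandProperty FullName

# Remove the stream from every file (equivalent to Properties > Unblock on each).
Get-ChildItem -Path $modulePath -Recurse -File | Unblock-File

# Reload and confirm the .ps1xml type files now load without validation errors.
Remove-Module psPAS -ErrorAction SilentlyContinue
Import-Module -Name psPAS -Force -ErrorAction Stop
(Get-Module psPAS).Version
Get-Command New-PASSession -Module psPAS
```

Running Unblock-File on the zip before extracting it avoids the problem in the first place, since the extracted files inherit the mark from the archive.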
Hello, Yesterday I got back to the RADIUS thing and tried a fresh psPAS module install. After issuing the proposed command, yes, the grid card's coordinates are prompted for. After carefully entering them, I get the error "403 Authentication Failure". It is not the real issue, since this is my production access (with grid card, password, and username) and I basically log in at least twice a day with the same card and password. After this test, I logged in with the exact same parameters and it got me in OK. I will have to keep investigating why this is not working. If I get any useful news I will post it here. Thanks a lot! Will keep you updated.
Describe the issue
When issuing psPAS's New-PASSession, I need to understand (or get an example of) how to:
a) know which coordinates RADIUS is going to request from the user
b) pass these coordinates to the psPAS code

To Reproduce
Steps to reproduce the behavior:

Expected behavior
None. Just need to know how to use RADIUS New-PASSession.

Screenshots & Console Output
NA

Console Output Code Block:
PS C:\Users\userX> New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS
Invoke-PASRestMethod : [500] Enter a response to the grid challenge [B4] [C2] [D1] using a card with serial number 829450.
At line:510 char:19