Closed tronatore closed 4 years ago
tronatore
commented
4 years ago Forgot to mention that already tried the examples on how to use OTP (Challenge or Append) but still cannot figure out how to . Seems like -OTP is my grid cards' ID (six figures) but it does not work yet.
pspete
commented
4 years ago Hola @tronatore
As you are using 9.9.5 the current logic may not quite support the scenario you have; maybe this command is the closest:
New-PASSession -Credential $cred -BaseURI https://PVWA -UseClassicAPI -useRadiusAuthentication $True -OTP passcode -OTPMode ChallengeThis should prompt you for the OTP after the primary auth method has passed.
Please share results if still an issue (Debug & verbose output will help)
tronatore
commented
4 years ago Thx for the quick response! I have tried these: 1.- PS C:\Users\userX> New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS -RadiusChallenge Password -UseClassicAPI Invoke-PASRestMethod : [403] Failed to logon. Reason: Authentication failure for User [userX].
2.- PS C:\Users\userX> New-PASSession -Credential $cred -BaseURI https://my.company.com -UseClassicAPI -useRadiusAuthentication $True -OTP passcode -OTPMode Challenge Invoke-PASRestMethod : [403] Authentication failure.
Pete, I am using as $cred object: $User = "userX" ; $Password = ConvertTo-SecureString -String "_____ge" -AsPlainText -Force $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password
Is passcode the grid card's code (6 digits)?
The closest I got was using the following line and it failed when requesting to enter the grid card's coordinates provided in the error: PS C:\Users\userX> New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS -OTP 829450 Invoke-PASRestMethod : [500] Enter a response to the grid challenge [C2] [I1] [K4] using a card with serial number 829450.
After this above message, I do not know how to pass the C2,I1,K4 coordenates.
tronatore
commented
4 years ago I forgot to comment, 829450 is my actual grid card's serial number... do not know if this is the data it is expecting to be passed as part of the -OTP flag... actually I do not know what to put as -OTP ???????
pspete
commented
4 years ago I do not know Grid Card - it will not be the serial number, but the values from your coordinates: https://www.entrust.com/gridcard/
tronatore
commented
4 years ago Agreed! They must be coordinates! So, when I run: "New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS -OTP <>" and enter <> = 3R7 (as the resulting codes [C2] [I1] [K4]) fails again.
pspete
commented
4 years ago So far, the logic supports:
OTP parameter must be the literal value "passcode" to recieve the promptOTPMode must be "Challenge"What appears is missing from psPAS currently for your scenario is being able to see the details for the specific information being requested by your radius solution.
You can see from previous discussions #245 #195 , different implementations have different requirements - this may require some updates.....
tronatore
commented
4 years ago Ok! I am going to check #245 #195 #206 , etc., to see if I understand how this works. I seem not to understand how this works. OTP using a mobile phone in which getting the code is something the client does not use. The test method they gave me is based on using a grid card. Once the user and password are entered in (eg pvwa) then an additional popup window requests the coordinates from the grid card. In this case, using NEW-PAS seems like I should re-run NEW-PAS: the first time collect the grid's coordinates requested (during the error) and then, retry the "NEW_PAS" command, this time adding the 3 coordinates to the password string (eg. $password = "Password,3R7"). This is what I get from all of this... There is no way to foresee the coordinates so I can pass them during the first NEW-PASS call... Hopefully, I am going to be on the right track soon...
pspete
commented
4 years ago For your scenario this "Enter OTP" prompt needs to include the message from the exception which asks for the specific information.
pspete
commented
4 years ago @tronatore
Please try the code updated in the issue-283 branch - New-PASSession should now relay the radius requirements to you via the Read-Host prompt.
Syntax:
New-PASSession -Credential $cred -BaseURI $url -type RADIUS -OTPMode Challenge -OTP passcodeHi! Grabbed your code in #283 and will try soon (execution policy may have changed in my laptop therefore, I cannot now import psPAS 4.0.0... If I solve this and make my PS reach psPAS functions, will carry on with your #283 code and see if I get your solution working at my end). Be back soon.
tronatore
commented
4 years ago Hi.
I tried the New-PASSession command in both versions:
Original v4.0.0. psPAS: PS C:\Users\UserX> New-PASSession -Credential $cred -BaseURI https://my.company.com -UseClassicAPI -useRadiusAuthentication $True -OTP 123456 -OTPMode Challenge Get-PASParameter : The term 'Get-PASParameter' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I created a new New-PASSession_RAD with the code posted on #283 based upon the v4.0.0 psPAS (called New-PASSession_RAD.ps1): PS C:\Users\userX> New-PASSession_RAD -Credential $cred -BaseURI https://my.company.com -type RADIUS -OTPMode Challenge -OTP passcode Get-PASParameter : The term 'Get-PASParameter' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I believe something got mixed up when I imported the v4.0.0. I am rolling back all the changes and will try to get a fresh v4.0.0 psPAS imported and will try to run the original New-PASSession command. Otherwise, I will over-write New-PASSession with the #283 code you posted.
Please advise on this.
pspete
commented
4 years ago You could overwrite the module files (or onlyNew-PASSession),
or import the updated module from whereever it is:
import-module D:\psPAS-issue-283\psPAS\psPAS.psd1
If the update works for you, I'll get the dev branch updated and the fix will be part of the next release.
tronatore
commented
4 years ago Yes, I did both yesterday, but both methods keep stating the same error: Get-PASParameter : The term 'Get-PASParameter' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I will keep trying (I'm deleting manually all psPAS instances in my laptop and will manually paste them everywhere where PS modules reside and see what is going on...)
WIll keep you posted!
pspete
commented
4 years ago The change is now merged into the dev branch - it will be part of the next release. Simplified the command also.
-------------------------- EXAMPLE 19 --------------------------
PS > New-PASSession -Credential $cred -BaseURI https://PVWA -type RADIUS
Perform initial authentication and supply OTP value for RADIUS challenge when prompted.I re-imported psPAS v4.0.0 and tried the last line you posted:
PS C:\Users\userX> New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS -Verbose VERBOSE: Performing the operation "Logon" on target "https://my.company.com/PasswordVault". VERBOSE: POST https://my.company.com/PasswordVault/api/Auth/RADIUS/Logon with -1-byte payload Invoke-PASRestMethod : [500] Enter a response to the grid challenge [G4] [G6] [H1] using a card with serial number 223820. At line:642 char:19
+ CategoryInfo : NotSpecified: ({"ErrorCode":"I...umber 223820."}:ErrorRecord) [Invoke-PASRestMethod], Exception
+ FullyQualifiedErrorId : ITATS542I,Invoke-PASRestMethodIt errors out with the same behavior as before. It shows a correct grid card's serial number and coordinates, but I do not know how to enter these 3 values or pass them on...
I tried also: New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS -OTP 7vf -verbose with the same results.
Am I passing the values wrong?
P.S.: I read somewhere that the Grid Card's value should be passed with the password value, something like this: $Password = "MyPassword,7vf" (password and grid card's coordinates separated by ",") Is this true?
Please advise on this.
pspete
commented
4 years ago psPAS v4.0.0 does not have the fix for the issue reported in this thread.
The fix is present in either the dev branch or build 4.0.10 from AppVeyor
The password used to authenticate must be provided via the credential object provided to the -Credential parameter of New-PASSession.
The value to be used for the OTP must be either provided as the value for the -OTP parameter of New-PASSession, or provided when prompted by the function.
If you know already the OTP to be used for the authentication (i.e. the code is displayed in a soft token), and your RADIUS supports "append mode", -OTPMode Append can be specified to send Password,OTP to your RADIUS.
If you do not know which OTP to provide until after the initial password auth has happened, OTP is delivered via SMS for instance, or in your case , RADIUS instructs you how to decipher the value to provide, then enter the details at the prompt once the OTP is known.
This is how it looks:
tronatore
commented
4 years ago I updated the NEW-PASSession with the code in the dev branch and re-imported the module. Now my New-PASSession.ps1 contains the code from the dev branch's.
Then I tried: 1. New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS New-PASSession -Credential $credentials -BaseURI https://my.company.com -type RADIUS -OTPMode Append New-PASSession -Credential $credentials -BaseURI https://my.company.com -type RADIUS -Verbose and the same result as before: [500] Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820.
2. Then knowing the values corresponding to [E1] [H1] [H5], I entered: New-PASSession -Credential $credentials -BaseURI https://my.company.com -type RADIUS -OTP 7vf -OTPMode Append Reason: Authentication failure for User [userX].
3. and (knowing the values corresponding to [E1] [H1] [H5] again) New-PASSession -Credential $credentials -BaseURI https://my.company.com -type RADIUS -OTP 7vf [500] Enter a response to the grid challenge [G4] [G6] [H1] using a card with serial number 223820.
Note: I entered into the thick client using the same userX account with the grid card's validations requested by Radius and worked. I don't know if there is a configuration on the account/user that is not allowing me to do the Radius thing.
pspete
commented
4 years ago See the previous answer & screenshot
Only 1 invocation of New-PASSession should be required
It is doubtful your RADIUS will allow the use of an OTP from a previous authentication attempt....
this is what you should expect:
> New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS
[500] Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820.:: 7vfIf it is not working for you like this, please set $VerbosePreference & $DebugPreference to Continue, and provide the full output you see when you try to authenticate.
If [500] Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820. is getting displayed to you as an error (in red), please also provide the output of $Error[0]
tronatore
commented
4 years ago Ok, set the two *Preference variables = 'Continue' and ran the base command as follows:
1.
PS C:\Users\userX> New-PASSession -Credential $credentials -BaseURI https://my.company.com -type RADIUS
DEBUG: [Body] {
"password": "******",
"username": "userX"
}
VERBOSE: POST https://my.company.com/PasswordVault/api/Auth/RADIUS/Logon with -1-byte payload
Invoke-PASRestMethod : [500] Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820.
At line:642 char:19
+ $PASSession = Invoke-PASRestMethod @LogonRequest
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: ({"ErrorCode":"I...umber 223820."}:ErrorRecord) [Invoke-PASRestMethod], Exception
+ FullyQualifiedErrorId : ITATS542I,Invoke-PASRestMethod2.
PS C:\Users\userX> $Error[0]
Invoke-PASRestMethod : [500] Enter a response to the grid challenge [E1] [H1] [H5] using a card with serial number 223820.
At line:642 char:19
+ $PASSession = Invoke-PASRestMethod @LogonRequest
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: ({"ErrorCode":"I...umber 223820."}:ErrorRecord) [Invoke-PASRestMethod], Exception
+ FullyQualifiedErrorId : ITATS542I,Invoke-PASRestMethodFrom the information posted - it looks like the latest code is not being used.
Your error has the ITATS542I errorcode, which is expected for RADIUS auth.
Compared to how it looks in 4.0.0 You can see in the code how the fix changes the way this error is caught so that the prompt is the exception message.
If you are using the latest dev version, there is no way the function can continue until it has a value for the OTP.
ITATS542I is caught and prompt appears as expected in the development environment.
Check that the updated code is definitely being used.
It will be in the next module release anyway - likely later today/tomorrow.
pspete
commented
4 years ago psPAS 4.1.11 now released:
Available via the usual channels:
pspete
commented
4 years ago @tronatore - please try the new version of the module. It can be installed side-by-side with previous versions, no need to mix & match or replace any files.
comment here to let me know if it is working or not - issue can be reopened if required.
tronatore
commented
4 years ago Great Pete! 1. Now yesterday I cleaned up my laptop of all old versions and stuff that may interfere with the psPAS v4.1.11 (with the new New-PASSession code). I downloaded it from https://github.com/pspete/psPAS/releases/tag/v4.1.11
After cleaning of remaining old psPAS files, I unzipped the recently downloaded v4.1.11 and grabbed the contents - it had no psPAS folder in it, just:
/Functions
/Private
/xml
about....txt
psPAS.psd1
psPAS.psm1
I created a "psPAS" folder within "C:\Users\user\Documents\WindowsPowerShell\Modules" folder and pasted /Function, /Private, ..., psPAS.psm1 in
Ran: Get-Module -ListAvailable psPAS Directory: C:\Users\vassalla\Documents\WindowsPowerShell\Modules ModuleType Version Name ExportedCommands
Script 4.1.11 psPAS {New-PASSession, Close-PASSession, Add-PASPublicSSHKey, Get-PASPublicSSHKey...}
OK!!!!
Ran: Import-Module psPAS Import-Module : The following error occurred while loading the extended type data file: , C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.User.Type.ps1xml: The file was skipped because of the following validation exception: File C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.User.Type.ps1xml cannot be loaded. The file C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.User.Type.ps1xml is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.. , C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Account.Type.ps1xml: The file was skipped because of the following validation exception: File C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Account.Type.ps1xml cannot be loaded. The file C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Account.Type.ps1xml is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.. , C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Credential.Type.ps1xml: The file was skipped because of the following validation exception: File C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Credential.Type.ps1xml cannot be loaded. The file C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Credential.Type.ps1xml is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.. , C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Safe.Type.ps1xml: The file was skipped because of the following validation exception: File C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Safe.Type.ps1xml cannot be loaded. The file C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.Safe.Type.ps1xml is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.. , C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.ACL.Type.ps1xml: The file was skipped because of the following validation exception: File C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.ACL.Type.ps1xml cannot be loaded. The file C:\Users\user\Documents\WindowsPowerShell\Modules\psPAS\xml\psPAS.CyberArk.Vault.ACL.Type.ps1xml is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.. At line:1 char:1
My current execution policy is: Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------MachinePolicy RemoteSigned UserPolicy Undefined Process Undefined CurrentUser RemoteSigned LocalMachine Unrestricted
pspete
commented
4 years ago Sounds like blocked files. Try to right click the downloaded zip and select Properties > "Unblock" or Unblock your module files: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7#example-2--unblock-multiple-files
tronatore
commented
4 years ago Hello, Yesterday I got back to the radius thing and tried a fresh psPAS module install. After issuing the proposed command, yes, the grid card's coordinates are prompted. After carefully entering them, I get the error "403 Authentication Failure". It is not the real issue since this is my production access (with grid card, password, and username) and I basically log in at least twice a day with the same card and password. After this test, I logged in with the exact same parameters and it got me in OK. I will have to keep investigating why this is not working. If I get any useful news I will post it here. Thanks a lot! Will keep you updated.
Describe the issue When issuing psPAS's NEW-PASSession, I need to understand (or get an example) of how to: a) know which coordinates os RADIUS are to be requested to the user b) how to pass these coordinates to the psPAS code
To Reproduce Steps to reproduce the behavior:
Expected behavior None. Just need to know how to use RADIUS NEW-PASSSession
Screenshots & Console Output NA
Console Output Code Block: PS C:\Users\userX> New-PASSession -Credential $cred -BaseURI https://my.company.com -type RADIUS Invoke-PASRestMethod : [500] Enter a response to the grid challenge [B4] [C2] [D1] using a card with serial number 829450. At line:510 char:19
Your Environment
Additional context Add any other context about the problem here.