pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Default OTPDelimiter (no longer/not) accepted by radius server #446

Closed Fonta closed 1 year ago

Fonta commented 1 year ago

Our radius server seems to no longer accept the default ',' which is used during the OTP appending on line 400 of New-PASSession.ps1 in the Functions folder.

The script also doesn't allow overruling the delimiter by adding -OTPDelimiter '' to the New-PASSession command.

Can the default , be removed? Or can you give us an option to not add a delimiter?

Command is used as such:

$credential = Get-Credential
# username + pin

New-PASSession -Credential $credential -Type RADIUS -OTP 123456 -OTPMode Append -BaseURI 'https://cyberark.local'

pspete commented 1 year ago

Hi @Fonta ,

If your RADIUS configuration no longer supports append mode, then exclude the -OTPMode parameter to use challenge mode:

New-PASSession -Credential $credential -Type RADIUS -OTP 123456 -BaseURI 'https://cyberark.local/'

Fonta commented 1 year ago

Hi @pspete,

Will the challenge mode combine the pin from $credential with the OTP? So that the password will become something like 1234123456?

pspete commented 1 year ago

No - first, the username and password would be sent, then the OTP value would subsequently be sent in response to any issued RADIUS challenge.

Fonta commented 1 year ago

Just tested the challenge method. It fails to authenticate.

Invoke-PASRestMethod : [403] Authentication failure for User [username]. "FullyQualifiedErrorId : PASWS013E,Invoke-PASRestMethod"

pspete commented 1 year ago

How are the required credentials/OTP provided when authenticating to PVWA? Are you still using RADIUS auth for PVWA authentication?

Fonta commented 1 year ago

Tried it like this:

$credential = Get-Credential
# username = username
# password = pin

New-PASSession -Credential $credential -Type RADIUS -OTP 123456 -OTPMode Challenge -BaseURI 'https://cyberark.local/'
pspete commented 1 year ago

$credential = Get-Credential
# username = username
# password = pin + token number
New-PASSession -Credential $credential -Type RADIUS -BaseURI 'https://cyberark.local/'

works? with no delimiter?

Fonta commented 1 year ago

Yes, that works as it doesn't add a delimiter. But it's not so simple to use that in a script. I have a few long-running scripts and the session timeout is rather short, so I need to be able to ask for a new OTP during the running of the script. Like this I'd need to ask for complete credentials over and over again instead of just the OTP. It'd be a lot simpler if I could pass an empty delimiter to New-PASSession or a switch like -NoOTPDelimiter which then omits the default comma.
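As an added example (not psPAS code and not from either participant), the following helper re-authenticates from a long-running script while prompting only for the new OTP. It relies on the format confirmed above: PIN immediately followed by the token number, sent as the password with no -OTP/-OTPMode, so psPAS inserts no delimiter. The function name, $BaseURI value and prompt text are assumptions; psPAS is assumed to be installed.

```powershell
# Added example, not part of psPAS or this issue thread.
# Username + PIN are collected once and reused; only the token is prompted
# on each (re)connect, so the script never needs the full credential again.
function Connect-PASSessionWithPin {
    param(
        [Parameter(Mandatory)][string]$BaseURI,
        # Username + PIN, for example from Get-Credential (assumed input).
        [Parameter(Mandatory)][pscredential]$PinCredential
    )

    # Prompt only for the current token code, without echoing it.
    $otp = Read-Host -Prompt 'Enter current OTP' -AsSecureString

    $pinPtr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PinCredential.Password)
    $otpPtr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($otp)
    try {
        $pin  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($pinPtr)
        $code = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($otpPtr)
        # Combined password: PIN directly followed by the token, no delimiter.
        $combined = ConvertTo-SecureString -String ($pin + $code) -AsPlainText -Force
    }
    finally {
        # Release the unmanaged plaintext copies as soon as they are no longer needed.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($pinPtr)
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($otpPtr)
        $pin = $null; $code = $null
    }

    $sessionCredential = [pscredential]::new($PinCredential.UserName, $combined)
    # Plain RADIUS logon, as in the working command above: no -OTP, no -OTPMode.
    New-PASSession -Credential $sessionCredential -Type RADIUS -BaseURI $BaseURI
}

# Usage: collect username + PIN once at script start...
$pinCredential = Get-Credential -Message 'Username and RADIUS PIN (without token)'
Connect-PASSessionWithPin -BaseURI 'https://cyberark.local/' -PinCredential $pinCredential
# ...and when the PVWA session times out, call it again; only the OTP is requested.
```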

pspete commented 1 year ago

Yes, I understand - that's why the separate parameters exist, I just wanted to understand if that format works. Will investigate being able to specify a null delimiter or similar.

Fonta commented 1 year ago

Thanks!

pspete commented 1 year ago

Added support for this now, see Example 24

Fonta commented 1 year ago

Looking good! Will test later, but fairly certain this will do. Will let you know if I run into issues. Thanks!