Closed Fonta closed 1 year ago
Hi @Fonta,
If your RADIUS configuration no longer supports append mode, then exclude the -OTPMode parameter to use challenge mode:
New-PASSession -Credential $credential -Type RADIUS -OTP 123456 -BaseURI 'https://cyberark.local/'
Hi @pspete,
Will the challenge mode combine the pin from $credential with the OTP? So that the password will become something like 1234123456?
No - first, the username and password would be sent, then the OTP value would subsequently be sent in response to any issued RADIUS challenge.
Just tested the challenge method. It fails to authenticate.
Invoke-PASRestMethod : [403] Authentication failure for User [username]. "FullyQualifiedErrorId : PASWS013E,Invoke-PASRestMethod"
How are the required credentials/OTP provided when authenticating to PVWA? Are you still using RADIUS auth for PVWA authentication?
Tried it like this:
$credential = Get-Credential
#username = username
#password = pin
New-PASSession -Credential $credential -Type RADIUS -OTP 123456 -OTPMode Challenge -BaseURI 'https://cyberark.local/'
$credential = Get-Credential
#username = username
#password = pin + token number
New-PASSession -Credential $credential -Type RADIUS -BaseURI 'https://cyberark.local/'
works? with no delimiter?
Yes, that works as it doesn't add a delimiter. But it's not so simple to use that in a script. I have a few long-running scripts and the session timeout is rather short, so I need to be able to ask for a new OTP during the running of the script. Like this I'd need to ask for complete credentials over and over again instead of just the OTP. It'd be a lot simpler if I could pass an empty delimiter to New-PASSession or a switch like -NoOTPDelimiter which then omits the default comma.
Yes, I understand - that's why the separate parameters exist, I just wanted to understand if that format works. Will investigate being able to specify a null delimiter or similar.
Thanks!
Added support for this now, see Example 24
Looking good! Will test later, but fairly certain this will do. Will let you know if I run into issues. Thanks!
Our RADIUS server seems to no longer accept the default ',' which is used during the OTP appending on line 400 of New-PASSession.ps1 in the Functions folder.
The script also doesn't allow overruling the delimiter with -OTPDelimiter '' added to the New-PASSession command.
Can the default , be removed? Or can you give us an option to not add a delimiter?
Command is used as such:
$credential = get-credential # username + pin
New-PASSession -Credential $credential -Type RADIUS -OTP 123456 -OTPMode Append -BaseURI 'https://cyberark.local'
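The "pin + token number" form that the thread confirms works can be scripted so that only the OTP is re-prompted when a session expires. This is an added example, not code from the thread or from psPAS; `Join-PinAndOtp` and `Connect-WithFreshOtp` are hypothetical helper names, and it uses only the `New-PASSession` parameters shown above.

```powershell
# Added example: helper names are hypothetical, not part of psPAS.
function Join-PinAndOtp {
    param(
        [Parameter(Mandatory)][pscredential]$PinCredential,  # username + PIN, collected once
        [Parameter(Mandatory)][securestring]$Otp             # fresh token code
    )
    # Both halves are decrypted only to concatenate them with no delimiter.
    # The plaintext strings stay in process memory until garbage collected,
    # so run this only on a host you trust with the PIN.
    $pin  = $PinCredential.GetNetworkCredential().Password
    $code = [System.Net.NetworkCredential]::new('', $Otp).Password
    $combined = ConvertTo-SecureString -String ($pin + $code) -AsPlainText -Force
    [pscredential]::new($PinCredential.UserName, $combined)
}

# Asked once at script start; the PIN stays in a SecureString between logons.
$pinCredential = Get-Credential -Message 'Username and RADIUS PIN'

function Connect-WithFreshOtp {
    # Only the OTP is requested on each re-authentication.
    $otp = Read-Host -Prompt 'Current OTP' -AsSecureString
    $credential = Join-PinAndOtp -PinCredential $pinCredential -Otp $otp
    New-PASSession -Credential $credential -Type RADIUS -BaseURI 'https://cyberark.local/'
}

Connect-WithFreshOtp
# ... long-running work; call Connect-WithFreshOtp again when the session times out.
```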