theinvisible / openfortigui

VPN-GUI to connect to Fortigate-Hardware, based on openfortivpn
https://hadler.me/linux/openfortigui/
GNU General Public License v3.0

Two Factor authentication not working for radius type authentication #85

Closed absmith82 closed 4 years ago

absmith82 commented 5 years ago

We are testing out a cloud 2FA system that uses RADIUS to authenticate and have 2FA on the FortiGate. When using 2FA through this type of system, openfortigui does not prompt for the OTP. I checked using the FortiGate client as well as the openfortivpn CLI client, and both of these work as expected. I assume the problem is something with openfortigui receiving a slightly different OTP message. On openfortivpn, after entering my password, this is the CLI prompt that I get:

Please enter one-time password:

2FA that is enabled directly from the FortiGate gets this message from the script:

Two-factor authentication token:

theinvisible commented 5 years ago

Hi,

That's true, the prompt for OTP is triggered by keywords from openfortivpn output.

As you can see in vpnlogger.cpp, your mentioned keywords should already be recognized by OpenFortiGUI. Maybe you can send the relevant output from OpenFortiGUI (just right-click the specific VPN and click Logs) and post it here.

Cheers

absmith82 commented 5 years ago

These are the only logs that I get:

INFO: Start tunnel.
INFO: Connected to gateway.

theinvisible commented 5 years ago

Please enable debug mode in settings and VPN profile and try again, should be a lot more verbose.

absmith82 commented 5 years ago

This is all the more info I received. For reference, the server and gateway address and ports are correct.

INFO: Start tunnel.
DEBUG: server_addr:
DEBUG: server_port:
DEBUG: gateway_addr:
DEBUG: gateway_port:
DEBUG: Gateway certificate validation succeeded.
INFO: Connected to gateway.

tiagolo commented 4 years ago

This is also happening to me. With version 0.7.3.1 I'm able to connect to my VPN, but with 0.8.0 an OTP token is shown and before I can type anything the connection is closed.

Main debug log:

===============================================
ago 5 11:28:09 openfortiGUI::Debug: active-tab:: 0
ago 5 11:28:09 openfortiGUI::Debug: start vpn: "MVRec - vpn" active-tab:: 0
ago 5 11:28:09 openfortiGUI::Debug: Start vpn:: "MVRec - vpn"
ago 5 11:28:09 openfortiGUI::Debug: Start vpn:: "MVRec - vpn"
tigui/main.conf"
ago 5 11:28:09 openfortiGUI::Debug: "start-vpn process::" "MVRec - vpn"
ago 5 11:28:09 openfortiGUI::Debug: "start-vpn process::config_file::" "/root/.openfortigui/main.conf"
ago 5 11:28:09 openfortiGUI::Debug: vpnProcess::startVPN::slot
ago 5 11:28:09 openfortiGUI::Debug: vpnManager::onClientConnected()
ago 5 11:28:09 openfortiGUI::Debug: client api helo command:: 0 ::name:: "MVRec - vpn"
ago 5 11:28:09 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/root/.openfortigui/vpnprofiles/MVRec - vpn.conf"
ago 5 11:28:09 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/root/.openfortigui/vpnprofiles/MVRec - vpn1.conf"
ago 5 11:28:09 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/root/.openfortigui/vpnprofiles/MVRec - vpn2.conf"
ago 5 11:28:09 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/root/.openfortigui/vpnprofiles/MVFor.conf"
ago 5 11:28:09 openfortiGUI::Debug: vpnWorker::process::slot
ago 5 11:28:09 openfortiGUI::Debug: 1565015289925 bytes avail:: 190
ago 5 11:28:10 openfortiGUI::Debug: 1565015290125 bytes avail:: 133
ago 5 11:28:10 openfortiGUI::Debug: vpnProcess::onObserverUpdate::status_update "MVRec - vpn" state 1
ago 5 11:28:10 openfortiGUI::Debug: vpnProcess::onObserverUpdate::status_update2 "MVRec - vpn" state 1
ago 5 11:28:10 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "MVRec - vpn" status 1
ago 5 11:28:10 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "MVRec - vpn" ::status:: 1
ago 5 11:28:10 openfortiGUI::Debug: 1565015290325 bytes avail:: 591
ago 5 11:28:10 openfortiGUI::Debug: 1565015290526 bytes avail:: 44
ago 5 11:28:10 openfortiGUI::Debug: 1565015290727 bytes avail:: 44
ago 5 11:28:10 openfortiGUI::Debug: 1565015290928 bytes avail:: 103
ago 5 11:28:11 openfortiGUI::Debug: shutting down vpn process:: "MVRec - vpn"
ago 5 11:28:11 openfortiGUI::Debug: 1565015291128 bytes avail:: 845
ago 5 11:28:11 openfortiGUI::Debug: otprequest from vpnmanager
ago 5 11:28:11 openfortiGUI::Debug: 1565015291329 bytes avail:: 44
ago 5 11:28:11 openfortiGUI::Debug: 1565015291530 bytes avail:: 103
ago 5 11:28:11 openfortiGUI::Debug: 1565015291730 bytes avail:: 20
ago 5 11:28:13 openfortiGUI::Warning: QThread::start: Thread termination error: Processo inexistente
ago 5 11:28:13 openfortiGUI::Debug: client disconnected:: "MVRec - vpn"
ago 5 11:28:13 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "MVRec - vpn" status 0
ago 5 11:28:13 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "MVRec - vpn" ::status:: 0

VPN Connection debug log:

================================================
INFO:   Start tunnel.
DEBUG:  server_addr: 131.0.226.69
DEBUG:  server_port: 10443
DEBUG:  gateway_addr: 131.0.226.69
DEBUG:  gateway_port: 10443
DEBUG:  Setting min proto version to: 0x301
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
DEBUG:  Cookie: SVPNCOOKIE--------------------------------------------------------
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE--------------------------------------------------------
INFO:   Remote gateway has allocated a VPN.
DEBUG:  server_addr: 131.0.226.69
DEBUG:  server_port: 10443
DEBUG:  gateway_addr: 131.0.226.69
DEBUG:  gateway_port: 10443
DEBUG:  Setting min proto version to: 0x301
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  ppp_path: /usr/sbin/pppd
DEBUG:  pppd_read thread
DEBUG:  ssl_read thread
DEBUG:  ssl_write thread
DEBUG:  if_config thread
Couldn't open the /dev/ppp device: No such device or address
/usr/sbin/pppd: Please load the ppp_generic kernel module.

ERROR:  read: Erro de entrada/saída
INFO:   Cancelling threads...
DEBUG:  Waiting for pppd to exit...
DEBUG:  waitpid: pppd exit status code 4
ERROR:  pppd: The kernel does not support PPP, for example, the PPP kernel driver is not included or cannot be loaded.
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
INFO:   Setting ppp interface down.
INFO:   Restoring routes...
DEBUG:  Route to vpn server was not added
INFO:   Removing VPN nameservers...
DEBUG:  server_addr: 131.0.226.69
DEBUG:  server_port: 10443
DEBUG:  gateway_addr: 131.0.226.69
DEBUG:  gateway_port: 10443
DEBUG:  Setting min proto version to: 0x301
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Logged out.
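
A triage sketch for the openfortivpn debug output in this thread, added here as an example and not part of OpenFortiGUI or openfortivpn: it separates a failure at the OTP prompt from a failure after authentication, and flags a gateway accepted only by its pinned certificate digest. The function names and the condensed sample log are assumptions; the prompt strings and log messages are the ones quoted above.

```python
import re

# Prompt strings quoted in this thread; the GUI's full keyword list is not shown on the page.
OTP_PROMPTS = ("Please enter one-time password:", "Two-factor authentication token:")

# Constructed sample, condensed from the VPN connection debug log posted above.
SAMPLE_LOG = """\
INFO:   Start tunnel.
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
/usr/sbin/pppd: Please load the ppp_generic kernel module.
DEBUG:  waitpid: pppd exit status code 4
"""

def triage(log_text):
    """Return which stage of the connection the log reached and why it stopped."""
    f = {"otp_prompt": False, "authenticated": False,
         "cert_pinned_only": False, "pppd_exit": None, "ppp_module_missing": False}
    chain_failed = False
    for line in log_text.splitlines():
        if any(p in line for p in OTP_PROMPTS):
            f["otp_prompt"] = True
        if "Gateway certificate validation failed" in line:
            chain_failed = True
        elif "certificate digest found in white list" in line and chain_failed:
            # Chain validation failed; the gateway was accepted only via a pinned digest.
            f["cert_pinned_only"] = True
        elif line.startswith("INFO:") and "Authenticated." in line:
            f["authenticated"] = True
        elif "ppp_generic kernel module" in line:
            f["ppp_module_missing"] = True
        m = re.search(r"pppd exit status code (\d+)", line)
        if m:
            f["pppd_exit"] = int(m.group(1))
    return f

def stage(f):
    """Classify the failure so an OTP problem is not confused with a tunnel problem."""
    if f["authenticated"] and (f["ppp_module_missing"] or f["pppd_exit"]):
        return "post-auth: pppd could not bring up the tunnel"
    if f["otp_prompt"] and not f["authenticated"]:
        return "auth: stopped at the OTP prompt"
    if not f["authenticated"]:
        return "auth: no OTP prompt seen and not authenticated"
    return "no failure detected"
```

On the sample, `stage(triage(SAMPLE_LOG))` reports a post-authentication pppd failure with `cert_pinned_only` set.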

tiagolo commented 4 years ago

So, after updating my kernel from 4.19 to 5.2.5 and cleaning up all certificates, it worked fine again.

theinvisible commented 4 years ago

Good to hear, will close this.