7018657: Get logout page when executing Radius login where LDAP password is invalid and token is valid

This document (7018657) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1

Situation

Access Manager 4.2.2 setup where Radius based authentication enabled at Identity Server.
If the user submits the correct password but incorrect token during radius challenge, they are returned to login page with a login failure and asked to re-enter credentials. This would be the expected behaviour.
If the use has the incorrect password but correct radius token when challenged, they are taken to logout page instead of login failed page.

Resolution

Make sure the ‘user lookup attribute’ is populated with an LDAP attribute.
The issue is caused by a blank value for the ‘user lookup attribute’. By default it is populated with the value cn. In the customers config it was blank for some reason. If it is blank the IDP will do a ldap call first and then attempts to do a radius call.

Cause

When no LDAP attribute exists for ‘user lookup mapping’ the sequence of LDAP events are different – with no attributes defined, the LDAP request is done before the Radius request and even though we get a successful radius-accept response back identifying the user, the LDAP bind failed.
// Failing flow – the LDAP auth fails before sending a radius request across.
<amLogEntry> 2017-02-09T23:51:30Z INFO NIDS Application: AM#500105014: AMDEVICEID#0F201A1A1F3575BA: AMAUTHID#03F3237988C56B1FC224AF373989E81C: Attempting to authenticate user CN=user1,o=novell with provided credentials. </amLogEntry>
:
<amLogEntry> 2017-02-09T23:51:30Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-nio-10.50.27.12-8443-exec-23
AuthenticationException: Connection: 01e8dd96-6ba4-46e1-a91d-ab76c9f13255, Attempting to create InitialDirContext for replica: 10.252.132.121 </amLogEntry>
<amLogEntry> 2017-02-09T23:51:30Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-nio-10.50.27.12-8443-exec-23
Exception while attempting to create ldap connection! </amLogEntry>
com.novell.nam.common.ldap.jndi.JNDIExceptionIncorrectPassword: [LDAP: error code 49 – 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ] Root Cause: javax.naming.AuthenticationException: [LDAP:
at com.novell.nam.common.ldap.jndi.LDAPStorePluginActiveDirectory.onCreateConnectionException(LDAPStorePluginActiveDirectory.java:81)
at com.novell.nam.common.ldap.jndi.JNDIUserStore.onCreateConnectionException(JNDIUserStore.java:2418)
at com.novell.nam.common.ldap.jndi.JNDIUserStoreReplicaConnection.<init>(JNDIUserStoreReplicaConnection.java:241)
at com.novell.nam.common.ldap.jndi.JNDIUserStoreReplicaConnectionPool.getUserConnection(JNDIUserStoreReplicaConnectionPool.java:667)
at com.novell.nam.common.ldap.jndi.JNDIUserStoreReplica.getUserConnection(JNDIUserStoreReplica.java:786)
at com.novell.nam.common.ldap.jndi.JNDIUserStore.getNextConnection(JNDIUserStore.java:2020)
at com.novell.nam.common.ldap.jndi.JNDIUserStore.authenticateUser(JNDIUserStore.java:1836)
at com.novell.nam.common.ldap.jndi.JNDIUserStore.authenticateUser(JNDIUserStore.java:1807)
at com.novell.nidp.common.authority.ldap.LDAPUserAuthority.authenticate(y:1725)
at com.novell.nidp.authentication.local.LocalAuthenticationClass.A(y:1069)
at com.novell.nidp.authentication.local.LocalAuthenticationClass.authenticateWithPassword(y:1552)
<amLogEntry> 2017-02-09T23:51:30Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: http-nio-10.50.27.12-8443-exec-23
Attribute added to page [radiuslogin] is [url]=[https://extranetidpamdev.stg.com/nidp/idff/sso?sid=0]. </amLogEntry>
<amLogEntry> 2017-02-09T23:51:30Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: http-nio-10.50.27.12-8443-exec-23
Attribute added to page [radiuslogin] is [loginError]=[Login failed, please try again.]. </amLogEntry>
<amLogEntry> 2017-02-09T23:51:30Z DEBUG NIDS Application:
Method: RadiusClient.authenticate
Thread: http-nio-10.50.27.12-8443-exec-23
authenticate(userName,) = L031009 </amLogEntry>
<amLogEntry> 2017-02-09T23:51:30Z DEBUG NIDS Application:
Method: RadiusClient.A
Thread: http-nio-10.50.27.12-8443-exec-23
Sending packet to failover server </amLogEntry>
<amLogEntry> 2017-02-09T23:51:30Z DEBUG NIDS Application:
Method: RadiusClient.A
Thread: http-nio-10.50.27.12-8443-exec-23
Waiting for packet from failover server </amLogEntry>
// 2 secs later, after LDAP fail, we send the Radius request, which succeeds based on radius accept. Since the LDAP part was used to identify the user, which failed despite radius succeeding, the user is logged out.
<amLogEntry> 2017-02-09T23:51:32Z VERBOSE NIDS Application: Authentication method Default Radius Test Method succeeded </amLogEntry>
<amLogEntry> 2017-02-09T23:51:32Z VERBOSE NIDS Application: Authentication method Default Radius Test Method failed, as it did not identify a user </amLogEntry>
// LAN trace showing 2 radius requests where Radius server does NOT respond to initial request …
Working flow
a) Authenticate with password succeeds
<amLogEntry> 2017-02-09T23:46:12Z DEBUG NIDS Application:
Method: RadiusClass.X
Thread: http-nio-10.50.27.12-8443-exec-1
username=L031009, token=***** </amLogEntry>
<amLogEntry> 2017-02-09T23:46:12Z DEBUG NIDS Application:
Method: LocalAuthenticationClass.authenticateWithPassword
Thread: http-nio-10.50.27.12-8443-exec-1
Attempted authenticateWithPassword – id = L031009 </amLogEntry>
b) Send Radius request
<amLogEntry> 2017-02-09T23:46:12Z DEBUG NIDS Application:
Method: RadiusClient.authenticate
Thread: http-nio-10.50.27.12-8443-exec-1
authenticate(userName,) = L031009 </amLogEntry>
<amLogEntry> 2017-02-09T23:46:12Z DEBUG NIDS Application:
Method: RadiusClient.A
Thread: http-nio-10.50.27.12-8443-exec-1
Sending packet to failover server </amLogEntry>
<amLogEntry> 2017-02-09T23:46:12Z DEBUG NIDS Application:
Method: RadiusClient.A
Thread: http-nio-10.50.27.12-8443-exec-1
Waiting for packet from failover server </amLogEntry>
c) Send Radius Request again 2 secs later where we get a radius –reject response
<amLogEntry> 2017-02-09T23:46:14Z DEBUG NIDS Application:
Method: RadiusClient.A
Thread: http-nio-10.50.27.12-8443-exec-1
Sending packet to failover server </amLogEntry>
<amLogEntry> 2017-02-09T23:46:14Z DEBUG NIDS Application:
Method: RadiusClient.A
Thread: http-nio-10.50.27.12-8443-exec-1
Waiting for packet from failover server </amLogEntry>
<amLogEntry> 2017-02-09T23:46:14Z DEBUG NIDS Application:
Method: RadiusClient.authenticate
Thread: http-nio-10.50.27.12-8443-exec-1
User L031009 NOT authenticated </amLogEntry>
<amLogEntry> 2017-02-09T23:46:14Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: http-nio-10.50.27.12-8443-exec-1
Attribute added to page [radiuslogin] is [url]=[https://extranetidpamdev.stg.com/nidp/idff/sso?sid=0]. </amLogEntry>
<amLogEntry> 2017-02-09T23:46:14Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: http-nio-10.50.27.12-8443-exec-1
Attribute added to page [radiuslogin] is [loginError]=[Login failed, please try again.]. </amLogEntry>
<amLogEntry> 2017-02-09T23:46:14Z VERBOSE NIDS Application: Authentication contract ‘Default Radius Test Contract’ failed in method ‘Default Radius Test Method’ for session 47665A48F36B29BEC0A51B95C8B7708B. Radius authentication failed for user </amLogEntry>

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:

Leave a Reply