Forum Discussion
Hi Kevin,
I have to clarify a few things which I think I haven't cleared up enough:
We're building up an SSL-VPN service for many different customers. They can log in there and use the RDP client, full tunnel or whatever ...
The customer decides which user gets an RSA token, which user can authenticate via Google Authenticator, which one gets an OTP per SMS, and so on. The customer can edit these settings in a web interface which puts the appropriate values into an LDAP directory.
Because we do not want to push the RSA service anymore (and because not every customer wants RSA) we store the password of the user in the LDAP directory. He can change it there and can do numerous other things like generate a barcode for Google Authenticator, or - and that's the deal - define an RSA token for his account. So the customer has a bunch of RSA tokens at his place and can take one of them and assign it to a client, without even having access to the RSA console.
We want to do that by setting the username of the RSA user to the RSA token serial number. So for every token we give to the customer we define an RSA user whose name is the token serial number.
At the authentication process we're asking for 3 things:
- The username (stored in the LDAP directory)
- The password (stored in the LDAP directory)
- The tokencode
We're checking which token the user has assigned (-> stored in LDAP) and authenticating against the RSA server with:
- username: the serial number of the token -> stored in LDAP
- password (or PIN): deactivated in RSA, there is an option for it
- tokencode: the tokencode the user entered at the login prompt
The first time it works like a charm: I read out the tokencode entered by the user and store it in the "last.password" session variable. I also read out the RSA token serial number, which is stored in an LDAP session variable, and store it as the session variable "last.username".
The RSA Server is authenticating and voila - it works.
When the user has failed to enter the tokencode correctly and enters username, password and tokencode again, the variables are not modified again. As written in my last post, it seems that all steps between the login form and the RSA authentication are skipped.
So what happens now: in the login form the user types in username, password and tokencode. Because no replacement takes place, the user is authenticated with
- username: username as entered in the login form
- tokencode: tokencode as entered in the login form
and that is wrong.
I hope I was able to clarify a few things now.
best regards,
Florian
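The login chain Florian describes, as an added toy model that is not part of this thread and not any vendor's code: a first stage checks the LDAP password, a second stage maps the LDAP-assigned token serial to the RSA username and forwards only the tokencode (PIN disabled). The `remap_every_attempt` switch, the `login`/`run_scenario` names and all directory contents are constructed for illustration; with the switch off, a retry after a wrong tokencode sends the raw form username to RSA, which is the failure the post reports.

```python
# Constructed LDAP entries: login name -> stored password and assigned token serial.
LDAP_DIRECTORY = {
    "alice": {"password": "s3cret", "token_serial": "000123456789"},
}

# Constructed RSA backend. The RSA "user" is the token serial; the PIN is
# disabled, so the passcode it expects is the bare tokencode.
RSA_TOKENCODES = {"000123456789": "482913"}


def rsa_verify(username: str, passcode: str) -> bool:
    """Stand-in for the RSA server check (hypothetical, not a real API)."""
    return RSA_TOKENCODES.get(username) == passcode


def login(session: dict, username: str, password: str, tokencode: str,
          remap_every_attempt: bool) -> bool:
    """One login attempt. Returns True only when LDAP and RSA both accept.

    remap_every_attempt=False reproduces the symptom from the post: the
    form-to-RSA mapping runs only on the first attempt of a session, so a
    retry forwards the form username instead of the token serial."""
    entry = LDAP_DIRECTORY.get(username)
    if entry is None or entry["password"] != password:
        return False  # stage 1 (LDAP) failed; RSA is never consulted
    if remap_every_attempt or "last.username" not in session:
        # Stage 2 mapping: RSA user = token serial from LDAP, passcode = tokencode.
        session["last.username"] = entry["token_serial"]
        session["last.password"] = tokencode
        rsa_user, rsa_pass = session["last.username"], session["last.password"]
    else:
        # Mapping step skipped on retry: RSA sees the form fields as typed.
        rsa_user, rsa_pass = username, tokencode
    session["last_rsa_request"] = (rsa_user, rsa_pass)  # kept for inspection
    return rsa_verify(rsa_user, rsa_pass)


def run_scenario(remap_every_attempt: bool) -> list:
    """Wrong tokencode first, correct tokencode on retry; returns both results."""
    session = {}
    return [
        login(session, "alice", "s3cret", "000000", remap_every_attempt),
        login(session, "alice", "s3cret", "482913", remap_every_attempt),
    ]


if __name__ == "__main__":
    print("mapping skipped on retry:", run_scenario(False))  # [False, False]
    print("mapping redone each try: ", run_scenario(True))   # [False, True]
```

The point for anyone debugging a similar chain: every attempt must recompute the second-factor request from the directory lookup, never from values cached by a previous attempt in the same session.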