SMA 500v - Radius Challenge not working in contemporary mode
Hi,
it's just not ending with the contemporary mode, but today I tried to access a portal which is secured by Radius authentication with Challenge-Response. Running a SMA 500v with 10.2.
Username/password gets accepted, but the challenge (token) in the next step gets the red bar on the top showing an error message "You can't do this authentication api". I never tried this before, because the Radius authentication is usually for NetExtender and this is working without problems, but I guess it's broken since 10.0.
Connecting to the portal in classic mode works without a problem, so it's not a Radius issue, it's the /spog again.
Is this a known problem? If not I would probably open up a ticket.
--Michael@BWC
Best Answers
DerekYu SonicWall Employee
This is tracked by SMA-1362, and marked as fixed. The fix will be in 10.2.0.2.
5
Simon Moderator
@BWC the latest iteration of this issue, SMA-2517 from your case 43661658, indicates it is to be fixed in 10.2.1.0 (in beta - release, predicted normal release is end of May or early June) but I expect it to also be pushed to 10.2.0.8. I have asked engineering that question to get a clean answer. It is in test now - implying they are testing it integrated in a release to confirm this and other engineering issues are resolved and not causing new issues.
I agree this case was ended abruptly and have had a chat with the engineer. He saw it as resolved by the dev image. He understands now it was not.
1
Answers
Hi @BWC ,
I trust you are safe and well!
This sounds similar to the reported issue (SMA-1087). The Engineering team is working on this and the expected version to incorporate this fix is set to 10.2.1.0.
Having said that I would recommend opening a web case with the Support team and get it checked by a Support agent.
Thank You
Knowledge Management Senior Analyst at SonicWall.
In 10.2.0.1 this got even worse, the error message about the authentication API got replaced with an Internal server error, all well in classic mode. Waiting for 10.2.1.0 then.
--Michael@BWC
Hi @DerekYu
any word when 10.2.0.2, which includes the needed fix, will be released? It's very hard to discuss with the customers why it's not working with this cursed contemporary mode and they need to switch to classic first. Not-so-IT-savvy end users don't get it, causing all kinds of trouble.
--Michael@BWC
Hi @DerekYu
one customer reported today an "Internal Server Error" message when trying to log in with Radius and OTP (C/R). It's all working great in classic mode, but /spog is a mess.
Are there still problems open which will be addressed in 10.2.1.0 and what's the ETA on that?
--Michael@BWC
Hi @BWC
SMA-1087 will be fixed in 10.2.0.3. I do not have a date for predicted release. I expect it to be relatively soon.
If you need a fix immediately, please open a case and ask for the engineering private build of firmware with the fix from SMA-1087.
10.2.1.0 is predicted to be released in early 2021.
Hi @Simon
thanks for the feedback, it's somewhat sobering that it takes 6+ months to get this addressed properly. Looking forward to the next updates.
--Michael@BWC
Hi @BWC
I am not sure why it did not make the 10.2.0.2 release - may have been some issue with the fix they tried when it came to the QA testing prior to release. That happens on occasion.
Hi @BWC
To answer, as much as I can: Are there still problems open which will be addressed in 10.2.1.0 and what's the ETA on that?
It is the nature of software for complex systems that there will be problems fixed in any release. Why else have one? Further 10.2.1.0 is a minor feature release so there are limited function changes in this version as well.
I do not have a list of issues I can provide. There are very few. They are for the most part in QA testing. To have a clean list pull the release notes when the upgrade is published.
I can only give an educated guess for when 10.2.1.0 will be released. My guess is late January to mid February 2021. Until all fixes and new features have cleared QA testing it is not at all certain this is correct.
Just to keep this thread alive in case someone stumbles over it, SMA-1087 does not seem to be related to the Radius/OTP problem after all, because it's marked as fixed in 10.2.0.3 but the problem still exists.
Hi @Simon @KaranM @DerekYu
while cleaning up open cases/issues I'm still stumbling over that ongoing Radius-Challenge trouble. It's still there in 10.2.0.3.
Will it be fixed or do I need to give up on that?
Radius-Challenge (2FA) is working fine in classic mode.
Radius-Challenge in Contemporary Mode (SPOG) on Firefox is returning to Domain Selection when Access-Challenge got requested from Radius-Server. No further messages in the Developer Console. No Multi-Factor-Login via Radius possible.
Radius-Challenge in SPOG on Google Chrome is showing a red alert box when Access-Challenge got requested. Developer Console in Browser shows a HTTP 500 (Internal Server Error) for requesting /__api__/v1/logon/4865304c6c7a51554272497737657a7552594d5774356f7a3576585067585233/authenticate on the SMA.
Is this an already known problem or do I need to open a new case?
--Michael@BWC
Hi @Simon @KaranM @DerekYu @Chris @Micah
because MFA got some more attention in recent days, what about the above? Never got any feedback, which is unfortunate because /spog gets forced so hard and users have to adjust the URL manually because there is no switch from contemporary to classic mode.
--Michael@BWC
Well, I guess that's a no. I'm officially the one and only having this problem, congrats to me.🍾
--Michael@BWC
And another one, 10.2.0.6 still has the same problem in contemporary mode, classic is working fine though (for that matter). If MFA is so important to avoid weak authentication (and having them exposed via SQL injection etc.), why not fix this?
BTW, not having a domain selection list at the login throws a 404 for https://mysmahostname.domain/__api__/v1/config/domains
--Michael@BWC
I opened Ticket #43661658 for this dilemma and will keep it posted, even if no one seems to be interested.
See you all on the other side.
--Michael@BWC
I've got a private build today 10.2.0.7-34sv-SMA2517v1, unfortunately it's not working, it asks for the first time ever for the OTP, but crashed then with a "Server is currently unreachable", the TSR shows some exception of a Python Script.
But it was the first try, after all these years I hope for the best.
--Michael@BWC
I've got another private build today 10.2.0.7-34sv-SMA2517v2 and it seems that Radius C/R works at first glance, have to do further testing.
But as usual there is a downside on this, Classic Mode (which worked fine before) isn't working anymore with Radius C/R.
Grrrrrrrrrrrrr. 🤦
At least there is some form of progress, thanks to the Engineering. What was the address again where I can send my bill for Bug Hunting and Testing to?
--Michael@BWC
Just another update if anyone cares. It seems that 10.2.0.7-34sv-SMA2517v3 resolves this issue and will hopefully be released in the foreseeable future, and I can stop talking to myself on this thread. 🤐
--Michael@BWC
LOL, Case #43661658 just closed without further notice, no information when the fix will be officially released, no ETA, no nothing.
Support is doing ridiculous things sometimes, Customer Communication isn't a strong suit, to put it mildly.
--Michael@BWC
@BWC,
For me it's usual behaviour from support, without confirming with the customer they are closing the tickets.
@bwc
I checked and engineering management has directed the engineer on SMA-2517 to ensure the fix is integrated in 10.2.0.8 before they can close that engineering ticket.
Unfortunately I still have not even a swag as to when 10.2.0.8 will be released.