
SMA 100 - Firmware 10.2.1.0 breaks Radius C/R (OTP) for NetExtender/MobileConnect

BWC Cybersecurity Overlord ✭✭✭

Hi,

as part of the never-ending story "Fix Something / Break Something else", the Radius Challenge/Response for accessing the Portal through /spog got fixed in 10.2.1.0, but the formerly working Radius C/R got broken for NetExtender/MobileConnect.

Some history can be found here:

This is what it looks like on different Platforms and Clients:

Windows

iOS

macOS

When trying to connect, a Browser Window suddenly pops up trying to access a URL which seems Duo related, but I'm Radius only. The serverreply variable holds the Reply-Message sent from the Radius Server

Reply-Message = "Please enter your passcode (primary: One-Time Password):"


https://sma-address/__api__/v1/logon//duosonicwall?serverreply=UGxlYXNlIGVudGVyIHlvdXIgcGFzc2NvZGUgKHByaW1hcnk6IE9uZS1UaW1lIFBhc3N3b3JkKTo=
 

{
  "documentation_url": "/__api__/v1/doc.json",
  "message": "Not Found"
}

@Simon are you aware of anything about that? Please keep in mind this worked until 10.2.0.7.

--Michael@BWC

Category: Secure Mobile Access Appliances

Answers

  • Simon Moderator

    @bwc, Michael,

    SMA-2517 Radius Challenge not working in Contemporary Mode, Classic mode works and its clone in 10.2.0.x SMA-2518 fixed this issue in 10.2.1.0-16sv (10.2.1.0-17sv was the released version) and is to fix it in the upcoming 10.2.0.8 respectively.

    That 10.2.1.0-16sv fix should have flowed into 10.2.1.1.

    There is a failure called a regression bug. It is very rare but it is not impossible, at compile time, for a prior fix to fail to be integrated.

    I'd suggest you open a support case and provide this information and your TSR and config along with your captures demonstrating the issue remains. If this is a regression bug they can generate you an engineering image to fix it very quickly.

    ........Michael

  • BWC Cybersecurity Overlord ✭✭✭
    edited July 21

    Hi @Simon , Classic and Contemporary Mode works just fine, it's the NetExtender/MobileConnect which got messed up. This was working fine for ages so a failed fix at compile-time does not seem very likely?

    My bet is on "DUO Security Authentication Support for NetExtender and Mobile Connect Clients" which seems to break Radius Authentication and would explain why MobileConnect is opening up a Browser Window with some Duo related URL.

    Either way, I guess I have to do the Support Rodeo again.

    --Michael@BWC

  • Simon Moderator

    @BWC I am inclined to agree with you. It is an old theory that if something is broken the last thing touched in that area was what broke it.

    Sorry, but a support case will be required.

  • rhnac Newbie ✭

    Just opened a ticket with a very similar problem. Web-based authentication is working fine with 2FA but NetExtender hangs at Verifying... instead of prompting for my 2FA code. Loaded the previous firmware and everything is working fine again.

  • rhnac Newbie ✭

    Response from Support...

    Thank you for contacting SonicWall. I have taken ownership of your case, I'll be assisting you further on this case.

    I would like to tell you that currently we have a lot of bugs opened for 10.2.1.0, which also included a bug for NetExtender as well.

    I would recommend you to stay on 10.2.0.7 based on my experience as it is the most stable version as of now.

  • BWC Cybersecurity Overlord ✭✭✭

    @rhnac That's an honest statement from Support :)

    I'm still in the Phase "Please help me the TSR and Netextender (logs and debug logs) also, so that I can get this checked with Engineering.".

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Still broken in 10.2.1.1 for all who had some hope.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    The newly released 10.2.0.8 seems to be working OK. I did not check Portal Access through /spog but it is mentioned as fixed in the Release Notes. So it's the 10.2.1.x branch which causes all the trouble.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    We're almost there, Radius C/R got fixed in a developer build I've got, but /spog (Contemporary Mode) got broken in a weird way.

    SNWL is on it, can't wait for a final release with all of my problems resolved and no new bugs included.

    --Michael@BWC
