Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

SMA 100 - Firmware 10.2.1.0 breaks Radius C/R (OTP) for NetExtender/MobileConnect

BWCBWC Cybersecurity Overlord ✭✭✭

Hi,

as part of the never ending story "Fix Something / Break Something else", the Radius Challenge/Response for accessing the Portal through /spog got fixed in 10.2.1.0, but the former working Radius C/R got broken for NetExtender/MobileConnect.

Some history can be found here:

This is how it looks like on different Platforms and Clients:

Windows

iOS

macOS

When trying to connect a Browser Windows suddenly pops up trying to access an URL which seems Duo related, but I'am Radius only. The serverreply variable holds the Reply-Message sent from the Radius Server

Reply-Message = "Please enter your passcode (primary: One-Time Password):"


https://sma-address/__api__/v1/logon//duosonicwall?serverreply=UGxlYXNlIGVudGVyIHlvdXIgcGFzc2NvZGUgKHByaW1hcnk6IE9uZS1UaW1lIFBhc3N3b3JkKTo=
 

{

  "documentation_url": "/__api__/v1/doc.json",

  "message": "Not Found"

}

@Simon are you aware of anything about that? Please keep in mind this worked until 10.2.0.7.

--Michael@BWC

Category: Secure Mobile Access Appliances
Reply

Answers

  • SimonSimon Moderator

    @bwc, Michael,

    SMA-2517 Radius Challenge not working in Contemporary Mode, Classis mode works and its clone in 10.2.0.x SMA-2518 fixed this issue in 10.2.1.0-16sv (10.2.1.0-17sv was the released version) and is to fix it in the upcoming 10.2.0.8 respectively.

    That 10.2.1.0-16sv fix should have flowed into 10.2.1.1.

    There is a failure called a regression bug. It is very rare but it is not impossible, at compile time, for a prior fix to fail to be integrated.

    I'd suggest you open a support case and provide this information and your TSR and config along with your captures demonstrating the issue remains. If this is a regression bug they can generate you an engineering image to fix it very quickly.

    ........Michael

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited July 2021

    Hi @Simon , Classic and Contemporary Mode works just fine, it's the NetExtender/MobileConnect which got messed up. This was working fine for ages so a failed fix at compile-time does not seem very likely?

    My bet is on "DUO Security Authentication Support for NetExtender and Mobile Connect Clients" which seems to break Radius Authentication and would explain why MobileConnect is opening up a Browser Window with some Duo related URL.

    Either way, I guess I have to do the Support Rodeo again.

    --Michael@BWC

  • SimonSimon Moderator

    @BWC I am inclined to agree with you. It is an old theory that if something is broken the last thing touched in that area was what broke it.

    Sorry, but a support case will be required.

  • rhnacrhnac Newbie ✭

    Just opened a ticket with a very similar problem. Web-based authentication is working fine with 2FA but NetExtender hangs at Verifying...instead of prompting for my 2FA code. Loaded the previous firmware and everything is working fine again.

  • rhnacrhnac Newbie ✭

    Response from Support...

    Thank you for contacting SonicWall . I Have taken ownership of your case, I 'll be assisting you further on this case.

    I would like to tell you that currently we have lot of bug been opened for 10.2.1.0 which also included bug for netextender as well.

    I would recommend you to stay on 10.2.0.7 based on my experience as it is the most stable version as of now.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @rhnac That's a honest statement from Support :)

    I'am still in the Phase "Please help me the TSR and Netextender (logs and debug logs) also, so that I can get this checked with Engineering.".

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Still broken in 10.2.1.1 for all who had some hope.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    The newly released 10.2.0.8 seems to be working OK. I did not checked Portal Access through /spog but it is mentioned as fixed in the Release Notes. So it's the 10.2.1.x branch which causes all the trouble.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    We're almost there, Radius C/R got fixed in a developer build I've got, but /spog (Contemporary Mode) got broken in a weird way.

    SNWL is on it, can't wait for a final release with all of my problems resolved and no new bugs included.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    There is some light at the end of the tunnel, today I've got a developer-build from Engineering (SMA 10.2.1.2-23sv-SMA2935) and it seems to fix the Radius related issue. Hopefully this will be generally available soon.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Firmware 10.2.1.2 got released and the private build looked promising, but what the heck, the final version messed things up again. What is going on? I'am glad that I did not allowed to close my ticket until further notice. Ridicules.

    The Duo related Browser window which was appearing on macOS only now pops up on Windows NetExtender and iOS MobileConnect as well.

    This is very frustrating considering all the time I spent with DEV.

    --Michael@BWC

  • SyscareSyscare Newbie ✭

    Similar problem here!

    I am in the process of implementing SMA410 with NPS and Azure MFA.

    Login to the web portal of the SMA worked in 10.2.1.0, 10.2.1.1 and 10.2.1.2 but not Netextender.

    Support wasn't helpful at all!

    Finally I decided to go to 10.2.0.8 and it worked!

    It looks like Sonicwall enineering is just adding new bugs to the products...

    Very frustrating!!!

  • BWCBWC Cybersecurity Overlord ✭✭✭

    I've got a new build which brings back Radius C/R once again, 10.2.1.2-24sv-SMA3228. Hopefully a new version will be released to the public soon.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    This issue seems to be resolved (again) with the latest Release 10.2.1.3-27sv.

    --Michael@BWC

  • 10.2.1.3 fixed a lot of vulnerabilities. Hope its stable that we can advise customer to upgrade.

Sign In or Register to comment.