SMA 500v - Radius Challenge not working in contemporary mode

BWC Cybersecurity Overlord ✭✭✭

Hi,

it's just not ending with the contemporary mode, but today I tried to access a portal which is secured by Radius authentication with Challenge-Response. Running a SMA 500v with 10.2.

Username/password gets accepted, but the challenge (token) in the next step gets the red bar on the top showing an error message "You can't do this authentication api". I never tried this before, because the Radius authentication is usually for NetExtender and this is working without problems, but I guess it's broken since 10.0.

Connecting to the portal in classic mode works without a problem, so it's not a Radius issue, it's the /spog again.

Is this a known problem? If not I would probably open up a ticket.

--Michael@BWC

Category: Secure Mobile Access Appliances

Answers

  • KaranM Administrator

    Hi @BWC ,

    I trust you are safe and well!

    This sounds similar to the reported issue (SMA-1087). The Engineering team is working on this and the expected version to incorporate this fix is set to 10.2.1.0.

    Having said that, I would recommend opening a web case with the Support team and getting it checked by a Support agent.


    Thank You

    Knowledge Management Senior Analyst at SonicWall.

  • BWC Cybersecurity Overlord ✭✭✭

    In 10.2.0.1 this got even worse, the error message about the authentication API got replaced with an Internal server error, all well in classic mode. Waiting for 10.2.1.0 then.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @DerekYu

    any word when 10.2.0.2, which includes the needed fix, will be released? It's very hard to discuss with the customers why it's not working with this cursed contemporary mode and they need to switch to classic first. Not so IT-savvy end users don't get it and cause all kinds of trouble.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @DerekYu

    one customer reported today an "Internal Server Error" message when trying to log in with Radius and OTP (C/R). It's all working great in classic mode, but /spog is a mess.

    Are there still problems open which will be addressed in 10.2.1.0 and what's the ETA on that?

    --Michael@BWC

  • Simon Moderator

    Hi @BWC

    SMA-1087 will be fixed in 10.2.0.3. I do not have a date for predicted release. I expect it to be relatively soon.

    If you need a fix immediately, please open a case and ask for the engineering private build of firmware with the fix from SMA-1087.

    10.2.1.0 is predicted to be released in early 2021.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Simon

    thanks for the feedback, it's somewhat sobering that it takes 6+ months to get this addressed properly. Looking forward to the next updates.

    --Michael@BWC

  • Simon Moderator

    Hi @BWC

    I am not sure why it did not make the 10.2.0.2 release - may have been some issue with the fix they tried when it came to the QA testing prior to release. That happens on occasion.

  • Simon Moderator

    Hi @BWC

    To answer, as much as I can: Are there still problems open which will be addressed in 10.2.1.0 and what's the ETA on that?

    It is the nature of software for complex systems that there will be problems fixed in any release. Why else have one? Further, 10.2.1.0 is a minor feature release, so there are limited function changes in this version as well.

    I do not have a list of issues I can provide. There are very few. They are for the most part in QA testing. To have a clean list, pull the release notes when the upgrade is published.

    I can only give an educated guess for when 10.2.1.0 will be released. My guess is late January to mid February 2021. Until all fixes and new features have cleared QA testing it is not at all certain this is correct.

  • BWC Cybersecurity Overlord ✭✭✭
    edited November 2020

    Just to keep this thread alive in case someone stumbles over it, SMA-1087 does not seem to be related to the Radius/OTP problem after all, because it's marked as fixed in 10.2.0.3 but the problem still exists.


  • BWC Cybersecurity Overlord ✭✭✭
    edited January 8

    Hi @Simon @KaranM @DerekYu

    while cleaning up open cases/issues I'm still stumbling over that ongoing Radius-Challenge trouble. It's still there in 10.2.0.3.

    Will it be fixed or do I need to give up on that?

    Radius-Challenge (2FA) is working fine in classic mode.

    Radius-Challenge in Contemporary Mode (SPOG) on Firefox is returning to Domain Selection when Access-Challenge got requested from Radius-Server. No further messages in the Developer Console. No Multi-Factor-Login via Radius possible.

    Radius-Challenge in SPOG on Google Chrome is showing a red alert box when Access-Challenge got requested. Developer Console in Browser shows an HTTP 500 (Internal Server Error) for requesting /__api__/v1/logon/4865304c6c7a51554272497737657a7552594d5774356f7a3576585067585233/authenticate on the SMA.

    Is this an already known problem or do I need to open a new case?

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Simon @KaranM @DerekYu @Chris @Micah

    because MFA got some more attention in the recent days, what about the above? Never got any feedback, which is unfortunate because /spog gets forced so hard and users have to adjust the URL manually because there is no switch from contemporary to classic mode.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Well, I guess that's a no. I'm officially the one and only having this problem, congrats to me.🍾

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭
    edited February 20

    And another one, 10.2.0.6 still having the same problem in contemporary mode, classic is working fine though (for that matter). If MFA is so important to avoid weak authentication (and having them exposed via SQL injection etc.), why not fix this?

    BTW, not having a domain selection list at the login throws a 404 for https://mysmahostname.domain/__api__/v1/config/domains

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    I opened Ticket #43661658 for this dilemma and will keep it posted, even if no one seems to be interested.

    See you all on the other side.

    --Michael@BWC
