Hardware token being locked out
Hi,
Reaching out for some help if possible.
We are based in the UK and we have people working offshore in India who use hardware tokens (Feitian OTP c200) to sign in through Authpoint. One person who uses a token can sign in fine. I have another generic user id however, that is shared between three people who also pool three tokens, that constantly has the tokens blocked. Sometimes they can log in fine but the majority of the time I come in in the morning and they are locked out and I have to unblock them. With the time difference however that means they have missed half a day signing in to the system.
I'm unable to shadow them or remote onto their machine, so it's a bit difficult trying to see where the problem lies. I have resynced all the tokens but the problem persists. However, looking through the logs I'm finding a strange series of events that I can't replicate. There will be an Authorized event, Category RADIUS, Sub-Category LDAP_OTP, followed on average 10 secs later by an Unauthorized event, Reason: The OTP is not valid. After a few of these the token is blocked.
I don't understand why it's showing authorised followed by unauthorised, with the token looking like it is the culprit for this second unauthorised message. If I try and replicate it this side by purposefully entering an incorrect code, or an old one, I just can't get the same series of events. It just won't authorise it. I won't get an authoristion followed by an unauthorised one.
If anybody could help with this as I'm starting to tear my hair out with it.....and I need all the hair I can get at the moment!
Thanks very much.
Comments
Hi Jono,
The first thing that pops into my mind is that you may be experiencing some time drift. The OTP tokens (both the branded WatchGuard ones, and the third party ones) work off time to calculate the appropriate token on their displays.
-Check that AuthPoint gateway's server has the correct time, and is preferably synced to an NTP server.
-Check the client workstation's time and that it's synced to something that is also NTP. (Client machines are often synced to an AD server, that should be synced to NTP.
If that doesn't help, I'd suggest opening a case so that one of our support team can help take a look at your logs and determine what might be going wrong.
I'd also suggest that sharing tokens isn't a particularly good idea from a security standpoint. The security posture of your network is only as good as its weakest link.
-James Carson
WatchGuard Customer Support
Thanks James.
I'm being advised that they sync to their server which is synced via NTP, and so is my gateway server.
There is something definitely amiss though. I have come in today to 2 out of 3 tokens blocked. Looking in the logs they have an authorization and then 10 secs later 2 of the tokens get blocked, no reason given!
I have resynced the tokens in the past as well, just to make sure there is no drift between our gateway and the tokens themselves.
Thanks for your help. I will log a call, even though that seems to be down at the moment.