ZyWALL USG and multiOTP Pro 420b
Hi there..
I am trying to connect a ZyWALL USG 50 with the multiOTP Pro 420b. I have five Zyxel OTP Tokens registered with SafeWord. After that I imported the "importAlpine.dat" in multiOTP. I can also assign the tokens to my users.
On the ZyWALL USG 50 web interface I added all settings from your presentation "Internetsichere_Kennwörter_OTP" from André Liechti CTO of SysCo.
So, when I try to connect with a user, the log in multiOTP says "from (192.168.200.1) for [172.16.120.64] Error: authentication failed for user ids".
Do you have any solutions for my problem? Or a setup manual?
Regards,
Luke
This discussion has been closed.
Comments
Thanks for using our multiOTP Pro device.
On the multiOTP Pro side, did you set up a PIN code for the user ids, and are you requesting the PIN prefix? If yes, you need to type the PIN just before the OTP.
Are your tokens new or already used? If they are already used, it's possible that their internal counter is too far away and you need to resynchronize your tokens. To do that, you simply have to give two consecutive tokens separated with a space, instead of only one (and don't forget to also type the prefix PIN twice, before the displayed OTP, if enabled for the user).
Thanks for keeping us in touch. If you cannot fix your problem, we can do a remote support session tomorrow morning.
Best regards,
Andre
Let's say your user ids is linked with the token with the serial number 0001000200AB, without PIN prefix activated (note that it's not a good idea to uncheck the PIN prefix, because if someone steals your token, he can connect directly).
When you click on the button of your token, a 6-digit One-Time Password is displayed (let's say 123321).
To make a legacy logon, you will have to type the following:
User Name: ids
Password: 123321
One-Time Password: (leave empty)
or
User Name: ids
Password: (leave empty)
One-Time Password: 123321
ZyXEL USG automatically concatenates the password (which is the PIN prefix) and the one-time password.
To make a logon with token synchronisation:
Click once on the token, and a 6-digit One-Time Password is displayed (let's say 112345).
When the first OTP has disappeared, click once again on the token, and a new 6-digit One-Time Password is displayed (let's say 223456).
Now, you can do a resynchronisation during the login:
User Name: ids
Password: 112345 223456 (you must type a space between the two OTPs)
One-Time Password: (leave empty)
or
User Name: ids
Password: (leave empty)
One-Time Password: 112345 223456 (you must type a space between the two OTPs)
If you had checked the PIN Prefix with a prefix defined as 9789:
User Name: ids
Password: 9789112345 9789223456 (you must type a space between the two prefixed OTPs)
One-Time Password: (leave empty)
or
User Name: ids
Password: (leave empty)
One-Time Password: 9789112345 9789223456 (you must type a space between the two prefixed OTPs)
Hope it helps
Keep us in touch
Regards,
Andre
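How a server can treat the one-OTP and two-OTP password formats described above, as an added sketch that is not multiOTP's own code. It assumes an RFC 4226 (HOTP) event-based token; the function names, window sizes and sample secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter position."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def strip_pin(field: str, pin: str, digits: int):
    """Return the OTP part of one 'PIN+OTP' field, or None if malformed."""
    if len(field) != len(pin) + digits or not field[len(pin):].isdigit():
        return None
    if not hmac.compare_digest(field[:len(pin)].encode(), pin.encode()):
        return None
    return field[len(pin):]

def verify(secret, counter, password, pin="", digits=6, window=3, resync_window=500):
    """Return the next server counter on success, or None on failure.

    One field  -> normal logon, small look-ahead window (assumed size).
    Two fields -> resynchronisation: both OTPs must match consecutive
                  counters, which is what justifies the larger search window.
    """
    otps = [strip_pin(f, pin, digits) for f in password.split(" ")]
    if None in otps or len(otps) not in (1, 2):
        return None
    span = window if len(otps) == 1 else resync_window
    for c in range(counter, counter + span):
        if all(hmac.compare_digest(hotp(secret, c + i, digits).encode(), otp.encode())
               for i, otp in enumerate(otps)):
            return c + len(otps)  # counters up to here are never accepted again
    return None

# Constructed sample: RFC 4226 test secret; the token button was pressed 8 times unnoticed.
SECRET = b"12345678901234567890"
SERVER_COUNTER, TOKEN_COUNTER, PIN = 0, 8, "9789"
first, second = hotp(SECRET, TOKEN_COUNTER), hotp(SECRET, TOKEN_COUNTER + 1)

if __name__ == "__main__":
    print(verify(SECRET, SERVER_COUNTER, PIN + first, PIN))                    # None
    print(verify(SECRET, SERVER_COUNTER, f"{PIN}{first} {PIN}{second}", PIN))  # 10
```

A single OTP from a drifted token fails because it lies outside the small window, while the same OTP followed by its successor is accepted and moves the server counter past both values.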
- multiOTP Pro has made no logs since 8.50 this morning. I tried to fix it with a reboot, without success.
Just for the others following the forum, what was the issue? The idea is also to know how to be more clear in the quick start guide and in the forthcoming online help. Our goal is that anybody can set up the device and create twenty accounts in less than 10 minutes!
Oops, a ghost user reference? Here is how to fix it:
Let's say you have an extra ghost user GHOST (that you have deleted) for the token 0001000200AB.
Here is how to remove this annoying reference (it will be nicely fixed in the next release):
1) create again the basic user GHOST
2) edit the user and attribute to the user GHOST the hardware token 0001000200AB. Apply the change.
3) edit the user again and set the token back to software
The next release will check for orphaned when we delete a user that is linked with a token.
Concerning the logs, there is sometimes an issue with the log of the various radius operations after release version 4.2.2. The 4.2.4 release (actually in QA test) will fix that in the next days (available release is checked once a day automatically by the device, and you can also visit the update webpage http://firmware.multiotp.com/update/).
Besides that, I also invite you to check the software token feature, which is a cheap and secure alternative to hardware tokens.
Regards, thanks for using our product, and happy authentication!
Andre
Thanks for your feedback. I will keep you in touch when the discussed fixes are done.
Regards,
Andre