ZyWALL USG and multiOTP Pro 420b

edited April 2014 in Hardware device
Hi there..

I try to connect a ZyWALL USG 50 with the multiOTP Pro 420b. I have five Zyxel OTP Tokens registered with SafeWord. After that I imported the "importAlpine.dat" in multiOTP. I can also assign the tokens to my users.

On the ZyWALL USG 50 web interface I added all settings from your presentation "Internetsichere_Kennwörter_OTP" from André Liechti, CTO of SysCo.

So, when I try to connect with a user, the log in multiOTP says "from (192.168.200.1) for [172.16.120.64] Error: authentication failed for user ids"

Do you have any solutions for my problem? Or a setup manual?

Regards,

Luke

Comments

  • edited April 2014
    Hello Luke,

    Thanks for using our multiOTP Pro device.

    On multiOTP Pro side, did you set up a PIN code for the user ids, and are you requesting the PIN prefix? If yes, you need to type the PIN just before the OTP.

    Are your tokens new or already used? If they are already used, it's possible that their internal counter is too far away and you need to resynchronize your tokens. To do that, you simply have to give two consecutive tokens separated with a space, instead of only one (and don't forget to also type the prefix PIN twice before the displayed OTP if enabled for the user).

    Thanks for keeping us in touch. If you cannot fix your problem, we can do a remote support session tomorrow morning.

    Best regards,

    Andre
  • edited April 2014
    A complete electronic help guide is under review and it will be integrated directly in the multiOTP Pro product in a release update during the next weeks.

    Regards,

    Andre
  • Hello Andre

    Yes, I set up a PIN code but I unchecked the PIN Prefix.

    No, the tokens are not already used. I used one or two tokens only for tests.

    Sorry I don't know how I resync a token.
    Can you make an example? 

    Thanks a lot!

    Luke



  • edited April 2014
    Hi Luke,

    Let's say your user ids is linked with the token with the serial number 0001000200AB, without PIN prefix activated (note that it's not a good idea to uncheck the PIN prefix, because if someone steals your token, he can connect directly).

    When you click on the button of your token, a 6-digit One-Time Password is displayed (let's say 123321).

    To make a legacy logon, you will have to type the following:

    User Name: ids
    Password: 123321
    One-Time Password: (leave empty)
    or
    User Name: ids
    Password: (leave empty)
    One-Time Password: 123321

    ZyXEL USG concatenates automatically the password (which is the PIN prefix) and the one time password.


    To make a logon with token synchronisation:
    Click once on the token, and a 6-digit One-Time Password is displayed (let's say 112345).
    When the first OTP has disappeared, click once again on the token, and a new 6-digit One-Time Password is displayed (let's say 223456).
    Now, you can do a resynchronisation during the login:
    User Name: ids
    Password: 112345 223456 (you must type a space between the two OTPs)
    One-Time Password: (leave empty)
    or
    User Name: ids
    Password: (leave empty)
    One-Time Password: 112345 223456 (you must type a space between the two OTPs)

    If you had checked the PIN Prefix with a prefix defined as 9789:
    User Name: ids
    Password: 9789112345 9789223456 (you must type a space between the two prefixed OTPs)
    One-Time Password: (leave empty)
    or
    User Name: ids
    Password: (leave empty)
    One-Time Password: 9789112345 9789223456 (you must type a space between the two prefixed OTPs)

    Hope it helps

    Keep us in touch

    Regards,

    Andre
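
The resynchronisation logon described in the reply above, sketched from the server side as an added example (not part of the original thread and not multiOTP's own code). It assumes the tokens are counter-based HOTP tokens (RFC 4226); the function names, the window sizes and the RFC test key are constructed for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 test key, constructed sample input

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP value for one counter position."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def same(a, b):
    """Constant-time comparison that also tolerates non-ASCII input."""
    return hmac.compare_digest(a.encode(), b.encode())

def strip_pin(value, pin):
    """Return the OTP part, or None when the expected PIN prefix is missing."""
    return value[len(pin):] if value.startswith(pin) else None

def verify(secret, counter, field, pin="", window=10, resync_window=1000):
    """Check the submitted field; return (accepted, counter_to_store).

    One value:  normal logon, searched in a small look-ahead window.
    Two values: resynchronisation, searched in a much larger window, but
                accepted only if both OTPs belong to consecutive counters.
    """
    parts = [strip_pin(p, pin) for p in field.split()]
    if not parts or None in parts or len(parts) > 2:
        return False, counter
    span = window if len(parts) == 1 else resync_window
    for c in range(counter, counter + span):
        if not same(hotp(secret, c), parts[0]):
            continue
        if len(parts) == 1:
            return True, c + 1
        if same(hotp(secret, c + 1), parts[1]):
            return True, c + 2
    return False, counter

if __name__ == "__main__":
    # Token pressed 7 times without logging in; server still stores counter 0.
    print(verify(SECRET, 0, "162583", window=3))             # rejected
    print(verify(SECRET, 0, "162583 399871", window=3))       # resynchronised
    print(verify(SECRET, 0, "9789162583 9789399871", pin="9789"))
```

Requiring two consecutive values is what makes the much larger search window acceptable: a single guessed 6-digit code is far more likely to match somewhere in 1000 counter positions than in 10.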
  • Hi Andre,

    IT WORKS! With all five tokens. :-)

    But I have two questions:

    - multiOTP Pro has made no logs since 8.50 this morning. I tried to fix it with a reboot. Without success.

    - One token has now two users. But one of these users doesn't exist. How can I delete that "Ghost-User"?

    Best Regards,

    Luke
  • Hi Luke,

    Just for the others following the forum, what was the issue? The idea is also to know how to be more clear in the quick start guide and in the forthcoming online help. Our goal is that anybody can set up the device and create twenty accounts in less than 10 minutes!

    Oops, a ghost user reference? Here is how to fix it:

    Let's say you have an extra ghost user GHOST (that you have deleted) for the token 0001000200AB.
    Here is how to remove this annoying reference (it will be nicely fixed in the next release):
    1) create again the basic user GHOST
    2) edit the user and attribute to the user GHOST the hardware token 0001000200AB. Apply the change.
    3) edit the user again and set the token back to software

    The next release will check for orphaned when we delete a user that is linked with a token.

    Concerning the logs, there is sometimes an issue with the log of the various RADIUS operations after the release version 4.2.2. The 4.2.4 release (currently in QA test) will fix that in the next days (available release is checked once a day automatically by the device, and you can also visit the update webpage http://firmware.multiotp.com/update/)

    Besides that, I also invite you to check the software token feature, which is a cheap and secure alternative to hardware tokens.

    Regards, thanks for using our product, and happy authentication!

    Andre
  • Hi Andre,

    I had a ZyWALL from our lab. I don't know how many settings were modified. So I did a factory reset and configured the firewall anew with your settings.
    After that I assigned the tokens anew with the PIN PREFIX option in multiOTP Pro. Then I tried it again and it works now! :-)

    The "Ghost-User" is deleted. Thanks for your little manual.

    That's ok. Now I can brief my customer.

    I will check the software token feature. Thanks for your hint!

    Now I want to say thank you very much for your great support! It's a long time ago, if I get support like this! :-)
    Our customer is glad to use the multiOTP product.

    Best regards,

    Luke

  • Hi Luke,

    Thanks for your feedback. I will keep you in touch when the discussed fixes are done.

    Regards,

    Andre
  • Hi Luke, the 4.2.4.1 release (2014-04-06) fixes both issues (logs are here again and attributed user is removed from token when user is deleted).
    Regards,
    Andre
This discussion has been closed.