Using Packet Monitor to troubleshoot One Time Password (OTP) on imported LDAP groups

Description

Packet Monitor can be used to determine whether the information required to generate a One Time Password has been requested from, and returned by, the LDAP server. It can also be used to confirm that the firewall has sent the One Time Password by e-mail.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

To facilitate the troubleshooting of OTP issues, LDAP and SMTP traffic must not be encrypted, so that the LDAP attribute query and the OTP e-mail are readable in the capture. Restore the TLS settings once troubleshooting is complete.

  1. Under the LDAP settings, disable TLS and make sure that port 389 has been selected.

    Image

  2. Make sure a valid mail server is configured on the firewall. The mail server settings are found under Log/Automation.

    Image



  3. Make sure a group has been imported and that OTP has been configured on that group. In this example we will use a group required for SSL VPN access.

    Image

    The user is a member of this group but has not been imported into the firewall. The email address has been confirmed on the LDAP server for that particular user.

    Image

  4. Configure the Packet Monitor to capture TCP traffic on ports 25 and 389 and start the capture.

    Image

  5. Use NetExtender for the test and enter the user credentials.

    Image

  6. You will then be prompted for the one time password.

    Image

  7. Under the Packet Monitor, LDAP and SMTP packets should be visible.

    Image

  8. Export the capture as Pcapng.

    Image

  9. Open the capture in Wireshark and filter for "imf", as shown below.

    Image
    Note: Wireshark can be downloaded from www.wireshark.org


  10. Right-click on the Internet Message Format section and select Show Packet Bytes.

    Image



    The OTP should then be visible.

    Image


  11. Enter the OTP into the NetExtender OTP field and click on OK.

    Image


  12. Once the user has connected, it should be possible to view the OTP event in the Event Log.

    Image


    If no prompt for an OTP is received and instead the following message is displayed, it will be necessary to check the capture to see whether any email information was delivered to the firewall.

    Image

    Note: This message is displayed on NetExtender. In this example we are using NetExtender to test OTP over SSL VPN.

  13. Filter Wireshark for ldap.type == "mail", as shown below.

    Image


  14. Right-click on the LDAP section of the packet details and select Show Packet Bytes.

    Image

    The email address should be visible in the Packet Bytes if it was retrieved correctly.

    Image

    If no email address is returned, further investigation on the LDAP server (permissions on the user object, the mail attribute being populated, etc.) is required. Whether the firewall actually submitted a request for this attribute can be determined by filtering the capture for ldap.AttributeDescription == "mail".

    Image

    If packets match this filter, the firewall has requested the attribute and the LDAP server should have returned it.
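    The same checks (steps 7 to 14 above) can be run in one pass over a tshark field export of the capture instead of clicking through Wireshark. This is an added example, not part of the original article or SonicWall's tooling; it assumes the capture was exported with `tshark -r otp.pcapng -T fields -E header=y -e frame.number -e _ws.col.Protocol -e ldap.AttributeDescription -e ldap.type -e ldap.AttributeValue -e imf.subject`, and the field names other than ldap.AttributeDescription and ldap.type are assumed. The sample rows are constructed, not from a real capture.

```python
import csv
import io

# Constructed sample in the shape of the assumed tshark command above.
# Frame 2: firewall's LDAP search request naming the "mail" attribute.
# Frame 3: LDAP server's reply carrying the value.
# Frame 5: the OTP e-mail (IMF over SMTP, port 25) leaving the firewall.
SAMPLE_TSV = (
    "frame.number\t_ws.col.Protocol\tldap.AttributeDescription\t"
    "ldap.type\tldap.AttributeValue\timf.subject\n"
    "1\tTCP\t\t\t\t\n"
    "2\tLDAP\tmail\t\t\t\n"
    "3\tLDAP\t\tmail\tjdoe@example.com\t\n"
    "4\tSMTP\t\t\t\t\n"
    "5\tIMF\t\t\t\tYour One Time Password\n"
)


def parse_rows(tsv_text):
    """Parse tshark '-T fields -E header=y' output; an empty cell means the field is absent."""
    return list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))


def triage(rows):
    """Apply the article's decision tree and return (finding, what to check next)."""
    ldap = [r for r in rows if r["_ws.col.Protocol"] == "LDAP"]
    requested = any(r["ldap.AttributeDescription"] == "mail" for r in ldap)
    returned = [r["ldap.AttributeValue"] for r in ldap
                if r["ldap.type"] == "mail" and r["ldap.AttributeValue"]]
    otp_mail = [r["imf.subject"] for r in rows if r["_ws.col.Protocol"] == "IMF"]
    if otp_mail:
        return "otp_sent", "OTP e-mail left the firewall (subject: %r); the OTP is in the IMF packet bytes" % otp_mail[0]
    if returned:
        return "email_retrieved_no_smtp", "LDAP returned %s but no e-mail was sent; check the mail server settings under Log/Automation" % returned[0]
    if requested:
        return "mail_requested_not_returned", "firewall asked for 'mail' but the LDAP server returned no value; check permissions and the attribute on the LDAP server"
    return "mail_never_requested", "no request for 'mail' seen; check the group import, the OTP setting on the group, and the LDAP port/TLS settings"


if __name__ == "__main__":
    finding, next_check = triage(parse_rows(SAMPLE_TSV))
    print(finding, "-", next_check)
```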
