Issues found when enrolling device

After installing TRASA successfully and accessing the web console, there is an issue with the enrollment of the mobile device.

While on “Part 1 - Setup TRASA server and root account”, I followed the steps of changing the root password and then enrolling the device, and after getting TRASA Authenticator the next step was scanning the QR code, which led to this error:

Even refreshing the page did not work; that error message persists.

Hope the image is clear, as the app disallows screenshots, so alternatively I took a picture of it.

Any thoughts?

This might be counter-productive… but is there a way to bypass 2FA using TRASA?

Hi, the expiry time of the QR code is set to around 6 minutes. Did it take longer than that to enrol your device? Also, if it had already expired during the first try, it would not have succeeded in subsequent tries either.

Hi, in fact the service had been up for longer than that period of time when trying to enrol the device.

After restarting and trying again, now I get the following error:

**Alert**
Error: Network Error

I am currently connected to a VPN accessing the server where TRASA is installed, and in the future (as in the final product on the client environment) the machine is supposed to be self-hosted without internet access, only internal network connections. Is there a way to connect via a proxy and bypass these authentication agents?

Is your mobile device connected to the internet? After you scan the QR code, it tries to sync to the TRASA server via the TRASA cloud proxy. This synchronization is required for TRASA Push U2F to work. But if you only wish to use TOTP (offline mode), it should have already been set up despite the error message.

Note that both the TRASA server and the mobile app should be connected to the internet to register a device for Push U2F.

Yes my mobile device is connected to the internet, but I begin to realize the issue, I think…

That’s maybe the problem: I am testing this server in the same conditions as it would be in the client environment… therefore there is no internet access.

However, I’m trying to find the offline mode in the tutorial. Also, I am running TRASA without Docker.

Also I noticed that by commenting out the line `cloudServer = "https://sg.cpxy.trasa.io"` it wouldn’t throw me the QR code expiration, and would hang on for a little more time, but yes, that’s when the “network error” occurs.

There is no specific guide for offline mode setup. Both Push U2F and TOTP are default actions, and the mobile app tries to register both methods after scanning the QR code. But even if the Push U2F sync fails, the default fallback is TOTP registration (i.e. offline mode). Can you see the TRASA icon in the app after exiting the network error alert you mentioned earlier?

You mean like this situation shown on setup tutorial?

No, it doesn’t show up, nothing changes.

Yes that’s what I meant.
Can you check the log file at /var/log/trasa.log to see if there’s anything interesting?

This is what I have from the latest events:

```text
time="2021-04-23T15:15:15+01:00" level=info msg="database connection successful" func=github.com/seknox/trasa/server/global.DBconn file="global/global.go:245"
time="2021-04-23T15:15:15+01:00" level=info msg="HTTPs server started. " func=main.StartServer file="server/server.go:159"
time="2021-04-23T15:15:15+01:00" level=info msg="Radius server started on port 1812/udp" func=main.StartRadiusServer file="server/radiusServer.go:26"
time="2021-04-23T15:15:17+01:00" level=info msg="TRASA SSH access proxy started" func=github.com/seknox/trasa/server/accessproxy/sshproxy.ListenSSH file="sshproxy/listner.go:49"
time="2021-04-23T15:15:49+01:00" level=error msg="failed to get device detail: Post \"https://sg.cpxy.trasa.io/api/v1/devicedetailpipe\": dial tcp: lookup sg.cpxy.trasa.io on [::1]:53: dial udp [::1]:53: socket: address family not supported by protocol" func=github.com/seknox/trasa/server/api/devices.GiveMeDeviceDetail file="devices/hMobile.go:154"
time="2021-04-23T15:17:20+01:00" level=info msg="database connection successful" func=github.com/seknox/trasa/server/global.DBconn file="global/global.go:245"
time="2021-04-23T15:17:20+01:00" level=info msg="HTTPs server started. " func=main.StartServer file="server/server.go:159"
time="2021-04-23T15:17:20+01:00" level=info msg="Radius server started on port 1812/udp" func=main.StartRadiusServer file="server/radiusServer.go:26"
time="2021-04-23T15:17:26+01:00" level=info msg="TRASA SSH access proxy started" func=github.com/seknox/trasa/server/accessproxy/sshproxy.ListenSSH file="sshproxy/listner.go:49"
time="2021-04-23T15:17:40+01:00" level=error msg="failed to get device detail: Post \"https://sg.cpxy.trasa.io/api/v1/devicedetailpipe\": dial tcp: lookup sg.cpxy.trasa.io on [::1]:53: dial udp [::1]:53: socket: address family not supported by protocol" func=github.com/seknox/trasa/server/api/devices.GiveMeDeviceDetail file="devices/hMobile.go:154"
time="2021-04-23T15:18:40+01:00" level=info msg="database connection successful" func=github.com/seknox/trasa/server/global.DBconn file="global/global.go:245"
time="2021-04-23T15:18:41+01:00" level=info msg="HTTPs server started. " func=main.StartServer file="server/server.go:159"
time="2021-04-23T15:18:41+01:00" level=info msg="Radius server started on port 1812/udp" func=main.StartRadiusServer file="server/radiusServer.go:26"
time="2021-04-23T15:18:45+01:00" level=info msg="TRASA SSH access proxy started" func=github.com/seknox/trasa/server/accessproxy/sshproxy.ListenSSH file="sshproxy/listner.go:49"
time="2021-04-23T15:18:51+01:00" level=error msg="failed to get device detail: Post \"/api/v1/devicedetailpipe\": unsupported protocol scheme \"\"" func=github.com/seknox/trasa/server/api/devices.GiveMeDeviceDetail file="devices/hMobile.go:154"
```
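The two distinct `failed to get device detail` errors in that log tell the whole story: with `cloudServer` set, the server cannot even resolve `sg.cpxy.trasa.io` because its resolver is `[::1]:53` and IPv6 sockets are unsupported on that host; with the line commented out, the request URL has no scheme at all. As an added example, not part of the thread or of TRASA's code, the Go program below classifies such logfmt error lines by cause and runs the preflight check on the `cloudServer` value that these failures call for. The sample log is a constructed copy of the lines quoted above; the cause labels, the regexes and `CheckCloudServer` are my own, not anything TRASA ships.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// SampleLog is a constructed copy of the /var/log/trasa.log lines quoted in the thread.
const SampleLog = `time="2021-04-23T15:15:15+01:00" level=info msg="HTTPs server started. " func=main.StartServer file="server/server.go:159"
time="2021-04-23T15:15:49+01:00" level=error msg="failed to get device detail: Post \"https://sg.cpxy.trasa.io/api/v1/devicedetailpipe\": dial tcp: lookup sg.cpxy.trasa.io on [::1]:53: dial udp [::1]:53: socket: address family not supported by protocol" func=github.com/seknox/trasa/server/api/devices.GiveMeDeviceDetail file="devices/hMobile.go:154"
time="2021-04-23T15:17:40+01:00" level=error msg="failed to get device detail: Post \"https://sg.cpxy.trasa.io/api/v1/devicedetailpipe\": dial tcp: lookup sg.cpxy.trasa.io on [::1]:53: dial udp [::1]:53: socket: address family not supported by protocol" func=github.com/seknox/trasa/server/api/devices.GiveMeDeviceDetail file="devices/hMobile.go:154"
time="2021-04-23T15:18:51+01:00" level=error msg="failed to get device detail: Post \"/api/v1/devicedetailpipe\": unsupported protocol scheme \"\"" func=github.com/seknox/trasa/server/api/devices.GiveMeDeviceDetail file="devices/hMobile.go:154"
`

// logfmt fields: level is a bare word, msg is a quoted string with \" escapes.
var (
	levelRe = regexp.MustCompile(`(?:^|\s)level=(\w+)`)
	msgRe   = regexp.MustCompile(`(?:^|\s)msg="((?:[^"\\]|\\.)*)"`)
)

// Cause labels (my own names) for the device-detail sync failures seen in the thread.
const (
	CauseDNS      = "dns-resolution-failed" // resolver at [::1]:53 unusable: IPv6 loopback not supported
	CauseNoServer = "cloud-server-unset"    // cloudServer commented out -> empty URL, no scheme
	CauseOther    = "other"
)

// ClassifyDeviceDetailError maps one decoded msg to a cause label, or ""
// when the message is not a device-detail sync failure at all.
func ClassifyDeviceDetailError(msg string) string {
	if !strings.HasPrefix(msg, "failed to get device detail") {
		return ""
	}
	switch {
	case strings.Contains(msg, "unsupported protocol scheme"):
		return CauseNoServer
	case strings.Contains(msg, ": lookup ") && strings.Contains(msg, ":53"):
		return CauseDNS
	default:
		return CauseOther
	}
}

// AnalyzeLog counts device-detail sync failures in logfmt output by cause.
func AnalyzeLog(log string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		lv := levelRe.FindStringSubmatch(line)
		if lv == nil || lv[1] != "error" {
			continue
		}
		m := msgRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		msg := strings.ReplaceAll(m[1], `\"`, `"`) // undo logfmt quote escaping
		if cause := ClassifyDeviceDetailError(msg); cause != "" {
			counts[cause]++
		}
	}
	return counts
}

// CheckCloudServer is the preflight a deployment should run on the
// cloudServer setting before relying on Push U2F: an empty value is exactly
// what produces `unsupported protocol scheme ""`, and anything that is not
// an https URL with a host will never reach the proxy. It returns the host
// that must be resolvable and reachable from the server.
func CheckCloudServer(raw string) (string, error) {
	if strings.TrimSpace(raw) == "" {
		return "", fmt.Errorf("cloudServer is empty: Push U2F sync will fail with unsupported protocol scheme; only TOTP (offline mode) can work")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("cloudServer %q must be an https:// URL with a host", raw)
	}
	return u.Hostname(), nil
}

func main() {
	for cause, n := range AnalyzeLog(SampleLog) {
		fmt.Printf("%-24s %d\n", cause, n)
	}
	for _, cfg := range []string{"https://sg.cpxy.trasa.io", ""} {
		host, err := CheckCloudServer(cfg)
		fmt.Printf("cloudServer=%q -> host=%q err=%v\n", cfg, host, err)
	}
}
```

On an air-gapped server the preflight will always fail on reachability even with a valid URL, which is the practical answer to the question in the thread: Push U2F cannot be registered there, and TOTP is the method to plan around.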

Can you try once to enrol a device with the Google Authenticator app?
If TOTP works there, we can confirm that there may be another configuration error which is preventing the TRASA app from functioning properly.

Good morning, yes I can confirm that with Google Authenticator the process went smoothly.


Good morning, when sharing root account details for testing by others in client premises, some questions were placed regarding 2FA:

I had to be online during that period of time to issue TOTP codes to that person, as I set up the root account on first login, so a workaround was to create a user account to perform tests, assigned to the services and with the administrator role.

But what if for some reason I had lost data from Google Authenticator while transferring my 2FA details to a new phone, for example?

Probably it would be advised not to dispose of the old phone, but then again, what if the old phone wasn’t available?

Those are relevant questions, and we need to prevent such situations.

Hi, as I understand it, you are asking what happens if the root administrator loses access to the 2FA device and is locked out?
As the second step verification process, TRASA first checks if a user has a 2FA device enrolled. If the device is enrolled, TRASA initiates the second step verification flow. Otherwise, the enrol device flow will be triggered. If by chance the root administrator loses access to the 2FA device and is locked out, one possible way of solving the issue would be manually deleting the 2FA device detail row for the root account from the database. This way, on the next login for the root account, TRASA will not be able to retrieve the device detail and will initiate the device enrol flow again, so that the root administrator will be able to register a new device and continue with TRASA.

In case a normal TRASA user loses access to the 2FA device, the root administrator can remove the device from the administrative dashboard. But for the root administrator, this must be done manually by accessing the database. This is by design, because allowing the 2FA device of the root administrator to be reset from the application itself would be a security risk.

Hello,
Yes exactly, I understand those designs.
So it’s also not designed to disable 2FA validation on each login?

The reason I ask that last question is because at some point the client questioned whether it’s possible to skip the 2FA process, despite it defeating the purpose of the application in our view, but your last reply shows exactly the point of TRASA, which I have already explained to the client.


> So it’s also not designed to disable 2FA validation on each login?

Yes, it is not designed to disable 2FA validation on each dashboard login.

However, 2FA can be disabled for upstream server login, which can be done by assigning a policy that skips 2FA checks.

Yes, creating a policy for that purpose was tested, and it works fine.