[Freeipa-users] ipa spamming radius with otp token?

Bahmer, Eric Vaughn bahmer at lanl.gov
Wed May 13 14:44:46 UTC 2015


Institutionally we have a hardware token set up: you use a PIN to unlock the device and it spits out a passcode.
The passcode allows access through Kerberos, RADIUS, or LDAP binds to Linux servers, or with a custom Apache module to websites.

I have an out-of-band private network set up that attaches to our intranet using a firewall/gateway server which does some port forwarding for various things like SSH, RDP.
I’m attempting to set up RADIUS on this firewall/gateway to be used as a proxy for freeipa to our token system which I’d like to be able to use behind the firewall.
However, I seem to be getting nearly a dozen requests into the RADIUS server; about half are dropped as duplicates, but usually 3-6 get through, and since it’s a single-use token the first attempt succeeds, but the rest fail and cause the hardware token to be blacklisted.
Is there a way to specify that the user radius login is a one-time token or is this something that sssd or pam is causing?
Or does the OTP support just not work in the way I need it to?
I have this issue with both the inbox 4.1.0 in RHEL7.1 or the upstream 4.1.4 rpms.

My only alternative is probably to set up a KDC on the firewall to trust the institutional realm and have the IdM kerberos realm trust that.
This is also a mixed linux/windows environment behind the firewall, I’ve enabled unix attributes in my AD and I’m using a script to sync uid/gid with the external ldap.
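The symptom described in this message (some requests dropped as duplicates, several others still reaching the token backend and burning the one-time code) comes down to how a RADIUS server decides what a "duplicate" is. The following is an added example, not code from the poster or from FreeIPA/sssd: it builds RFC 2865 Access-Request packets, applies the duplicate-detection rule from RFC 5080 section 2.2.2 (same source IP, source port, Identifier and Request Authenticator means a retransmission; a new Identifier or Authenticator means a new request), and then adds a hypothetical per-user "one request per window" guard of the kind a proxy in front of a single-use token backend could enforce. The shared secret, addresses, user name and 30-second window are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1        # RFC 2865 packet code
ATTR_USER_NAME = 1        # attribute types used below
ATTR_USER_PASSWORD = 2


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a 16-byte multiple and XOR
    each block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Serialize a minimal Access-Request: code, id, length, 16-byte authenticator, TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for t, v in ((ATTR_USER_NAME, username.encode()),
                 (ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", t, len(v) + 2) + v
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes) -> dict:
    """Decode the fixed header and attribute list, rejecting malformed lengths."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", data[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = data[pos + 2:pos + l]
        pos += l
    return {"code": code, "id": identifier, "authenticator": data[4:20], "attrs": attrs}


class OtpRequestGuard:
    """Server-side view of an incoming burst: RFC 5080 duplicate detection, followed by a
    hypothetical per-user window so only one fresh request reaches a single-use token backend."""

    def __init__(self, window_seconds: float = 30.0):
        self.window = window_seconds
        self.seen = {}    # (src_ip, src_port, identifier) -> Request Authenticator
        self.users = {}   # username -> time the last request was forwarded

    def classify(self, src: tuple, data: bytes, now: float) -> str:
        pkt = parse_packet(data)
        key = (src[0], src[1], pkt["id"])
        if self.seen.get(key) == pkt["authenticator"]:
            return "duplicate"       # retransmission of an already-seen request: dropped silently
        self.seen[key] = pkt["authenticator"]
        user = pkt["attrs"][ATTR_USER_NAME].decode()
        last = self.users.get(user)
        if last is not None and now - last < self.window:
            return "reject-burst"    # distinct request inside the window: would burn the token
        self.users[user] = now
        return "forward"


def simulate() -> list:
    """Constructed burst: one original, one exact retransmit, then three requests with new Identifiers."""
    secret = b"constructed-shared-secret"
    src = ("10.0.0.5", 45000)       # constructed client address and port
    guard = OtpRequestGuard()
    first = build_access_request(7, "alice", "123456", secret)
    results = [guard.classify(src, first, 0.0),
               guard.classify(src, first, 1.0)]          # same id + authenticator: duplicate
    for t, ident in ((2.0, 8), (3.0, 9), (4.0, 10)):     # fresh ids: not duplicates
        results.append(guard.classify(src, build_access_request(ident, "alice", "123456", secret), t))
    return results


if __name__ == "__main__":
    print(simulate())
```

The run classifies the burst as one forwarded request, one silently dropped duplicate, and three rejected fresh requests. Only the exact retransmit matches the duplicate rule; requests carrying a new Identifier look like new authentications to any standards-following RADIUS server, which is why a proxy in front of a one-time-code backend needs its own per-user rate limit rather than relying on duplicate detection.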
