[Freeipa-users] ipa spamming radius with otp token?

Dmitri Pal dpal at redhat.com
Wed May 13 17:41:40 UTC 2015


On 05/13/2015 10:44 AM, Bahmer, Eric Vaughn wrote:
> Institutionally we have a hardware token set up: you use a PIN to 
> unlock the device and it spits out a passcode.
> The passcode allows access through Kerberos, RADIUS, or LDAP binds to 
> Linux servers, or with a custom Apache module to websites.
>
> I have an out-of-band private network set up that attaches to our 
> intranet using a firewall/gateway server which does some port 
> forwarding for various things like SSH and RDP.
> I'm attempting to set up RADIUS on this firewall/gateway to be used as 
> a proxy for FreeIPA to our token system, which I'd like to be able to 
> use behind the firewall.
> However, I seem to be getting nearly a dozen requests into the RADIUS 
> server; about half are dropped as duplicates, but usually 3-6 get 
> through, and since it's a single-use token the first attempt succeeds, 
> but the rest fail and cause the hardware token to be blacklisted.
> Is there a way to specify that the user's RADIUS login is a one-time 
> token, or is this something that sssd or PAM is causing?
> Or does the OTP support just not work in the way I need it to?
> I have this issue with both the in-box 4.1.0 in RHEL 7.1 and the upstream 
> 4.1.4 rpms.
>
> My only alternative is probably to set up a KDC on the firewall to 
> trust the institutional realm and have the IdM Kerberos realm trust that.
> This is also a mixed Linux/Windows environment behind the firewall; 
> I've enabled Unix attributes in my AD and I'm using a script to sync 
> uid/gid with the external LDAP.
>
>
>
Let me rephrase the setup to see if I got it.

You have an OTP server, and it is behind the firewall. IPA is outside the 
firewall. You configured IPA to use RADIUS to talk to the OTP server. The 
firewall drops some of the packets, but some go through.

If this is true then:
- There can be a problem with our implementation of the RADIUS client 
retries. If the client starts a new conversation every time rather than 
retrying the same packet, then this is a client-side bug.
Nathaniel, do you have any hints on how to debug, troubleshoot, or change 
the configuration of the RADIUS client? Are retries and timeouts configurable?
- The problem can also be on the server side. The server should be tolerant 
of identical RADIUS packets and not run more than one 2FA 
authentication sequence. If it starts more than one, it is a bug on the 
server side. As a former implementer of one of the RADIUS servers 
for one of the major 2FA vendors, I know exactly how that happens.

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
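The two failure modes Dmitri describes can be shown side by side with a small model of the exchange. The following is an added example written for this archive page; it is not code from FreeIPA, from the token vendor, or from either poster. It builds RFC 2865 Access-Request packets (with the User-Password attribute hidden per section 5.2 of that RFC), runs them through a toy RADIUS server that fronts a single-use OTP backend, and compares a client that retransmits the identical packet on timeout with one that starts a fresh conversation (new Identifier and Request Authenticator) each time. The shared secret, the client address, the user name "alice", the passcode "123456", the blacklist threshold of three failures, and the dedup cache size are all constructed values for the demonstration, not anything taken from the thread.

```python
"""Model of RADIUS retransmission vs. a single-use OTP backend (added example)."""
import hashlib
import os
import struct
from collections import OrderedDict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
SHARED_SECRET = b"example-shared-secret"  # assumption: demo value only


def _hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def _reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of _hide_password; the key stream is derived from the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, passcode: str,
                         secret: bytes = SHARED_SECRET, authenticator: bytes = None) -> bytes:
    """Serialize an Access-Request: code, identifier, length, 16-byte authenticator, TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, _hide_password(passcode.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {attr_type: raw value}); rejects malformed TLVs."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, data[4:20], attrs


class SingleUseOtpBackend:
    """Stand-in for the institutional token server (constructed behaviour): a passcode is
    accepted once; repeated failures blacklist the token, as in the symptom described."""

    def __init__(self, passcodes: dict, max_failures: int = 3):
        self.passcodes, self.max_failures = dict(passcodes), max_failures
        self.used, self.failures, self.blacklisted, self.validations = set(), {}, set(), 0

    def validate(self, user: str, passcode: str) -> bool:
        self.validations += 1
        if user not in self.blacklisted and self.passcodes.get(user) == passcode \
                and (user, passcode) not in self.used:
            self.used.add((user, passcode))
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.blacklisted.add(user)
        return False


class RadiusServer:
    """Toy RADIUS server with a duplicate-detection cache keyed on
    (client address, Identifier, Request Authenticator), per RFC 5080 s2.2.2."""

    def __init__(self, backend: SingleUseOtpBackend, secret: bytes = SHARED_SECRET, cache_size: int = 1024):
        self.backend, self.secret, self.cache_size = backend, secret, cache_size
        self.cache = OrderedDict()  # real servers also age entries out after a few seconds

    def handle(self, client, data: bytes):
        """Return (response code, served_from_cache). A retransmit never re-runs the OTP check."""
        code, ident, auth, attrs = parse_packet(data)
        if code != ACCESS_REQUEST:
            raise ValueError("only Access-Request is modelled")
        key = (client, ident, auth)
        if key in self.cache:
            return self.cache[key], True
        user = attrs[ATTR_USER_NAME].decode()
        passcode = _reveal_password(attrs[ATTR_USER_PASSWORD], self.secret, auth).decode()
        response = ACCESS_ACCEPT if self.backend.validate(user, passcode) else ACCESS_REJECT
        self.cache[key] = response
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)
        return response, False


def simulate(retransmit_same_packet: bool, attempts: int = 4) -> dict:
    """Send `attempts` requests for one single-use passcode. True models a correct client that
    resends the identical packet on timeout; False models a client that opens a new conversation."""
    backend = SingleUseOtpBackend({"alice": "123456"})  # constructed user/passcode
    server = RadiusServer(backend)
    client = ("10.0.0.5", 54321)  # constructed NAS address
    first = build_access_request(7, "alice", "123456")
    results = [server.handle(client, first if retransmit_same_packet
                             else build_access_request(7 + i, "alice", "123456"))
               for i in range(attempts)]
    return {"responses": [code for code, _ in results],
            "dedup_hits": sum(1 for _, cached in results if cached),
            "otp_validations": backend.validations,
            "blacklisted": "alice" in backend.blacklisted}


if __name__ == "__main__":
    print("retransmit identical packet:", simulate(True))
    print("new conversation per retry: ", simulate(False))
```

With identical retransmits the server answers every copy from its cache, the OTP backend runs once, and the token survives. With a fresh Identifier and Request Authenticator per retry nothing matches the cache, the backend sees four separate attempts, the last three fail against the already-consumed passcode, and the token is blacklisted. Which side to fix follows from the capture: same Identifier and Authenticator on the duplicates means the server lacks the cache; different ones mean the client is not retransmitting but restarting.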
