[Freeipa-users] ipa spamming radius with otp token?

Wed May 13 18:00:30 UTC 2015

On Wed, 2015-05-13 at 14:44 +0000, Bahmer, Eric Vaughn wrote:
> Institutionally we have a hardware token set up, you use a pin to 
> unlock the device and it spits out a passcode.
> The passcode allows access through kerberos, radius, or ldap binds 
> to linux servers, or with a custom apache module to websites.
> 
> I have an out-of-band private network set up that attaches to our 
> intranet using a firewall/gateway server which does some port 
> forwarding for various things like SSH, RDP.
> I’m attempting to set up RADIUS on this firewall/gateway to be used 
> as a proxy for freeipa to our token system which I’d like to be able 
> to use behind the firewall.
> However I seem to be getting nearly a dozen requests into the radius 
> server, about half are dropped as duplicate, but usually 3-6 get 
> through and since it’s a single use token the first attempt 
> succeeds, but the rest fail and cause the hardware token to be 
> blacklisted.
> Is there a way to specify that the user radius login is a one-time 
> token or is this something that sssd or pam is causing?
> Or does the OTP support just not work in the way I need it to?
> I have this issue with both the inbox 4.1.0 in RHEL7.1 or the 
> upstream 4.1.4 rpms.
> 
> My only alternative is probably to set up a KDC on the firewall to 
> trust the institutional realm and have the IdM kerberos realm trust 
> that.
> This is also a mixed linux/windows environment behind the firewall, 
> I’ve enabled unix attributes in my AD and I’m using a script to sync 
> uid/gid with the external ldap.

I do think a cross realm trust is the right way to set this up.

However, let's look more closely at the RADIUS issue.

First, I want to ensure that you are using TCP for your kerberos
connections. If you are using UDP for kerberos, then the kerberos
client will send a new packet which will cause the KDC to fire off a
new set of RADIUS messages. The use of TCP should be enforced with
kerberos when using OTP.

How long does it take for the hardware token RADIUS server to respond?
Have you tried adjusting the number of retries and timeout for the
RADIUS server in FreeIPA? A longer timeout or fewer retries will
reduce the number of packets transmitted.

If you are able to setup a test user with fake credentials and could
perform a packet capture of kerberos and RADIUS traffic it would help
me understand what is going on here.

Nathaniel

PS - If I had to take a guess based on what I know now, I would
suspect that the real culprit is kinit sending too many requests. This
is based on your statement that the RADIUS server is dropping *some*
duplicates. This means that the other RADIUS packets are *not*
duplicates and probably represent a subsequent AS-REQ on the KDC from
kinit.