On 05/13/2015 10:44 AM, Bahmer, Eric Vaughn wrote:
> Institutionally we have a hardware token set up: you use a PIN to
> unlock the device and it spits out a passcode.
> The passcode allows access through Kerberos, RADIUS, or LDAP binds to
> Linux servers, or with a custom Apache module to websites.
> I have an out-of-band private network set up that attaches to our
> intranet using a firewall/gateway server which does some port
> forwarding for various things like SSH and RDP.
> I'm attempting to set up RADIUS on this firewall/gateway to be used as
> a proxy for FreeIPA to our token system, which I'd like to be able to
> use behind the firewall.
> However, I seem to be getting nearly a dozen requests into the RADIUS
> server; about half are dropped as duplicates, but usually 3-6 get
> through, and since it's a single-use token the first attempt succeeds
> but the rest fail and cause the hardware token to be blacklisted.
> Is there a way to specify that the user's RADIUS login is a one-time
> token, or is this something that SSSD or PAM is causing?
> Or does the OTP support just not work in the way I need it to?
> I have this issue with both the inbox 4.1.0 in RHEL 7.1 or the upstream
> My only alternative is probably to set up a KDC on the firewall to
> trust the institutional realm and have the IdM Kerberos realm trust that.
> This is also a mixed Linux/Windows environment behind the firewall;
> I've enabled Unix attributes in my AD and I'm using a script to sync
> uid/gid with the external LDAP.
Let me rephrase the setup to see if I got it.
You have an OTP server; it is behind the firewall. IPA is outside the
firewall. You configured IPA to use RADIUS to talk to the OTP server. The
firewall drops some of the packets but some go through.
If this is true then:
- There can be a problem with our implementation of the RADIUS client
retries. If the client starts a new conversation every time rather than
retrying the same packet, then this is a client-side bug.
Nathaniel, do you have any hints on how to debug, troubleshoot, or change
the configuration of the RADIUS client? Are retries and timeouts configurable?
- The problem can also be on the server side. The server should be tolerant
of identical RADIUS packets and not run more than one 2FA
authentication sequence. If it starts more than one, it is a bug on the
server side. Being the former implementer of one of the RADIUS servers
for one of the major 2FA vendors, I know exactly how that happens.
Director of Engineering for IdM portfolio
Red Hat, Inc.
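The two failure modes discussed in the reply (a client that re-sends the same packet, and a server that must recognise those retransmissions instead of re-running the OTP check) as an added Python model; this is illustration written for this thread, not FreeIPA or ipa-otpd code. It assumes the RFC 5080 duplicate-detection key (source address, source port, Identifier, Request Authenticator); the `OtpBackend` (single-use codes, blacklist after three consecutive failures) and the `simulate` helper are constructed stand-ins.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:          # constructed model of one Access-Request
    src_ip: str
    src_port: int
    identifier: int           # 8-bit RADIUS Identifier field
    authenticator: bytes      # 16-byte Request Authenticator
    user: str
    otp: str

class OtpBackend:
    """Constructed stand-in for the 2FA backend: every code is single use
    and three consecutive failures blacklist the token."""
    def __init__(self, codes):
        self._codes = dict(codes)    # user -> unused code
        self.failures, self.blacklisted, self.calls = {}, set(), 0
    def verify(self, user, otp):
        self.calls += 1              # one real auth sequence per call
        if user in self.blacklisted:
            return False
        if self._codes.get(user) == otp:
            del self._codes[user]
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= 3:
            self.blacklisted.add(user)
        return False

class RadiusServer:
    """With dedup=True a retransmitted packet (same source address/port,
    Identifier and Request Authenticator; RFC 5080 section 2.2.2) gets the
    cached reply instead of a second trip to the OTP backend."""
    def __init__(self, backend, dedup=True, ttl=30.0):
        self.backend, self.dedup, self.ttl = backend, dedup, ttl
        self._cache = {}             # dedup key -> (expiry, cached reply)
    def handle(self, req, now=None):
        now = time.monotonic() if now is None else now
        key = (req.src_ip, req.src_port, req.identifier, req.authenticator)
        hit = self._cache.get(key) if self.dedup else None
        if hit and hit[0] > now:
            return hit[1]            # retransmission: replay, do not re-auth
        ok = self.backend.verify(req.user, req.otp)
        reply = "Access-Accept" if ok else "Access-Reject"
        self._cache[key] = (now + self.ttl, reply)
        return reply

def simulate(dedup, retransmits=6):  # the same packet arriving several times
    srv = RadiusServer(OtpBackend({"eric": "123456"}), dedup=dedup)
    req = AccessRequest("10.0.0.5", 45000, 7, b"\x01" * 16, "eric", "123456")
    replies = [srv.handle(req, now=1.0 + i) for i in range(retransmits)]
    return replies, srv.backend.calls, "eric" in srv.backend.blacklisted
```

With dedup on, six copies of one packet cost one backend call and six Accepts; with it off, the first succeeds and the rest burn the token and blacklist it. A client that issues a fresh Identifier and authenticator per retry defeats this cache, which is why the client-side retry behaviour matters just as much.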
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project