Allow multiple use of 1 token


#1

Hi,

I'm not sure that multiple use of the same token is the best option, so I need your help with it.
We have a Palo Alto firewall that sends authentication requests to the privacyIDEA server (running on CentOS 7).
From what I checked and found, the firewall sends 2 packets (in some cases).
Now, when the server gets the first packet, the user gets accepted,
but after 1 second the server gets the second packet (with the same token) and rejects the access.

I didn't find anything I can do on the Palo Alto side,
but I do know that on Google Authentication you have the option of multiple use of the same authentication token.
I know it can be some security risk, but if it is the only solution, we will go with it.

If you have any other idea, I would be glad to know.

Just an example from the radiusd log:
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Debugging config: true
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Default URL http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Looking for config for auth-type Perl
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: User-Name = leonidr
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: Event-Timestamp = Feb 12 2019 13:55:07 IST
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: NAS-Identifier = Radius_Auth
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: User-Password = XXXXX
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.XXX.XXX.XXX
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Auth-Type: Perl
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: url: http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: user sent to privacyidea: leonidr
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: realm sent to privacyidea:
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: resolver sent to privacyidea:
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: client sent to privacyidea: 192.XXX.XXX.XXX
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: state sent to privacyidea:
Tue Feb 12 13:55:07 2019 : rlm_perl: urlparam client = 192.XXX.XXX.XXX
Tue Feb 12 13:55:07 2019 : rlm_perl: urlparam pass = XXXXXXXXX
Tue Feb 12 13:55:07 2019 : rlm_perl: urlparam user = leonidr
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Request timeout: 10
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Not verifying SSL certificate!
Tue Feb 12 13:55:08 2019 : rlm_perl: Content {“jsonrpc”: “2.0”, “signature”: "X }
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: privacyIDEA access granted
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: return RLM_MODULE_OK
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Debugging config: true
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Default URL http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Looking for config for auth-type Perl
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: User-Name = leonidr
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: Event-Timestamp = Feb 12 2019 13:55:09 IST
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: NAS-Identifier = Radius_Auth
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: User-Password = XXXXXXXX
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: Framed-IP-Address = 172.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Auth-Type: Perl
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: url: http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: user sent to privacyidea: leonidr
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: realm sent to privacyidea:
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: resolver sent to privacyidea:
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: client sent to privacyidea: 192.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: state sent to privacyidea:
Tue Feb 12 13:55:09 2019 : rlm_perl: urlparam client = 192.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : rlm_perl: urlparam pass = XXXXXXXXXX
Tue Feb 12 13:55:09 2019 : rlm_perl: urlparam user = leonidr
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Request timeout: 10
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Not verifying SSL certificate!
Tue Feb 12 13:55:10 2019 : rlm_perl: Content {“jsonrpc”: “2.0”, “signature”: "X }
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: privacyIDEA Result status is true!
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: privacyIDEA access denied
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: return RLM_MODULE_REJECT

Thanks guys!

Regards,
Leonid Reznitsky


#2

Hi Leonid,

this sounds like a timing issue.
This sometimes happens with RADIUS if you have chosen bad timings.

The timings of the RADIUS client and server need to match.
Kind regards
Cornelius


#3

Hi,

Thanks for the answer.
Can you please explain more or direct me to which file I should look at?
Because on the client side I have only 2 timings:
1 is for seconds of timeout (configured default 5 sec)
2 is for retry times (configured default 3 times)

Thanks for your help!

Regards,
Leonid Reznitsky


#4

Hi Leonid,

there is no file in question.
As RADIUS is UDP, you can get into issues when the client timeout is shorter than the server timeout.
I recommend doing a network sketch and writing your timeouts (client and server) at each connection.

(Did I mention this is something we also take care of for our customers?)

Kind regards
Cornelius
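As an added example (not from this thread or the privacyIDEA project), a small Python script that parses a constructed radiusd excerpt in the rlm_perl format shown in post #1, flags a denial that follows a grant for the same user within a few seconds (the pattern a NAS retry re-sending an already-consumed OTP leaves in the log), and encodes the client/server timeout rule from post #4. The log lines, user names and the timeout values passed to the check are constructed; the "Request timeout: 10" server value and the 5 s / 3 retries client values are the ones quoted in the thread.

```python
import re
from datetime import datetime

# Constructed radiusd excerpt in the rlm_perl format seen in the thread (not the
# poster's real log): the same user is granted at :07 and denied at :09.
SAMPLE_LOG = """\
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: User-Name = alice
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: privacyIDEA access granted
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: User-Name = alice
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: privacyIDEA access denied
Tue Feb 12 14:02:00 2019 : rlm_perl: RAD_REQUEST: User-Name = bob
Tue Feb 12 14:02:01 2019 : Info: rlm_perl: privacyIDEA access granted
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
TS = r"(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})"
REQ_RE = re.compile(TS + r" : rlm_perl: RAD_REQUEST: User-Name = (\S+)")
RES_RE = re.compile(TS + r" : Info: rlm_perl: privacyIDEA access (granted|denied)")

def parse_events(text):
    """(timestamp, user, result) per request; each RAD_REQUEST pairs with the next result line."""
    events, pending = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            pending = (datetime.strptime(m.group(1), TS_FMT), m.group(2))
            continue
        m = RES_RE.match(line)
        if m and pending:
            events.append((pending[0], pending[1], m.group(2)))
            pending = None
    return events

def find_retransmit_rejects(events, window_s=10):
    """Flag a denial that follows a grant for the same user within window_s
    seconds: the signature of a NAS retry re-sending an already-used OTP."""
    flagged, last = [], {}
    for ts, user, result in events:
        prev = last.get(user)
        if prev and prev[1] == "granted" and result == "denied" \
                and (ts - prev[0]).total_seconds() <= window_s:
            flagged.append((user, prev[0], ts))
        last[user] = (ts, result)
    return flagged

def client_timeout_covers_server(client_timeout_s, server_backend_timeout_s):
    """Post #4's rule: the NAS timeout must not be shorter than the time the RADIUS
    server may wait on privacyIDEA ('Request timeout' in the log), or the NAS retries."""
    return client_timeout_s >= server_backend_timeout_s
```

With the thread's values (client timeout 5 s, rlm_perl request timeout 10 s) the check fails, which matches the diagnosis in post #4.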