Hi,
I'm not sure that multiple use of the same token is the best option, so I need your help with it.
We have a Palo Alto firewall that sends authentication requests to the privacyIDEA server (running on CentOS 7).
From what I checked and found, the firewall sends 2 packets (in some cases).
Now, when the server gets the first packet, the user gets accepted,
but after 1 second the server gets the second packet (with the same token) and rejects the access.
I didn't find anything that I can do on the Palo Alto side,
but I do know that on Google Authentication you have the option of multiple use of the same authentication token.
I know it can be some security risk, but if it is the only solution, we will go with it.
If you have any other idea, I would be glad to know.
Just an example from the radiusd log:
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Debugging config: true
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Default URL http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Looking for config for auth-type Perl
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: User-Name = leonidr
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: Event-Timestamp = Feb 12 2019 13:55:07 IST
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: NAS-Identifier = Radius_Auth
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: User-Password = XXXXX
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.XXX.XXX.XXX
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Auth-Type: Perl
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: url: http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: user sent to privacyidea: leonidr
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: realm sent to privacyidea:
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: resolver sent to privacyidea:
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: client sent to privacyidea: 192.XXX.XXX.XXX
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: state sent to privacyidea:
Tue Feb 12 13:55:07 2019 : rlm_perl: urlparam client = 192.XXX.XXX.XXX
Tue Feb 12 13:55:07 2019 : rlm_perl: urlparam pass = XXXXXXXXX
Tue Feb 12 13:55:07 2019 : rlm_perl: urlparam user = leonidr
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Request timeout: 10
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Not verifying SSL certificate!
Tue Feb 12 13:55:08 2019 : rlm_perl: Content {“jsonrpc”: “2.0”, “signature”: "X }
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: privacyIDEA access granted
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: return RLM_MODULE_OK
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Debugging config: true
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Default URL http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Looking for config for auth-type Perl
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: User-Name = leonidr
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: Event-Timestamp = Feb 12 2019 13:55:09 IST
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: NAS-Identifier = Radius_Auth
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: User-Password = XXXXXXXX
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: Framed-IP-Address = 172.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Auth-Type: Perl
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: url: http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: user sent to privacyidea: leonidr
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: realm sent to privacyidea:
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: resolver sent to privacyidea:
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: client sent to privacyidea: 192.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: state sent to privacyidea:
Tue Feb 12 13:55:09 2019 : rlm_perl: urlparam client = 192.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : rlm_perl: urlparam pass = XXXXXXXXXX
Tue Feb 12 13:55:09 2019 : rlm_perl: urlparam user = leonidr
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Request timeout: 10
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Not verifying SSL certificate!
Tue Feb 12 13:55:10 2019 : rlm_perl: Content {“jsonrpc”: “2.0”, “signature”: "X }
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: privacyIDEA Result status is true!
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: privacyIDEA access denied
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: return RLM_MODULE_REJECT
Thanks guys!
Regards,
Leonid Reznitsky
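As an added example (not part of the post above, and not code from privacyIDEA or FreeRADIUS), here is a small Python log analyzer for the rlm_perl output quoted in the post. It groups the log into one record per RADIUS Access-Request, then flags a "denied" that follows a "granted" for the same user within a short window, and distinguishes the case the post describes (both requests from the same NAS-IP-Address, i.e. the firewall sending twice) from a second attempt arriving from a different NAS, which is what a replayed OTP would look like in the same log. The sample lines, usernames and IP addresses are constructed and modelled on the quoted output; the window length and the dictionary layout are this example's own choices.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample, modelled on the rlm_perl lines quoted in the post.
# Users, addresses and the second (alice) pair are made up for the example.
SAMPLE_LOG = """\
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: User-Name = leonidr
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.0.2.10
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: privacyIDEA access granted
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: return RLM_MODULE_OK
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: User-Name = leonidr
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: Framed-IP-Address = 172.16.0.5
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.0.2.10
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: privacyIDEA access denied
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: return RLM_MODULE_REJECT
Tue Feb 12 14:10:00 2019 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Feb 12 14:10:00 2019 : rlm_perl: RAD_REQUEST: User-Name = alice
Tue Feb 12 14:10:00 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.0.2.10
Tue Feb 12 14:10:01 2019 : Info: rlm_perl: privacyIDEA access granted
Tue Feb 12 14:10:01 2019 : Info: rlm_perl: return RLM_MODULE_OK
Tue Feb 12 14:10:30 2019 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Feb 12 14:10:30 2019 : rlm_perl: RAD_REQUEST: User-Name = alice
Tue Feb 12 14:10:30 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 198.51.100.7
Tue Feb 12 14:10:31 2019 : Info: rlm_perl: privacyIDEA access denied
Tue Feb 12 14:10:31 2019 : Info: rlm_perl: return RLM_MODULE_REJECT
"""

# One log line: timestamp, optional "Info:" level, then the rlm_perl message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"(?:Info: )?rlm_perl: (?P<msg>.*)$"
)
ATTR_RE = re.compile(r"^RAD_REQUEST: (?P<name>\S+) = (?P<value>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_requests(log_text: str) -> List[Dict]:
    """Split rlm_perl output into one record per RADIUS Access-Request.

    A new request starts at the "Config File ... found!" line; the record
    collects the attributes we care about and the final privacyIDEA verdict.
    """
    requests: List[Dict] = []
    current: Optional[Dict] = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        msg = m.group("msg")
        if msg.startswith("Config File"):
            current = {"start": ts, "user": None, "nas_ip": None,
                       "framed_ip": None, "result": None, "end": None}
            requests.append(current)
            continue
        if current is None:
            continue  # lines before the first request header
        attr = ATTR_RE.match(msg)
        if attr:
            name, value = attr.group("name"), attr.group("value")
            if name == "User-Name":
                current["user"] = value
            elif name == "NAS-IP-Address":
                current["nas_ip"] = value
            elif name == "Framed-IP-Address":
                current["framed_ip"] = value
        elif msg == "privacyIDEA access granted":
            current["result"], current["end"] = "granted", ts
        elif msg == "privacyIDEA access denied":
            current["result"], current["end"] = "denied", ts
    return requests


def find_reuse_rejects(requests: List[Dict], window_s: float = 60.0) -> List[Dict]:
    """Flag a denied request that follows a granted one for the same user
    within window_s seconds (window length is this example's choice).

    kind == "same_nas":  both came from the same NAS-IP-Address, the pattern
                         the post describes (the firewall sending twice).
    kind == "other_nas": the second attempt came from a different NAS, which
                         is what an OTP replayed from elsewhere would look like.
    """
    findings: List[Dict] = []
    last_granted: Dict[str, Dict] = {}
    for req in sorted(requests, key=lambda r: r["start"]):
        if req["result"] == "granted":
            last_granted[req["user"]] = req
        elif req["result"] == "denied" and req["user"] in last_granted:
            prev = last_granted[req["user"]]
            delta = (req["start"] - prev["start"]).total_seconds()
            if 0 <= delta <= window_s:
                findings.append({
                    "user": req["user"],
                    "delta_s": delta,
                    "kind": "same_nas" if req["nas_ip"] == prev["nas_ip"] else "other_nas",
                    "first_nas": prev["nas_ip"],
                    "second_nas": req["nas_ip"],
                })
    return findings


if __name__ == "__main__":
    for f in find_reuse_rejects(parse_requests(SAMPLE_LOG)):
        print(f"{f['user']}: granted then denied {f['delta_s']:.0f}s later "
              f"({f['kind']}, NAS {f['first_nas']} -> {f['second_nas']})")
```

A "same_nas" finding a second or two apart is the double-send described in the post and is the thing to chase on the NAS side, whereas an "other_nas" finding is the case the one-time semantics of the token are there to catch, and is the reason enabling multiple use of the same OTP is a real weakening rather than a cosmetic one. Note also that in the quoted log the second request carries a Framed-IP-Address attribute that the first does not, and a later Event-Timestamp, which suggests two distinct Access-Requests rather than a RADIUS retransmission, so a plain duplicate-packet cache keyed on the RADIUS identifier would not absorb it.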