Allow multiple use of 1 token

Hi,

I'm not sure that multiple use of the same token is the best option, so I need your help with it.
We have a Palo Alto Firewall that sends authentication requests to the privacyIDEA server (running on CentOS 7).
From what I checked and found, the Firewall sends 2 packets (in some cases).
Now, when the server gets the first packet, the user gets accepted,
but after 1 second the server gets the second packet (with the same token) and rejects the access.

I didn't find anything that I can do on the Palo Alto side,
but I do know that in Google Authentication you have the option of multiple use of the same authentication token.
I know it can be a security risk, but if it is the only solution, we will go with it.

If you have any other idea, I would be glad to know.

Just an example from the radiusd log:
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Debugging config: true
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Default URL http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Looking for config for auth-type Perl
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: User-Name = leonidr
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: Event-Timestamp = Feb 12 2019 13:55:07 IST
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: NAS-Identifier = Radius_Auth
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: User-Password = XXXXX
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.XXX.XXX.XXX
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Auth-Type: Perl
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: url: http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: user sent to privacyidea: leonidr
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: realm sent to privacyidea:
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: resolver sent to privacyidea:
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: client sent to privacyidea: 192.XXX.XXX.XXX
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: state sent to privacyidea:
Tue Feb 12 13:55:07 2019 : rlm_perl: urlparam client = 192.XXX.XXX.XXX
Tue Feb 12 13:55:07 2019 : rlm_perl: urlparam pass = XXXXXXXXX
Tue Feb 12 13:55:07 2019 : rlm_perl: urlparam user = leonidr
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Request timeout: 10
Tue Feb 12 13:55:07 2019 : Info: rlm_perl: Not verifying SSL certificate!
Tue Feb 12 13:55:08 2019 : rlm_perl: Content {“jsonrpc”: “2.0”, “signature”: "X }
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: privacyIDEA access granted
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: return RLM_MODULE_OK
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Debugging config: true
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Default URL http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Looking for config for auth-type Perl
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: User-Name = leonidr
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: Event-Timestamp = Feb 12 2019 13:55:09 IST
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: NAS-Identifier = Radius_Auth
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: User-Password = XXXXXXXX
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: Framed-IP-Address = 172.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Auth-Type: Perl
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: url: http.s://127.0.0.2/validate/check
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: user sent to privacyidea: leonidr
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: realm sent to privacyidea:
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: resolver sent to privacyidea:
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: client sent to privacyidea: 192.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: state sent to privacyidea:
Tue Feb 12 13:55:09 2019 : rlm_perl: urlparam client = 192.XXX.XXX.XXX
Tue Feb 12 13:55:09 2019 : rlm_perl: urlparam pass = XXXXXXXXXX
Tue Feb 12 13:55:09 2019 : rlm_perl: urlparam user = leonidr
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Request timeout: 10
Tue Feb 12 13:55:09 2019 : Info: rlm_perl: Not verifying SSL certificate!
Tue Feb 12 13:55:10 2019 : rlm_perl: Content {“jsonrpc”: “2.0”, “signature”: "X }
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: privacyIDEA Result status is true!
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: privacyIDEA access denied
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: return RLM_MODULE_REJECT

Thanks guys!

Regards,
Leonid Reznitsky
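The log above shows the pattern in miniature: a request for the same user granted at 13:55:08 and rejected two seconds later. When a RADIUS client retransmits an Access-Request it resends the same OTP, so the first copy passes and every later copy is refused as a replay, which is indistinguishable from a failed login unless you look at the neighbouring grant. The following script is an added example, not code from the thread or from privacyIDEA: it groups rlm_perl lines into requests and flags a grant followed by a reject for the same user and NAS within a few seconds, while leaving a plain wrong-PIN reject (no preceding grant) alone. The sample log is constructed for this example in the format posted above, with placeholder users and addresses.

```python
"""Added example: spot RADIUS retransmits hitting OTP replay protection in a radiusd log.

A retransmitted Access-Request carries the same OTP, so privacyIDEA accepts the
first copy and rejects the second. In the radiusd log that appears as a grant for
a user followed, within a second or two, by a denial for the same user and NAS.
Parsing for that pair separates "client sent the packet twice" from "user typed
a wrong OTP".

SAMPLE_LOG is constructed for this example, modelled on the thread's log lines;
users and addresses are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: User-Name = alice
Tue Feb 12 13:55:07 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.0.2.10
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: privacyIDEA access granted
Tue Feb 12 13:55:08 2019 : Info: rlm_perl: return RLM_MODULE_OK
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: User-Name = alice
Tue Feb 12 13:55:09 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.0.2.10
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: privacyIDEA access denied
Tue Feb 12 13:55:10 2019 : Info: rlm_perl: return RLM_MODULE_REJECT
Tue Feb 12 14:02:00 2019 : rlm_perl: RAD_REQUEST: User-Name = bob
Tue Feb 12 14:02:00 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.0.2.11
Tue Feb 12 14:02:01 2019 : Info: rlm_perl: privacyIDEA access denied
Tue Feb 12 14:02:01 2019 : Info: rlm_perl: return RLM_MODULE_REJECT
Tue Feb 12 14:02:30 2019 : rlm_perl: RAD_REQUEST: User-Name = bob
Tue Feb 12 14:02:30 2019 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.0.2.11
Tue Feb 12 14:02:31 2019 : Info: rlm_perl: privacyIDEA access granted
Tue Feb 12 14:02:31 2019 : Info: rlm_perl: return RLM_MODULE_OK
"""

# "Tue Feb 12 13:55:07 2019 : <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<msg>.*)$")
USER_RE = re.compile(r"RAD_REQUEST: User-Name = (?P<user>\S+)")
NAS_RE = re.compile(r"RAD_REQUEST: NAS-IP-Address = (?P<nas>\S+)")
RESULT_RE = re.compile(r"return RLM_MODULE_(?P<result>OK|REJECT)")


def parse_requests(log_text):
    """Group rlm_perl lines into requests, in log order.

    A request starts at its RAD_REQUEST User-Name line and ends at the
    'return RLM_MODULE_*' line. The thread's log prints each request's lines
    contiguously, so a small state machine is sufficient.
    """
    requests, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        msg = m.group("msg")
        if (u := USER_RE.search(msg)):
            current = {"user": u.group("user"), "nas": None, "start": ts, "result": None}
        elif current is None:
            continue  # lines before the first request header
        elif (n := NAS_RE.search(msg)):
            current["nas"] = n.group("nas")
        elif (r := RESULT_RE.search(msg)):
            current["result"] = r.group("result")
            requests.append(current)
            current = None
    return requests


def find_retransmit_rejects(requests, window=timedelta(seconds=5)):
    """Flag a granted request followed by a rejected one for the same user
    and NAS within `window`: the fingerprint of a duplicated Access-Request
    whose second copy was refused as an OTP replay.
    A reject with no preceding grant (wrong PIN or OTP) is not flagged."""
    by_key = defaultdict(list)
    for req in requests:
        by_key[(req["user"], req["nas"])].append(req)
    findings = []
    for (user, nas), reqs in by_key.items():
        reqs.sort(key=lambda r: r["start"])
        for prev, cur in zip(reqs, reqs[1:]):
            gap = cur["start"] - prev["start"]
            if prev["result"] == "OK" and cur["result"] == "REJECT" and gap <= window:
                findings.append({"user": user, "nas": nas, "first": prev["start"],
                                 "second": cur["start"], "gap_seconds": gap.total_seconds()})
    return findings


if __name__ == "__main__":
    for f in find_retransmit_rejects(parse_requests(SAMPLE_LOG)):
        print(f"{f['user']}@{f['nas']}: granted {f['first']:%H:%M:%S}, "
              f"rejected {f['gap_seconds']:.0f}s later (probable retransmit)")
```

Run against a real `radius.log` by replacing `SAMPLE_LOG` with the file contents; a cluster of findings from one NAS points at that client's retransmit timer rather than at the users.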

Hi Leonid,

this sounds like a timing issue.
This sometimes happens with RADIUS, if you have chosen bad timings.

The timings of the RADIUS client and server need to match.
Kind regards
Cornelius

Hi,

Thanks for the answer.
Can you please explain more, or direct me to which file I should look for?
Because on the client side I have only 2 timings:
1 is for seconds of timeout (configured default 5 sec)
2 is for retries (configured default 3 times)

Thanks for your help !

Regards,
Leonid Reznitsky

Hi Leonid,

there is no file in question.
As RADIUS is UDP, you can get into issues when the client timeout is shorter than the server timeout.
I recommend doing a network sketch and writing your timeouts (client and server) at each connection.

(Did I mention this is something we also take care of for our customers?)

Kind regards
Cornelius
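Cornelius' advice, the network sketch with a timeout written at each hop, can be done arithmetically. The script below is an added example, not part of the thread or of privacyIDEA: `check_timeout_chain` walks a chain such as Palo Alto (RADIUS client) to FreeRADIUS/rlm_perl to privacyIDEA and reports every hop whose timeout is not longer than the worst-case reply time of everything below it, and `simulate_retransmits` shows what the client does meanwhile: each retransmit carries the same OTP, so the server accepts the first copy and rejects every later one as a replay. The client values (5 s timeout, 3 retries) and the rlm_perl request timeout (10 s) are from the thread; the per-hop processing times and the retry semantics (sends at 0, T, 2T, ..., give up one timeout after the last send, any reply that arrives before giving up is accepted) are assumptions of the model.

```python
"""Added example: check a RADIUS timeout chain and simulate client retransmits.

Every hop must wait longer than the hop below it can take to answer, otherwise
it retransmits while the downstream is still working. With OTPs the duplicate
is not harmless: the server verifies the first copy and refuses the rest as
replays, which is the grant-then-reject pair seen in the thread's log.

Client timeout/retries and the rlm_perl request timeout are the thread's values;
processing times and the retry semantics are constructed model assumptions.
"""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    processing_s: float      # the hop's own worst-case work before it answers
    timeout_s: float = 0.0   # how long it waits on the next hop (0 for the last hop)


def worst_case_reply(hops):
    """Worst-case time for hops[0] to answer its caller.

    A hop spends its own processing time plus however long it waits for the
    next hop, capped by its own timeout (when the timeout fires, it answers
    with a reject instead)."""
    if len(hops) == 1:
        return hops[0].processing_s
    downstream = worst_case_reply(hops[1:])
    return hops[0].processing_s + min(hops[0].timeout_s, downstream)


def check_timeout_chain(hops):
    """Return (hop name, its timeout, worst-case downstream reply) for every
    hop whose timeout cannot cover the hops below it."""
    problems = []
    for i in range(len(hops) - 1):
        downstream = worst_case_reply(hops[i + 1:])
        if hops[i].timeout_s <= downstream:
            problems.append((hops[i].name, hops[i].timeout_s, downstream))
    return problems


def simulate_retransmits(client_timeout_s, retries, server_latency_s):
    """Model a RADIUS client whose server takes `server_latency_s` to reply.

    Sends go out at 0, T, 2T, ... (1 + retries copies at most) until a reply
    arrives or the client gives up one timeout after its last send. The server
    processes every copy it receives: the first verifies the OTP, each later
    copy is an OTP replay and is rejected.
    Returns (outcome, copies_sent, duplicates_rejected_by_server)."""
    send_times = [k * client_timeout_s for k in range(retries + 1)]
    give_up = (retries + 1) * client_timeout_s
    replies = [(t + server_latency_s, "Accept" if k == 0 else "Reject")
               for k, t in enumerate(send_times)]
    sent, outcome = 0, "Timeout"
    for k, t_send in enumerate(send_times):
        # A reply to an earlier copy that landed before this retransmit ends it.
        earlier = [r for r in replies[:k] if r[0] <= t_send]
        if earlier:
            outcome = min(earlier)[1]
            break
        sent += 1
    else:
        in_time = [r for r in replies if r[0] <= give_up]
        if in_time:
            outcome = min(in_time)[1]
    return outcome, sent, sent - 1


# Chain from the thread; privacyIDEA's 8 s worst case (e.g. a slow user
# resolver) and rlm_perl's 0.5 s overhead are constructed for the example.
CHAIN_THREAD = [
    Hop("Palo Alto", 0.0, 5.0),
    Hop("FreeRADIUS rlm_perl", 0.5, 10.0),
    Hop("privacyIDEA", 8.0),
]
# Same chain with the client timeout raised above rlm_perl's 10 s.
CHAIN_FIXED = [Hop("Palo Alto", 0.0, 12.0)] + CHAIN_THREAD[1:]

if __name__ == "__main__":
    for name, chain in (("as posted", CHAIN_THREAD), ("client timeout 12 s", CHAIN_FIXED)):
        print(name, "->", check_timeout_chain(chain) or "no timeout violations")
    for latency in (1.0, 8.5, 25.0):
        print(f"server reply {latency:>4}s:", simulate_retransmits(5.0, 3, latency))
```

With the posted values the only violation is the client hop: 5 s cannot cover an rlm_perl that may itself wait 10 s on privacyIDEA, so either the client timeout goes above 10 s or the rlm_perl request timeout goes below 5 s; the simulation shows the 8.5 s case producing exactly one rejected duplicate, which is the thread's symptom.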