Challenge Response problem

Hi there,

I've got 3 users, all 3 with an email token assigned.

The 3 users are members of my LDAP resolver:

10668
10669
10670

The user gets authenticated on the frontend netscaler with ldap and after
he succeeds authentication the radius request will be sent to the
privacyidea server.

At that moment the RADIUS log shows the following:

Tue Oct 4 15:43:03 2016 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: Debugging config:
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: Default URL https://privacyidea.company.nl/validate/check
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: Looking for config for auth-type Perl
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: Auth-Type: Perl
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: url: https://privacyidea.company.nl/validate/check
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: user sent to privacyidea: 10670
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: realm sent to privacyidea: domain.lan
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: resolver sent to privacyidea:
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: client sent to privacyidea: 10.10.1.82
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: state sent to privacyidea:
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: urlparam client
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: urlparam realm
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: urlparam pass
Tue Oct 4 15:43:03 2016 : Info: rlm_perl: urlparam user
Tue Oct 4 15:43:25 2016 : Info: rlm_perl: privacyIDEA Result status is true!
Tue Oct 4 15:43:25 2016 : Info: rlm_perl: return RLM_MODULE_HANDLED

The privacyIDEA log shows the following:

[2016-10-04 15:43:03,121][1530][140239196612352][WARNING][privacyidea.lib.utils:439] Proxy 10.10.2.33 not allowed to set IP to 10.10.1.82.
[2016-10-04 15:43:03,150][1530][140239196612352][INFO][privacyidea.lib.user:186] user u'10670' found in resolver u'domain.local'
[2016-10-04 15:43:03,150][1530][140239196612352][INFO][privacyidea.lib.user:187] userid resolved to 'd45bc0df-f392-40a1-bd44-b9f00ec1203d'
[2016-10-04 15:43:03,182][1530][140239196612352][INFO][privacyidea.lib.user:186] user u'10670' found in resolver u'domain.local'
[2016-10-04 15:43:03,182][1530][140239196612352][INFO][privacyidea.lib.user:187] userid resolved to 'd45bc0df-f392-40a1-bd44-b9f00ec1203d'
[2016-10-04 15:43:03,210][1530][140239196612352][INFO][privacyidea.lib.user:186] user u'10670' found in resolver u'domain.local'
[2016-10-04 15:43:03,210][1530][140239196612352][INFO][privacyidea.lib.user:187] userid resolved to 'd45bc0df-f392-40a1-bd44-b9f00ec1203d'
[2016-10-04 15:43:03,239][1530][140239196612352][INFO][privacyidea.lib.user:186] user u'10670' found in resolver u'domain.local'
[2016-10-04 15:43:03,239][1530][140239196612352][INFO][privacyidea.lib.user:187] userid resolved to 'd45bc0df-f392-40a1-bd44-b9f00ec1203d'
[2016-10-04 15:43:25,810][1530][140239196612352][INFO][privacyidea.lib.smtpserver:100] Mail sent: {}
[2016-10-04 15:43:25,859][1530][140239196612352][INFO][privacyidea.lib.user:186] user u'10670' found in resolver u'domain.local'
[2016-10-04 15:43:25,859][1530][140239196612352][INFO][privacyidea.lib.user:187] userid resolved to 'd45bc0df-f392-40a1-bd44-b9f00ec1203d'
[2016-10-04 15:43:25,914][1530][140239221790464][WARNING][privacyidea.lib.utils:439] Proxy 10.10.2.33 not allowed to set IP to 10.10.1.29.

The email token is sent to the user, and normally I get the response page
on my netscaler asking to type the token code, but now I don't get that
response and I get a bad request from radius on my netscaler rejecting the
challenge response.

Now the strange thing: I make a new token for the user and the problem is
resolved and everything works fine.

So I still have 2 of the 3 users for which I can reproduce the problem. Can
you help me find out where the problem is occurring?

Python-Privacyidea Version: 2.14-1trusty
Server: Ubuntu 14.04.1
Apache2 version 2.4.7 (Ubuntu)
FreeRADIUS Version 2.1.12

rlm_perl.ini
[Default]
URL = https://privacyidea.olvg.nl/validate/check
REALM = domain.local
#RESCONF = someResolver
SSL_CHECK = true
#DEBUG = true

Get system documentation:
Posted on this link, I will mail you the password.
https://cloud.olvg.nl/index.php/s/Lu2PzMWwQhToRRX

Seems like I am having an email server problem. When using debug I can see
the delay is in the time it takes to send the email; when selecting a
different email server the problem is resolved and response times are a
maximum of 2 seconds.

It still doesn't make sense why making a new email token with the exact same
values in privacyidea fixes it with the mail server that is giving me problems.

Will do further investigation.

On Tuesday, October 4, 2016 at 4:15:52 PM UTC+2, jmdeking wrote:

Hmm, it seems like it takes more than 20 seconds for privacyidea to find the
token and give the result back to my netscaler. (You can also see this in
the log I posted.)

Any idea as to why it takes such a long time? When I make a new token I
get the result almost immediately.

When I look into the database the pidea_audit is 420mb. Could this be
a problem causing a long time to get the token from the database?

Kind Regards,
Johan

Hmm, it seems like it takes more than 20 seconds for privacyidea to find the
token and give the result back to my netscaler. (You can also see this in
the log I posted.)

Any idea as to why it takes such a long time? When I make a new token I
get the result almost immediately.

When I look into the database the pidea_audit is 420mb. Could this be a
problem causing a long time to get the token from the database?

Kind Regards,
Johan
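
The delay discussed in this thread can be located directly from the privacyIDEA log in the first post. The following is an added example, not part of the thread or of privacyIDEA: it measures the pause between consecutive log entries of the same thread and reports which module logged before and after each long pause. The names `parse` and `slow_gaps` and the 3-second threshold are assumptions; set the threshold to your RADIUS client's timeout.

```python
import re
from datetime import datetime

# Excerpt of the privacyIDEA log from the first post (wrapped lines joined).
LOG = """\
[2016-10-04 15:43:03,121][1530][140239196612352][WARNING][privacyidea.lib.utils:439] Proxy 10.10.2.33 not allowed to set IP to 10.10.1.82.
[2016-10-04 15:43:03,150][1530][140239196612352][INFO][privacyidea.lib.user:186] user u'10670' found in resolver u'domain.local'
[2016-10-04 15:43:03,239][1530][140239196612352][INFO][privacyidea.lib.user:187] userid resolved to 'd45bc0df-f392-40a1-bd44-b9f00ec1203d'
[2016-10-04 15:43:25,810][1530][140239196612352][INFO][privacyidea.lib.smtpserver:100] Mail sent: {}
[2016-10-04 15:43:25,859][1530][140239196612352][INFO][privacyidea.lib.user:186] user u'10670' found in resolver u'domain.local'
[2016-10-04 15:43:25,914][1530][140239221790464][WARNING][privacyidea.lib.utils:439] Proxy 10.10.2.33 not allowed to set IP to 10.10.1.29.
"""

# [timestamp][pid][thread][level][module:line] message
LINE = re.compile(
    r"\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\]\[(?P<pid>\d+)\]"
    r"\[(?P<thread>\d+)\]\[(?P<level>\w+)\]\[(?P<module>[\w.]+):(?P<line>\d+)\]"
)

def parse(text):
    """Yield (timestamp, thread id, module) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m["thread"], m["module"]

def slow_gaps(text, threshold=3.0):
    """Return (seconds, thread, module_before, module_after) for every pause
    longer than `threshold` seconds (assumed value) within one thread."""
    last = {}   # thread id -> (timestamp, module) of its previous entry
    gaps = []
    for ts, thread, module in parse(text):
        if thread in last:
            prev_ts, prev_mod = last[thread]
            delta = (ts - prev_ts).total_seconds()
            if delta > threshold:
                gaps.append((round(delta, 3), thread, prev_mod, module))
        last[thread] = (ts, module)
    return gaps

if __name__ == "__main__":
    for secs, thread, before, after in slow_gaps(LOG):
        print(f"{secs:>7.3f}s in thread {thread}: {before} -> {after}")
```

On this excerpt the only long pause ends at the `privacyidea.lib.smtpserver` entry, which matches the poster's finding that the time is spent sending the email.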