KeyError: 'push_triggered'

Hi everyone, I’m setting up RD gateway + NPS + FreeRADIUS + privacyIDEA with push polling

PrivacyIDEA version 3.11.4
Release: gpappsoft/privacyidea-docker on GitHub (Simply deploy and run a privacyIDEA instance in a container environment.)

I set up NPS, it sends requests to FreeRADIUS.

Timeouts on NPS 60
Timeouts in FreeRADIUS 30

rlm_perl.ini

```ini
[Default]
URL = https://reverse_proxy/validate/check
REALM = scop
RESCONF = SCOP
SSL_CHECK = false
DEBUG = true
TIMEOUT = 30

#[Mapping]
#serial = privacyIDEA-Serial

[Mapping user]
# The Mapping is used to add attributes to the RADIUS response.
# The value is read from the privacyIDEA response.
# In this case the content of the privacyIDEA response
#   detail->user->group
# will be written to the RADIUS response attribute "Class".
#group = Class

[Attribute Filter-Id]
# With the multivalue attributes in the user response of privacyIDEA
# we can also do an attribute mangling.
# privacyIDEA may return a value like
#   detail : { user : { acl : ["CN=vpn-user,ou=sales,dc=example,dc=com",
#                              "CN=domain users,ou=sales,dc=example,dc=com"]}}}
# The below example would match the privacyIDEA userAttribute "acl" and check if the
# value matches the regex. If it does, it will add the substring $1 as the
# "Filter-Id" to the RADIUS response.
# The ini file can contain several "Attribute" groups, to add several RADIUS attributes
# to the response.
#dir = user
#userAttribute = acl
#regex = CN=(\w*)-users,OU=sales,DC=example,DC=com
#prefix =
#suffix =

[Attribute otherAttribute]
# If you want to have more mapping rules for a RADIUS attribute you
# can give the section an arbitrary name and use the key "radiusAttribute".
# This example will set the Filter-Id to "FIXEDValue" if the user is located in
# resolver1.
#radiusAttribute = Filter-Id
#userAttribute = user-resolver
#regex = resolver1
#prefix = FIXEDValue

[Attribute Class]
# This example will add the RADIUS Attribute Class = SomeOtherValue
# if the user is in the resolver "myResolverName".
#userAttribute = user-resolver
#regex = myResolverName
#prefix = SomeOtherValue
```


When testing the gateway login, the FreeRADIUS logs show

(0) Received Access-Request Id 2 from 10.105.15.11:62009 to 172.18.0.2:1812 length 120
(0) Service-Type = Sip-session
(0) User-Name = “DOMAIN\user”
(0) Called-Station-Id = “UserAuthType:PW”
(0) MS-Machine-Name = “``WRS0094.DOMAIN.COM``”
(0) MS-Network-Access-Server-Type = Terminal-Server-Gateway
(0) NAS-Port-Type = Virtual
(0) Proxy-State = 0x0a69080b0000002f
(0) # Executing section authorize from file /opt/etc/raddb/sites-enabled/privacyidea
(0) authorize {
(0) update request {
(0) EXPAND %{Packet-Src-IP-Address}
(0) → 10.105.15.11
(0) Packet-Src-IP-Address = 10.105.15.11
(0) } # update request = noop
(0) perl-privacyidea: $RAD_REQUEST{‘Packet-Src-IP-Address’} = &request:Packet-Src-IP-Address → ‘10.105.15.11’
(0) perl-privacyidea: $RAD_REQUEST{‘MS-Network-Access-Server-Type’} = &request:MS-Network-Access-Server-Type → ‘Terminal-Server-Gateway’
(0) perl-privacyidea: $RAD_REQUEST{‘MS-Machine-Name’} = &request:MS-Machine-Name → ‘``WRS0094.DOMAIN.COM``’
(0) perl-privacyidea: $RAD_REQUEST{‘User-Name’} = &request:User-Name → ‘DOMAIN\user’
(0) perl-privacyidea: $RAD_REQUEST{‘Service-Type’} = &request:Service-Type → ‘Sip-session’
(0) perl-privacyidea: $RAD_REQUEST{‘Called-Station-Id’} = &request:Called-Station-Id → ‘UserAuthType:PW’
(0) perl-privacyidea: $RAD_REQUEST{‘Proxy-State’} = &request:Proxy-State → ‘0x0a69080b0000002f’
(0) perl-privacyidea: $RAD_REQUEST{‘NAS-Port-Type’} = &request:NAS-Port-Type → ‘Virtual’
(0) perl-privacyidea: &request:Called-Station-Id = $RAD_REQUEST{‘Called-Station-Id’} → ‘UserAuthType:PW’
(0) perl-privacyidea: &request:Service-Type = $RAD_REQUEST{‘Service-Type’} → ‘Sip-session’
(0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{‘User-Name’} → ‘DOMAIN\user’
(0) perl-privacyidea: &request:MS-Network-Access-Server-Type = $RAD_REQUEST{‘MS-Network-Access-Server-Type’} → ‘Terminal-Server-Gateway’
(0) perl-privacyidea: &request:MS-Machine-Name = $RAD_REQUEST{‘MS-Machine-Name’} → ‘``WRS0094.DOMAIN.COM``’
(0) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{‘Packet-Src-IP-Address’} → ‘10.105.15.11’
(0) perl-privacyidea: &request:Proxy-State = $RAD_REQUEST{‘Proxy-State’} → ‘0x0a69080b0000002f’
(0) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{‘NAS-Port-Type’} → ‘Virtual’
(0) [perl-privacyidea] = ok
(0) if (ok || updated) {
(0) if (ok || updated) → TRUE
(0) if (ok || updated) {
(0) update control {
(0) Auth-Type := Perl
(0) } # update control = noop
(0) } # if (ok || updated) = noop
(0) } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /opt/etc/raddb/sites-enabled/privacyidea
(0) Auth-Type Perl {
(0) perl-privacyidea: $RAD_REQUEST{‘Packet-Src-IP-Address’} = &request:Packet-Src-IP-Address → ‘10.105.15.11’
(0) perl-privacyidea: $RAD_REQUEST{‘MS-Network-Access-Server-Type’} = &request:MS-Network-Access-Server-Type → ‘Terminal-Server-Gateway’
(0) perl-privacyidea: $RAD_REQUEST{‘MS-Machine-Name’} = &request:MS-Machine-Name → ‘``WRS0094.DOMAIN.COM``’
(0) perl-privacyidea: $RAD_REQUEST{‘User-Name’} = &request:User-Name → ‘DOMAIN\user’
(0) perl-privacyidea: $RAD_REQUEST{‘Service-Type’} = &request:Service-Type → ‘Sip-session’
(0) perl-privacyidea: $RAD_REQUEST{‘Called-Station-Id’} = &request:Called-Station-Id → ‘UserAuthType:PW’
(0) perl-privacyidea: $RAD_REQUEST{‘Proxy-State’} = &request:Proxy-State → ‘0x0a69080b0000002f’
(0) perl-privacyidea: $RAD_REQUEST{‘NAS-Port-Type’} = &request:NAS-Port-Type → ‘Virtual’
(0) perl-privacyidea: $RAD_CHECK{‘Auth-Type’} = &control:Auth-Type → ‘Perl’
(0) perl-privacyidea: $RAD_CONFIG{‘Auth-Type’} = &control:Auth-Type → ‘Perl’
rlm_perl: Config File /etc/raddb/rlm_perl.ini found!
rlm_perl: Debugging config: false
rlm_perl: Verifying SSL certificate: false
rlm_perl: Default URL https://reverse_proxy/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Username encoding guessed: ascii
rlm_perl: Setting client IP to 10.105.15.11.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://reverse_proxy/validate/check
rlm_perl: user sent to privacyidea: DOMAIN%5Cuser
rlm_perl: realm sent to privacyidea: scop
rlm_perl: resolver sent to privacyidea: SCOP
rlm_perl: client sent to privacyidea: 10.105.15.11
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam resConf
rlm_perl: urlparam pass
rlm_perl: urlparam client
rlm_perl: urlparam realm
rlm_perl: urlparam user
rlm_perl: Request timeout: 30
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 0.949486
rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
rlm_perl: privacyIDEA Result status is false!
rlm_perl: 500 Internal Server Error: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.
rlm_perl: privacyIDEA failed to handle the request
rlm_perl: return RLM_MODULE_FAIL
(0) perl-privacyidea: &request:Called-Station-Id = $RAD_REQUEST{‘Called-Station-Id’} → ‘UserAuthType:PW’
(0) perl-privacyidea: &request:Service-Type = $RAD_REQUEST{‘Service-Type’} → ‘Sip-session’
(0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{‘User-Name’} → ‘DOMAIN\user’
(0) perl-privacyidea: &request:MS-Network-Access-Server-Type = $RAD_REQUEST{‘MS-Network-Access-Server-Type’} → ‘Terminal-Server-Gateway’
(0) perl-privacyidea: &request:MS-Machine-Name = $RAD_REQUEST{‘MS-Machine-Name’} → ‘``WRS0094.DOMAIN.COM``’
(0) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{‘Packet-Src-IP-Address’} → ‘10.105.15.11’
(0) perl-privacyidea: &request:Proxy-State = $RAD_REQUEST{‘Proxy-State’} → ‘0x0a69080b0000002f’
(0) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{‘NAS-Port-Type’} → ‘Virtual’
(0) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{‘Reply-Message’} → ‘500 Internal Server Error: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.’
(0) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{‘Auth-Type’} → ‘Perl’
(0) [perl-privacyidea] = fail
(0) } # Auth-Type Perl = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 2 from 172.18.0.2:1812 to 10.105.15.11:62009 length 213
(0) Reply-Message = “500 Internal Server Error: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.”
(0) Proxy-State = 0x0a69080b0000002f
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 2 with timestamp +122 due to cleanup_delay was reached


privacyIDEA container logs

privacyidea-1 | [2025-09-12 07:59:30.693][ERROR] Exception on /validate/check [POST]
privacyidea-1 | Traceback (most recent call last):
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/flask/app.py”, line 1473, in wsgi_app
privacyidea-1 | response = self.full_dispatch_request()
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/flask/app.py”, line 882, in full_dispatch_request
privacyidea-1 | rv = self.handle_user_exception(e)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/flask/app.py”, line 880, in full_dispatch_request
privacyidea-1 | rv = self.dispatch_request()
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/flask/app.py”, line 865, in dispatch_request
privacyidea-1 | return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) # type: ignore[no-any-return]
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/api/lib/postpolicy.py”, line 129, in policy_wrapper
privacyidea-1 | response = wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/api/lib/postpolicy.py”, line 129, in policy_wrapper
privacyidea-1 | response = wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/api/lib/postpolicy.py”, line 129, in policy_wrapper
privacyidea-1 | response = wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | [Previous line repeated 10 more times]
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/api/lib/decorators.py”, line 39, in function_wrapper
privacyidea-1 | response = wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/api/lib/prepolicy.py”, line 168, in policy_wrapper
privacyidea-1 | return wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/api/lib/prepolicy.py”, line 168, in policy_wrapper
privacyidea-1 | return wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/api/lib/prepolicy.py”, line 168, in policy_wrapper
privacyidea-1 | return wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | [Previous line repeated 6 more times]
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/decorators.py”, line 120, in check_user_or_serial_in_request_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/subscriptions.py”, line 360, in check_subscription_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/api/lib/prepolicy.py”, line 168, in policy_wrapper
privacyidea-1 | return wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/event.py”, line 92, in event_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/api/validate.py”, line 487, in check
privacyidea-1 | success, details = check_user_pass(user, password, options=options)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 95, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 192, in auth_cache
privacyidea-1 | res, reply_dict = wrapped_function(user_object, passw, options)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 95, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 257, in auth_user_does_not_exist
privacyidea-1 | return wrapped_function(user_object, passw, options)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 95, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 228, in auth_user_has_no_token
privacyidea-1 | return wrapped_function(user_object, passw, options)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 95, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 354, in auth_user_timelimit
privacyidea-1 | res, reply_dict = wrapped_function(user_object, passw, options)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 95, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 441, in auth_lastauth
privacyidea-1 | res, reply_dict = wrapped_function(user_or_serial, passw, options)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 95, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 331, in auth_user_passthru
privacyidea-1 | return wrapped_function(user_object, passw, options)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 95, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 663, in force_challenge_response
privacyidea-1 | return wrapped_function(user_object, passw, options)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/log.py”, line 144, in log_wrapper
privacyidea-1 | return func(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/token.py”, line 2335, in check_user_pass
privacyidea-1 | res, reply_dict = check_token_list(token_objects, passw,
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/log.py”, line 144, in log_wrapper
privacyidea-1 | return func(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 95, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 633, in reset_all_user_tokens
privacyidea-1 | r = wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 95, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/challengeresponsedecorators.py”, line 153, in generic_challenge_response_reset_pin
privacyidea-1 | success, reply_dict = wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/policydecorators.py”, line 95, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/challengeresponsedecorators.py”, line 186, in generic_challenge_response_resync
privacyidea-1 | success, reply_dict = wrapped_function(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/token.py”, line 2505, in check_token_list
privacyidea-1 | pin_match, otp_count, repl = token_object.authenticate(passw, user, options=options)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/decorators.py”, line 45, in token_locked_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/tokens/pushtoken.py”, line 1097, in authenticate
privacyidea-1 | _t, _m, transaction_id, _attr = self.create_challenge(options=options)
privacyidea-1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
privacyidea-1 | File “/privacyidea/venv/lib/python3.12/site-packages/privacyidea/lib/tokens/pushtoken.py”, line 980, in create_challenge
privacyidea-1 | if not options[“push_triggered”]:
privacyidea-1 | ~~~~~~~^^^^^^^^^^^^^^^^^^
privacyidea-1 | KeyError: ‘push_triggered’

Hi and welcome,

first of all, polling and RADIUS don’t work together due to the way the RADIUS protocol is specified.

This looks like a bug which is triggered when using the push_wait policy together with push_require_presence. We will look into this.

I thought it worked. Does this article use firebase instead of polling?

Hi @Ybfree, the firebase or polling setting is about how the push request reaches your smartphone. You do not need to have firebase at all. Polling in this context means that the app will automatically ask the server for new authentication requests, like when the app is started or when you do the refresh gesture in the app.

What @plettich means by polling in the context of authentication: Usually, when using push to authenticate, our plugins repeatedly ask the privacyIDEA server “has the user accepted yet?” => polling. This does not work with RADIUS, which is why we added the push_wait policy. When this is enabled (ideally with a condition on the RADIUS/VPN), the initial request from the radius plugin is prolonged until the user has accepted on the phone, so there is only a single request. This means you have to adjust the timeout settings accordingly. But this also has an important limitation in the server: it blocks the thread completely until the user has accepted or the timeout is reached. No other requests can be handled by that thread in that time. So if you want to use this on a large scale, it will probably not work and cause your privacyidea to “freeze”. If you just have like 1-3 admins that use this feature, it will be fine if the webserver of privacyidea has sufficient threads/workers.
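An illustration of the limitation described in the reply above, added here and not part of the original thread or of privacyIDEA's code: a small model of a fixed worker pool in which each push_wait login holds one worker until the user accepts, plus a check that each hop in the NPS → FreeRADIUS → rlm_perl → push_wait chain waits at least as long as the hop it calls. The worker counts, hold times and the push_wait value are constructed assumptions; the 30/30/60 second timeouts are the ones quoted in the question.

```python
import heapq
from dataclasses import dataclass


@dataclass
class Request:
    arrival: float  # seconds since start of the observation window
    hold: float     # seconds the worker stays occupied by this request


def simulate(workers: int, requests: list[Request]) -> list[float]:
    """Queueing delay of each request (in arrival order) on a FIFO worker pool.

    A push_wait login is modelled as a request whose hold time equals the time
    the user needs to accept on the phone (or the push_wait timeout).
    """
    free_at = [0.0] * workers          # time at which each worker becomes free
    heapq.heapify(free_at)
    delays = []
    for req in sorted(requests, key=lambda r: r.arrival):
        earliest = heapq.heappop(free_at)      # next worker to become available
        start = max(earliest, req.arrival)
        delays.append(start - req.arrival)
        heapq.heappush(free_at, start + req.hold)
    return delays


def check_timeout_chain(push_wait: float, plugin_timeout: float,
                        radius_timeout: float, nps_timeout: float) -> list[str]:
    """Report every hop that gives up before the hop it is waiting on."""
    chain = [("push_wait policy", push_wait),
             ("rlm_perl TIMEOUT", plugin_timeout),
             ("FreeRADIUS timeout", radius_timeout),
             ("NPS timeout", nps_timeout)]
    problems = []
    for (inner, inner_s), (outer, outer_s) in zip(chain, chain[1:]):
        if outer_s < inner_s:
            problems.append(f"{outer} ({outer_s}s) is shorter than {inner} ({inner_s}s)")
    return problems


if __name__ == "__main__":
    # Constructed scenario: four users each take 20 s to accept a push, and one
    # OTP login (0.1 s of work) arrives one second after them.
    pushes = [Request(arrival=0.0, hold=20.0) for _ in range(4)]
    otp = Request(arrival=1.0, hold=0.1)
    for pool in (4, 8):
        delay = simulate(pool, pushes + [otp])[-1]
        print(f"{pool} workers: OTP login waits {delay:.1f}s for a free worker")

    # Timeouts from the question (rlm_perl 30, FreeRADIUS 30, NPS 60) with an
    # assumed push_wait of 20 s, then with an assumed push_wait of 45 s.
    print(check_timeout_chain(20, 30, 30, 60))
    print(check_timeout_chain(45, 30, 30, 60))
```
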

Thank you. So, it’s essentially impossible to protect RDG with PrivacyIDEA push using the pushwait policy, as it would freeze the server for a while.
Are there other ways to protect RDG with a second factor using PrivacyIDEA?

Well it is possible, but currently with strong limitations.

Since privacyIDEA supports an array of token types, you can just use another one. For RADIUS, it is best to use an OTP type token, so HOTP/TOTP/SMS/Email and the like. You can configure privacyidea to use one kind of token for your RADIUS application and another type of token for the rest, so that you can have the convenience of push, just not for RADIUS, e.g. users can have multiple tokens.

FYI here is the issue for the error above: