There is an issue when using push tokens with my VPN server (in this case Cisco FTD): when I forward authentication to privacyIDEA for a user who has a push token assigned, it forwards multiple challenges to the user's phone for a single auth request.
In the audit log I can see that there are several /validate/check calls.
What can the issue be?
I don't have this issue with SMS tokens or other types.
You are probably using RADIUS for connecting the VPN to privacyIDEA?
The RADIUS protocol does not work with push-tokens since they verify the authentication out-of-band and the RADIUS protocol is basically stateless.
By default, RADIUS issues three requests if it doesn’t receive an answer, which would explain the three push messages. https://privacyidea.readthedocs.io/en/v3.8.1/tokens/tokentypes/push.html#authentication
Thank you, that's exactly what happened. I forward authentication to Cisco ISE and it forwards it to privacyIDEA. No matter which number I put in the push_wait field, it sends 3 requests.
I tried to turn off push_wait. In this situation it sends only one challenge to the smartphone, but it prompts a challenge-response page like this
It asks for an answer in a field, and whatever I write in it will be accepted.
And if I leave it empty, it won't accept the authentication.
Can we ignore that field and not show it in the challenge response?
We used push_wait=true with FreeRADIUS and also had the same problem of repeated requests from the Cisco VPN gateway. However, we were able to mitigate the additional push notifications with the help of the FreeRADIUS cache module.
In fact FreeRADIUS has logic for declining repeated auth requests from the same user while it's waiting for the first request to privacyIDEA; you just have to set sufficiently high timeouts in FreeRADIUS and the Cisco client. Correct timeout settings left only one scenario in which multiple push notifications can happen: when the user fails to confirm the push in time, it's possible to get "a chain reaction" of failing /validate/check queries. To prevent those we added caching of the response for a given user ID for ~1 minute with the help of modules/rlm_cache, so that additional /validate/check calls never happen.
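The two suppression rules described in the last reply (only one /validate/check per user while a push is in flight, and a short per-user cache of the result so a failed push does not trigger a chain of further pushes), as an added Python model that is not part of the thread and is not FreeRADIUS, rlm_cache or privacyIDEA code. The gate class, the fake blocking backend, the push outcomes and the timing constants are all constructed for the demo; the real setup keeps this state inside FreeRADIUS.

```python
import threading
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed values for the demo: a short stand-in for privacyIDEA's push_wait
# window, and the ~1 minute result cache described in the thread.
PUSH_WAIT_SECONDS = 0.3
CACHE_TTL_SECONDS = 60.0

# Constructed push outcomes: alice confirms her push, bob never does.
PUSH_OUTCOME = {"alice": True, "bob": False}


@dataclass
class _Pending:
    """Bookkeeping for one in-flight /validate/check."""
    done: threading.Event = field(default_factory=threading.Event)
    result: Optional[bool] = None


class ValidateCheckGate:
    """Model of the RADIUS-side gate in front of privacyIDEA /validate/check.

    Rule 1: while a check for a user is in flight, further requests for that
            user (RADIUS retransmissions) reuse the first result instead of
            triggering another backend call, i.e. another push notification.
    Rule 2: a finished result is cached per user for CACHE_TTL_SECONDS, so a
            client retrying after a failed push gets the cached reject rather
            than starting a fresh push.
    """

    def __init__(self, backend: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic):
        self._backend = backend
        self._clock = clock
        self._lock = threading.Lock()
        self._pending: Dict[str, _Pending] = {}
        self._cache: Dict[str, Tuple[bool, float]] = {}
        self.backend_calls = 0  # how many real /validate/check calls were made

    def check(self, user: str, password: str) -> bool:
        now = self._clock()
        with self._lock:
            cached = self._cache.get(user)
            if cached is not None and cached[1] > now:
                return cached[0]                      # Rule 2: cache hit
            pending = self._pending.get(user)
            leader = pending is None
            if leader:
                pending = _Pending()
                self._pending[user] = pending
                self.backend_calls += 1
        if not leader:
            pending.done.wait()                       # Rule 1: follower reuses result
            return bool(pending.result)
        try:
            result = self._backend(user, password)    # blocks for push_wait
        except Exception:
            result = False
        with self._lock:
            self._cache[user] = (result, self._clock() + CACHE_TTL_SECONDS)
            del self._pending[user]
        pending.result = result
        pending.done.set()
        return result


def fake_privacyidea(user: str, password: str) -> bool:
    """Constructed stand-in for /validate/check with push_wait enabled: it
    blocks for the wait window, then reports the scripted push outcome."""
    time.sleep(PUSH_WAIT_SECONDS)
    return PUSH_OUTCOME.get(user, False)


def simulate_retransmissions(user: str = "alice", retries: int = 3) -> Tuple[int, List[bool]]:
    """Three RADIUS retransmissions of one logon arrive while the push is
    pending: expect one backend call (one push) and one shared result."""
    gate = ValidateCheckGate(fake_privacyidea)
    results: List[bool] = []
    threads = [threading.Thread(target=lambda: results.append(gate.check(user, "pin")))
               for _ in range(retries)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return gate.backend_calls, results


def simulate_failed_push(user: str = "bob") -> Tuple[int, List[bool]]:
    """The chain-reaction case: the user never confirms, the client retries.
    The retry inside the TTL is served from cache; only after the TTL expires
    does a new push go out."""
    now = [1000.0]
    gate = ValidateCheckGate(fake_privacyidea, clock=lambda: now[0])
    first = gate.check(user, "pin")    # real push, not confirmed -> reject
    second = gate.check(user, "pin")   # immediate retry -> cached reject, no push
    now[0] += CACHE_TTL_SECONDS + 1.0
    third = gate.check(user, "pin")    # after the TTL -> a new push is sent
    return gate.backend_calls, [first, second, third]


if __name__ == "__main__":
    print("retransmissions:", simulate_retransmissions())  # (1, [True, True, True])
    print("failed push:", simulate_failed_push())            # (2, [False, False, False])
```

The in-flight deduplication is what FreeRADIUS's own duplicate handling gives you once its timeouts exceed the push_wait window; the TTL cache is the part the rlm_cache configuration adds. Keep the TTL short: anything cached is an authentication decision, so a long TTL would let a rejected user keep getting rejected (or an accepted one re-accepted) without a fresh push.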