Spass token not logged with token-type in audit and not adhering to policy: only hotp on this server

Hi,

I have a policy restricting client 192.168.0.2 to authenticate HOTP tokens only, but as it turns out SPASS tokens are accepted from that client as well:

136966 	2024-01-08 23:25:04 	2024-01-08 23:25:04 	0.334272 	POST /validate/check 	1 					testuser 	example.com 	users_example.com 	authz_dmzserver authn_generic 	192.168.0.2 	Authenticated by AuthCache. 	OK 	OK 	140048437589696

Some observations:

  • The audit log line does not have an associated “token type” to the login attempt, whereas I would expect it to show “SPASS”.
  • The audit line says: “Authenticated by AuthCache”. This makes me believe that the AuthCache is a global cache, because SPASS authentication is allowed from another server (192.168.0.5) and there the user has indeed within the cache timeframe authenticated with the SPASS token.

Is the fact that no token-type is logged due to the use of the AuthCache or is it a feature of token-type SPASS?
Is it possible to check the token-type as per the authorization policy even when the AuthCache is used?

Right now I have set the authentication policy (containing auth_cache=10h) as prio 1 and the authorization policies (containing tokentype=hotp) as prio 2, would it help to turn that around?

The privacyIDEA version is 3.9.

Kees.

What do you want to achieve?

How does your policy in regards to HOTP look like?

Yes, the authentication is successful due to AuthCache. There is no tokentype, since the authentication did not happen with a real token but with the AuthCache.
Maybe your expectations in regards to the Authcache do not match the actual implementation.

I want authentication on serverA+serviceA with token A and on serverB+serviceB with token B.
I don’t want cached authentication of “serverA+serviceA with token A” to allow someone to access “serverB+serviceB with token B” without checking token B. And that is exactly what happened here.

The way I worked around is to disable the AuthCache for the SPASS token, which does not make much sense anyway.
The cache is now only used for HOTP and mainly because openvpn with HOTP MFA tries to restore the connection after a network hiccup and otherwise hourly and I do not want to break the VPN that often.
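As an added example (not from this thread and not privacyIDEA's own code), a small audit review script that flags AuthCache hits from a client whose authorization policy restricts the token type, and traces each hit back to the real token login it inherited. The audit column names, the tab-separated export and the client-to-tokentype map are constructed assumptions modelled on the row quoted above.

```python
import csv
import io
from typing import Dict, List, Optional, Set, Tuple

# Constructed mapping client IP -> token types its authorization policy allows
# (stands in for the thread's "tokentype=hotp" policy on 192.168.0.2).
CLIENT_TOKENTYPES: Dict[str, Set[str]] = {
    "192.168.0.2": {"hotp"},
    "192.168.0.5": {"spass"},
}

# Constructed audit export (column names are assumed). The middle row mirrors the
# AuthCache row from the thread; the first row is the earlier real SPASS login.
AUDIT_TSV = """id\tdate\taction\tsuccess\tserial\ttoken_type\tuser\trealm\tclient\tinfo
136950\t2024-01-08 22:40:11\tPOST /validate/check\t1\tPISP0001\tspass\ttestuser\texample.com\t192.168.0.5\tmatching 1 tokens
136966\t2024-01-08 23:25:04\tPOST /validate/check\t1\t\t\ttestuser\texample.com\t192.168.0.2\tAuthenticated by AuthCache.
136970\t2024-01-08 23:30:02\tPOST /validate/check\t1\tOATH0002\thotp\ttestuser\texample.com\t192.168.0.2\tmatching 1 tokens
"""


def parse_audit(tsv: str) -> List[dict]:
    """Parse a tab-separated audit export into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(tsv), delimiter="\t"))


def origin_of_cache_hit(rows: List[dict], hit: dict) -> Optional[dict]:
    """Most recent successful real-token check by the same user before the cache hit."""
    earlier = [r for r in rows if r["user"] == hit["user"] and r["realm"] == hit["realm"]
               and r["success"] == "1" and r["token_type"] and r["date"] < hit["date"]]
    return max(earlier, key=lambda r: r["date"]) if earlier else None


def policy_bypassing_cache_hits(rows: List[dict], policy: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (audit id, origin token type, origin client) for every AuthCache hit
    whose originating token type is not allowed for the client of the cache hit."""
    findings = []
    for r in rows:
        allowed = policy.get(r["client"])
        if allowed is None or r["action"] != "POST /validate/check" or r["success"] != "1":
            continue
        if r["token_type"] or "AuthCache" not in r["info"]:
            continue  # a real token check; the tokentype policy was applied normally
        origin = origin_of_cache_hit(rows, r)
        origin_type = origin["token_type"].lower() if origin else "unknown"
        if origin_type not in allowed:
            findings.append((r["id"], origin_type, origin["client"] if origin else "unknown"))
    return findings
```

Run against a real export, each finding is one cached login that reached a client through a token type that client's policy would have rejected.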