Hi,
I have a policy restricting client 192.168.0.2 to authenticating with HOTP tokens only, but as it turns out SPASS tokens are accepted from that client as well:
136966 2024-01-08 23:25:04 2024-01-08 23:25:04 0.334272 POST /validate/check 1 testuser example.com users_example.com authz_dmzserver authn_generic 192.168.0.2 Authenticated by AuthCache. OK OK 140048437589696
Some observations:
- The audit log line does not show a “token type” associated with the login attempt, whereas I would expect it to show “SPASS”.
- The audit line says: “Authenticated by AuthCache”. This makes me believe that the AuthCache is a global cache, because SPASS authentication is allowed from another server (192.168.0.5), and there the user has indeed authenticated with the SPASS token within the cache timeframe.
Is the fact that no token type is logged due to the use of the AuthCache, or is it a feature of the SPASS token type?
Is it possible to check the token type as per the authorization policy even when the AuthCache is used?
Right now I have set the authentication policy (containing auth_cache=10h) as prio 1 and the authorization policies (containing tokentype=hotp) as prio 2. Would it help to turn that around?
The privacyIDEA version is 3.9.
- Kees.
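As an added illustration of the check the post is asking for (example code written for this page, not code from the privacyIDEA project or from Kees), here is a small script that runs the per-client token-type rule over audit records and flags successful /validate/check entries whose token_type is either empty (the AuthCache case quoted above) or outside the client's allow-list. The records are dicts keyed by privacyIDEA audit column names (number, action, success, user, client, token_type, policies, info); the first record mirrors the audit line quoted in the post, the other records and the 192.168.0.5 allow-list entry are constructed assumptions.

```python
"""Check successful privacyIDEA /validate/check audit entries against a
per-client token-type allow-list.

Added example: not code from the privacyIDEA project or from the post.
Records are dicts keyed by privacyIDEA audit column names (number, action,
success, user, client, token_type, policies, info); the first record mirrors
the audit line quoted in the post, the others are constructed.
"""

# Constructed sample audit data (shaped like the JSON records the /audit/
# endpoint returns; only the columns used below are included).
SAMPLE_AUDIT = [
    # The entry from the post: success, policies matched, but no token_type.
    {"number": 136966, "action": "POST /validate/check", "success": 1,
     "user": "testuser", "client": "192.168.0.2", "token_type": "",
     "policies": "authz_dmzserver authn_generic",
     "info": "Authenticated by AuthCache."},
    # Constructed: a normal HOTP login from the restricted client.
    {"number": 136967, "action": "POST /validate/check", "success": 1,
     "user": "testuser", "client": "192.168.0.2", "token_type": "hotp",
     "policies": "authz_dmzserver authn_generic", "info": "matching 1 tokens"},
    # Constructed: SPASS login from the other server, where SPASS is allowed.
    {"number": 136968, "action": "POST /validate/check", "success": 1,
     "user": "testuser", "client": "192.168.0.5", "token_type": "spass",
     "policies": "authn_generic", "info": "matching 1 tokens"},
    # Constructed: SPASS login from the restricted client with the type
    # recorded, i.e. what a plain policy violation would look like.
    {"number": 136969, "action": "POST /validate/check", "success": 1,
     "user": "testuser", "client": "192.168.0.2", "token_type": "spass",
     "policies": "authn_generic", "info": "matching 1 tokens"},
    # Constructed: a failed attempt, which the check ignores.
    {"number": 136970, "action": "POST /validate/check", "success": 0,
     "user": "testuser", "client": "192.168.0.2", "token_type": "hotp",
     "policies": "authz_dmzserver authn_generic", "info": "wrong otp value"},
]

# Token types each client may use. 192.168.0.2 -> hotp is the authz policy
# from the post; the 192.168.0.5 entry is an assumption.
CLIENT_TOKEN_POLICY = {
    "192.168.0.2": {"hotp"},
    "192.168.0.5": {"hotp", "spass"},
}


def is_successful_check(entry):
    """True for successful /validate/check entries."""
    return (entry.get("action") == "POST /validate/check"
            and int(entry.get("success") or 0) == 1)


def classify(entry, policy):
    """Verdict for one entry: 'unrestricted' (client has no allow-list),
    'ok', 'no_tokentype' (empty column, as on the AuthCache hit) or
    'wrong_tokentype'."""
    allowed = policy.get(entry.get("client"))
    if allowed is None:
        return "unrestricted"
    token_type = (entry.get("token_type") or "").lower()
    if not token_type:
        return "no_tokentype"
    return "ok" if token_type in allowed else "wrong_tokentype"


def find_violations(entries, policy):
    """Return [(number, verdict, info)] for successful checks that are not
    provably compliant: missing token_type or a type outside the allow-list."""
    findings = []
    for entry in entries:
        if not is_successful_check(entry):
            continue
        verdict = classify(entry, policy)
        if verdict in ("no_tokentype", "wrong_tokentype"):
            findings.append((entry["number"], verdict, entry.get("info", "")))
    return findings


def authcache_hits_without_tokentype(entries):
    """Entry numbers where the info column credits the AuthCache and no
    token_type was recorded: the pattern from the post."""
    return [entry["number"] for entry in entries
            if is_successful_check(entry)
            and "authcache" in (entry.get("info") or "").lower()
            and not entry.get("token_type")]


if __name__ == "__main__":
    for number, verdict, info in find_violations(SAMPLE_AUDIT, CLIENT_TOKEN_POLICY):
        print(f"{number}: {verdict} ({info})")
    print("AuthCache hits without token_type:",
          authcache_hits_without_tokentype(SAMPLE_AUDIT))
```

On the sample data this reports entry 136966 as no_tokentype and 136969 as wrong_tokentype; the empty-column case is reported separately from an outright violation because, as the post observes, a cache hit carries no token type at all, so an allow-list check that only looks for the wrong type would silently pass it. To run it against a real instance, feed it the audit records returned by the /audit/ endpoint (or an exported audit CSV mapped to the same column names) instead of SAMPLE_AUDIT.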