Two-Factor Authentication for VPN users on Juniper SRX - Twice "Access-Request"?

Hi All,
I’m going to set up 2FA for VPN clients on a Juniper SRX box, with LDAP integrated with PI and all users imported into PI.
Users open the Juniper “Secure Connect” app and connect to the SRX with username and password (OTP code).

The output of the `freeradius -X` command shows that PI receives two “Access-Request” packets from the Juniper (as you can see below).
The first one is granted and the second one rejected (“wrong otp value. previous otp used again”).

How can I ask PI to send “Access-Accept” to Juniper, if user granted before?

Thanks
Mike
============ Output of freeradius -X =============
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config:
rlm_perl: Default URL https://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Password encoding guessed: ascii
rlm_perl: Setting client IP to 192.168.67.133.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: pi
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 192.168.67.133
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam pass
rlm_perl: urlparam client
rlm_perl: urlparam user
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 0.306415
rlm_perl: privacyIDEA access granted for pi realm=‘’
rlm_perl: ++++ Parsing group: Attribute
rlm_perl: +++++ Found member ‘Attribute Filter-Id’
rlm_perl: ++++++ Attribute: IF ‘’->‘’ == ‘’ THEN ‘Filter-Id’
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
rlm_perl: +++++ Found member ‘Attribute otherAttribute’
rlm_perl: ++++++ Attribute: IF ‘’->‘’ == ‘’ THEN ‘otherAttribute’
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
rlm_perl: +++++ Found member ‘Attribute Class’
rlm_perl: ++++++ Attribute: IF ‘user’->‘groups’ == ‘CN=(\w*[^,]).DC=safenet,DC=local’ THEN ‘Class’
rlm_perl: ++++++ searching in directory user
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
rlm_perl: ++++ Parsing group: Mapping
rlm_perl: +++++ Found member ‘Mapping user’
rlm_perl: return RLM_MODULE_OK
(15) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{‘NAS-Port-Type’} → ‘Ethernet’
(15) perl-privacyidea: &request:User-Password = $RAD_REQUEST{‘User-Password’} → ‘664226’
(15) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{‘Packet-Src-IP-Address’} → ‘192.168.67.133’
(15) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{‘NAS-Identifier’} → ‘srx300’
(15) perl-privacyidea: &request:User-Name = $RAD_REQUEST{‘User-Name’} → ‘pi’
(15) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{‘Reply-Message’} → ‘privacyIDEA access granted’
(15) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{‘Auth-Type’} → ‘Perl’
(15) [perl-privacyidea] = ok
(15) } # Auth-Type Perl = ok
(15) Sent Access-Accept Id 20 from 192.168.67.139:1812 to 192.168.67.133:62384 length 48
(15) Reply-Message = “privacyIDEA access granted”
(15) Finished request
Waking up in 4.9 seconds.
(16) Received Access-Request Id 21 from 192.168.67.133:62384 to 192.168.67.139:1812 length 56
(16) User-Name = “pi”
(16) User-Password = “664226”
(16) NAS-Identifier = “srx300”
(16) NAS-Port-Type = Ethernet
(16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(16) authorize {
(16) update request {
(16) EXPAND %{Packet-Src-IP-Address}
(16) → 192.168.67.133
(16) Packet-Src-IP-Address = 192.168.67.133
(16) } # update request = noop
(16) perl-privacyidea: $RAD_REQUEST{‘User-Name’} = &request:User-Name → ‘pi’
(16) perl-privacyidea: $RAD_REQUEST{‘User-Password’} = &request:User-Password → ‘664226’
(16) perl-privacyidea: $RAD_REQUEST{‘NAS-Identifier’} = &request:NAS-Identifier → ‘srx300’
(16) perl-privacyidea: $RAD_REQUEST{‘NAS-Port-Type’} = &request:NAS-Port-Type → ‘Ethernet’
(16) perl-privacyidea: $RAD_REQUEST{‘Packet-Src-IP-Address’} = &request:Packet-Src-IP-Address → ‘192.168.67.133’
(16) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{‘NAS-Port-Type’} → ‘Ethernet’
(16) perl-privacyidea: &request:User-Password = $RAD_REQUEST{‘User-Password’} → ‘664226’
(16) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{‘Packet-Src-IP-Address’} → ‘192.168.67.133’
(16) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{‘NAS-Identifier’} → ‘srx300’
(16) perl-privacyidea: &request:User-Name = $RAD_REQUEST{‘User-Name’} → ‘pi’
(16) [perl-privacyidea] = ok
(16) if (ok || updated) {
(16) if (ok || updated) → TRUE
(16) if (ok || updated) {
(16) update control {
(16) Auth-Type := Perl
(16) } # update control = noop
(16) } # if (ok || updated) = noop
(16) } # authorize = ok
(16) Found Auth-Type = Perl
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(16) Auth-Type Perl {
(16) perl-privacyidea: $RAD_REQUEST{‘User-Name’} = &request:User-Name → ‘pi’
(16) perl-privacyidea: $RAD_REQUEST{‘User-Password’} = &request:User-Password → ‘664226’
(16) perl-privacyidea: $RAD_REQUEST{‘NAS-Identifier’} = &request:NAS-Identifier → ‘srx300’
(16) perl-privacyidea: $RAD_REQUEST{‘NAS-Port-Type’} = &request:NAS-Port-Type → ‘Ethernet’
(16) perl-privacyidea: $RAD_REQUEST{‘Packet-Src-IP-Address’} = &request:Packet-Src-IP-Address → ‘192.168.67.133’
(16) perl-privacyidea: $RAD_CHECK{‘Auth-Type’} = &control:Auth-Type → ‘Perl’
(16) perl-privacyidea: $RAD_CONFIG{‘Auth-Type’} = &control:Auth-Type → ‘Perl’
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config:
rlm_perl: Default URL httpX://localhost/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Password encoding guessed: ascii
rlm_perl: Setting client IP to 192.168.67.133.
rlm_perl: Auth-Type: Perl
rlm_perl: url: httpX://localhost/validate/check
rlm_perl: user sent to privacyidea: pi
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 192.168.67.133
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam pass
rlm_perl: urlparam client
rlm_perl: urlparam user
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 0.257282
rlm_perl: privacyIDEA Result status is true!
rlm_perl: privacyIDEA access denied for pi realm=’’
rlm_perl: return RLM_MODULE_REJECT
(16) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{‘NAS-Port-Type’} → ‘Ethernet’
(16) perl-privacyidea: &request:User-Password = $RAD_REQUEST{‘User-Password’} → ‘664226’
(16) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{‘Packet-Src-IP-Address’} → ‘192.168.67.133’
(16) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{‘NAS-Identifier’} → ‘srx300’
(16) perl-privacyidea: &request:User-Name = $RAD_REQUEST{‘User-Name’} → ‘pi’
(16) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{‘Reply-Message’} → ‘wrong otp value. previous otp used again’
(16) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{‘Auth-Type’} → ‘Perl’
(16) [perl-privacyidea] = reject
(16) } # Auth-Type Perl = reject
(16) Failed to authenticate the user
(16) Using Post-Auth-Type Reject
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(16) Sending delayed response
(16) Sent Access-Reject Id 21 from 192.168.67.139:1812 to 192.168.67.133:62384 length 62
(16) Reply-Message = “wrong otp value. previous otp used again”
Waking up in 3.5 seconds.
(15) Cleaning up request packet ID 20 with timestamp +15346 due to cleanup_delay was reached
Waking up in 0.4 seconds.
(16) Cleaning up request packet ID 21 with timestamp +15347 due to cleanup_delay was reached
Ready to process requests

Hi Mike
I’m experiencing a similar issue, and I can’t establish a two-factor authentication connection with my Juniper Secure Connect, SRX firewall and privacyIDEA.
I would appreciate it if someone has a solution or could provide some guidance.

You need to fix your Juniper setup to only send one request.

You might have a bad config like a low timeout and several retries.

FreeRADIUS and privacyIDEA work as expected.

As @cornelinux said, the best way to deal with this problem is to fix your NAS configuration so it doesn’t send excessive requests.
If that’s not an option, you can try to use the FreeRADIUS caching mechanisms to cache the first response from privacyIDEA: cache | FreeRADIUS Documentation
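One way to confirm from the debug output that the NAS is retransmitting (rather than the user typing the same code twice) is to pair up Access-Requests that carry an identical user/OTP from the same NAS address within a few seconds. This is an added example, not code from the thread or from the privacyIDEA project; the sample log is constructed from the trimmed lines above (the `Received Access-Request` line for request 15 is assumed, since the paste starts mid-request), and the `+15346`/`+15347` cleanup timestamps are what give the one-second spacing.

```python
import re
from collections import defaultdict

# Constructed sample: the two requests from the freeradius -X output above, trimmed to the
# lines this parser reads (same request numbers, ids, user, OTP, NAS address and timestamps).
SAMPLE_LOG = """\
(15) Received Access-Request Id 20 from 192.168.67.133:62384 to 192.168.67.139:1812 length 56
(15) User-Name = "pi"
(15) User-Password = "664226"
(15) Sent Access-Accept Id 20 from 192.168.67.139:1812 to 192.168.67.133:62384 length 48
(16) Received Access-Request Id 21 from 192.168.67.133:62384 to 192.168.67.139:1812 length 56
(16) User-Name = "pi"
(16) User-Password = "664226"
(16) Sent Access-Reject Id 21 from 192.168.67.139:1812 to 192.168.67.133:62384 length 62
(15) Cleaning up request packet ID 20 with timestamp +15346 due to cleanup_delay was reached
(16) Cleaning up request packet ID 21 with timestamp +15347 due to cleanup_delay was reached
"""

RECV = re.compile(r'^\((\d+)\) Received Access-Request Id (\d+) from ([\d.]+):\d+')
ATTR = re.compile(r'^\((\d+)\) (User-Name|User-Password) = "([^"]*)"')
SENT = re.compile(r'^\((\d+)\) Sent (Access-\w+) Id')
CLEAN = re.compile(r'^\((\d+)\) Cleaning up request packet ID \d+ with timestamp \+(\d+)')

def parse_requests(log):
    """Map each debug request number to its RADIUS id, NAS address, attributes, reply and timestamp."""
    reqs = {}
    for line in log.splitlines():
        if m := RECV.match(line):
            reqs[int(m[1])] = {"id": int(m[2]), "nas": m[3], "attrs": {}, "outcome": None, "ts": None}
        elif (m := ATTR.match(line)) and int(m[1]) in reqs:
            reqs[int(m[1])]["attrs"][m[2]] = m[3]
        elif (m := SENT.match(line)) and int(m[1]) in reqs:
            reqs[int(m[1])]["outcome"] = m[2]
        elif (m := CLEAN.match(line)) and int(m[1]) in reqs:
            reqs[int(m[1])]["ts"] = int(m[2])
    return reqs

def find_duplicate_requests(log, window=5):
    """Flag 2+ requests with the same user, OTP and NAS within `window` seconds (OTP kept out of the report)."""
    groups = defaultdict(list)
    for _, r in sorted(parse_requests(log).items()):
        groups[(r["attrs"].get("User-Name"), r["attrs"].get("User-Password"), r["nas"])].append(r)
    findings = []
    for (user, _otp, nas), rs in groups.items():
        stamps = [r["ts"] for r in rs if r["ts"] is not None]
        if len(rs) > 1 and len(stamps) == len(rs) and max(stamps) - min(stamps) <= window:
            findings.append({"user": user, "nas": nas, "ids": [r["id"] for r in rs],
                             "outcomes": [r["outcome"] for r in rs], "spread_s": max(stamps) - min(stamps)})
    return findings
```

An accept immediately followed by a reject for the same OTP, one second apart from the same NAS, is the retransmission signature; the reject itself is privacyIDEA's replay protection working, so the fix belongs on the NAS timeout/retry settings rather than in the token policy.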