Validate Check and RADIUS Timeout?

wwalker · November 13, 2020, 5:00pm

I’m running into an issue where some users are logging in with their PIN+OTP via RADIUS and they’re getting failed authentication. Checking the radius logs, I see they’re putting in the correct PIN, but I also see

Info: rlm_perl: Request timeout: 10
Info: rlm_perl: elapsed time for privacyidea call: 1.60792

Is that first line just an informational letting me know what the current time-out is configured to?

This issue is being reported by another team member who says that if they log into PrivacyIDEA as an admin and set the user PIN to exactly what it was before, the user can login successfully.

cornelinux · November 14, 2020, 6:59am

Yes, see here:

github.com

privacyidea/FreeRADIUS/blob/master/privacyidea_radius.pm#L467


      
                  $params{"client"} = $RAD_REQUEST{$Config->{CLIENTATTRIBUTE}};
                  &radiusd::radlog( Info, "Setting client IP to $params{'client'}." );
              }
          }
          if ( length($REALM) > 0 ) {
              $params{"realm"} = $REALM;
          } elsif ( length($RAD_REQUEST{'Realm'}) > 0 ) {
              $params{"realm"} = $RAD_REQUEST{'Realm'};
          }
          if ( length($RESCONF) > 0 ) {
              $params{"resConf"} = $RESCONF;
          }
          
          &radiusd::radlog( Info, "Auth-Type: $auth_type" );
          &radiusd::radlog( Info, "url: $URL" );
          &radiusd::radlog( Info, "user sent to privacyidea: $params{'user'}" );
          &radiusd::radlog( Info, "realm sent to privacyidea: $params{'realm'}" );
          &radiusd::radlog( Info, "resolver sent to privacyidea: $params{'resConf'}" );
          &radiusd::radlog( Info, "client sent to privacyidea: $params{'client'}" );
          &radiusd::radlog( Info, "state sent to privacyidea: $params{'state'}" );
          if ( $debug == true ) {

If a user fails to authenticate against privacyIDEA you need to take a look into the privacyIDEA audit log.

wwalker · November 17, 2020, 9:59pm

Alright…had some time to dig into things with this and found the problem. I had an event that was improperly configured set to assign a random pin.