On 05/13/2015 10:44 AM, Bahmer, Eric Vaughn wrote:
Institutionally we have a hardware token set up: you use a PIN to unlock the device and it spits out a passcode. The passcode allows access through Kerberos, RADIUS, or LDAP binds to Linux servers, or with a custom Apache module to websites.

I have an out-of-band private network set up that attaches to our intranet using a firewall/gateway server which does some port forwarding for various things like SSH and RDP. I'm attempting to set up RADIUS on this firewall/gateway to be used as a proxy for FreeIPA to our token system, which I'd like to be able to use behind the firewall. However, I seem to be getting nearly a dozen requests into the RADIUS server; about half are dropped as duplicates, but usually 3-6 get through, and since it's a single-use token the first attempt succeeds, but the rest fail and cause the hardware token to be blacklisted. Is there a way to specify that the user's RADIUS login is a one-time token, or is this something that sssd or PAM is causing?
Or does the OTP support just not work in the way I need it to?
I have this issue with both the inbox 4.1.0 in RHEL 7.1 and the upstream 4.1.4 RPMs.

My only alternative is probably to set up a KDC on the firewall to trust the institutional realm and have the IdM Kerberos realm trust that. This is also a mixed Linux/Windows environment behind the firewall; I've enabled Unix attributes in my AD and I'm using a script to sync uid/gid with the external LDAP.



Let me rephrase the setup to see if I got it.

You have an OTP server, it is behind the firewall. IPA is outside the firewall. You configured IPA to use radius to talk to OTP server. The firewall drops some of the packets but some go through.

If this is true then:
- There can be a problem with our implementation of the RADIUS client retries. If the client starts a new conversation every time rather than retrying the same packet, then this is a client-side bug. Nathaniel, do you have any hints on how to debug, troubleshoot, or change the configuration of the RADIUS client? Are retries and timeouts configurable?
- The problem can also be on the server side. The server should be tolerant of identical RADIUS packets and not do more than one 2FA authentication sequence. If it starts more than one, it is a bug on the server side. Being the former implementer of one of the RADIUS servers for one of the major 2FA vendors, I know exactly how that happens.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
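The two failure modes Dmitri distinguishes (a client that restarts the conversation on every retry versus a server that re-validates a retransmitted packet) can be shown side by side. The following Python model is an added example written for this page; it is not code from FreeIPA, from Nathaniel's RADIUS client, or from any OTP vendor. It implements just enough of RFC 2865 to build an Access-Request (PAP User-Password hiding, the 16-byte Request Authenticator, the Identifier octet) and a toy OTP server that consumes each code once and blacklists a user after repeated failures. The shared secret, user name, OTP value, lockout threshold of 3, 30-second duplicate window and client address are all constructed values for the demonstration. The server's duplicate filter keys on (source address, Identifier, Request Authenticator), which is what a genuine retransmission preserves and a restarted conversation does not.

```python
import hashlib
import os
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_packet(code, identifier, authenticator, attrs):
    """RFC 2865 header (Code, Identifier, Length, Authenticator) + TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def decode_packet(data):
    code, identifier, length = struct.unpack("!BBH", data[:4])
    authenticator, attrs, pos = data[4:20], [], 20
    while pos < length:
        t, l = struct.unpack("!BB", data[pos:pos + 2])
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, identifier, authenticator, attrs


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


class OtpServer:
    """Toy single-use-token validator behind a RADIUS front end (constructed)."""

    def __init__(self, secret, tokens, lockout=3, dup_ttl=30.0):
        self.secret, self.tokens = secret, tokens      # user -> set of unused codes
        self.lockout, self.dup_ttl = lockout, dup_ttl
        self.failures, self.blacklisted = {}, set()
        self.cache = {}          # (src, Identifier, Request Authenticator) -> (expiry, reply)
        self.validations = 0     # how many times the OTP backend was actually consulted

    def validate_otp(self, user, otp):
        if user in self.blacklisted:
            return False
        self.validations += 1
        codes = self.tokens.get(user, set())
        if otp in codes:
            codes.discard(otp)   # single use: a second check of the same code must fail
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.lockout:
            self.blacklisted.add(user)
        return False

    def handle(self, src, data, now=None):
        """Return a reply code; a real server would also sign a Response Authenticator."""
        now = time.monotonic() if now is None else now
        code, ident, auth, attrs = decode_packet(data)
        if code != ACCESS_REQUEST:
            return None
        key = (src, ident, auth)
        cached = self.cache.get(key)
        if cached is not None and cached[0] > now:
            return cached[1]     # retransmission: replay the earlier answer, no second 2FA run
        a = dict(attrs)
        user = a.get(ATTR_USER_NAME, b"").decode()
        otp = pap_decrypt(a.get(ATTR_USER_PASSWORD, b""), self.secret, auth).decode()
        reply = ACCESS_ACCEPT if self.validate_otp(user, otp) else ACCESS_REJECT
        self.cache[key] = (now + self.dup_ttl, reply)
        return reply


def build_request(secret, ident, user, otp):
    auth = os.urandom(16)        # fresh Request Authenticator = a new conversation
    attrs = [(ATTR_USER_NAME, user.encode()),
             (ATTR_USER_PASSWORD, pap_encrypt(otp.encode(), secret, auth))]
    return encode_packet(ACCESS_REQUEST, ident, auth, attrs)


def simulate(restart_conversation, attempts=6):
    """Deliver the same login 6 times, either as true retries or as 6 new conversations."""
    secret = b"testing123"                               # constructed shared secret
    server = OtpServer(secret, {"eric": {"482913"}})     # constructed user and OTP
    pkt, replies = build_request(secret, 7, "eric", "482913"), []
    for i in range(attempts):
        if restart_conversation:                         # buggy client: new Identifier/Authenticator
            pkt = build_request(secret, 7 + i, "eric", "482913")
        replies.append(server.handle("10.0.0.5", pkt, now=0.0))
    return {"accept": replies.count(ACCESS_ACCEPT), "reject": replies.count(ACCESS_REJECT),
            "validations": server.validations, "blacklisted": "eric" in server.blacklisted}
```

`simulate(False)` models a correct client against a duplicate-aware server: six identical packets arrive, the OTP backend is consulted once, and every copy gets the cached Accept. `simulate(True)` models the client restarting the conversation each time: only the first request succeeds, the next three consume the lockout budget, and the user ends up blacklisted, which matches the symptom in the original post. The same outcome follows from a server that omits the cache check, so both sides need to be verified when debugging this.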

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
