Stop "Sending duplicate proxied request"

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sat Dec 12 16:17:21 CET 2015


> On 11 Dec 2015, at 16:40, David Aldwinckle <daldwinckle at uwaterloo.ca> wrote:
> 
> Hi All,
> 
> I've configured FreeRadius + Duo 2-factor authentication, like so:
> 
> - NAS sends Access Request to FreeRadius
> - FreeRadius proxies the request to the Duo Authentication Proxy (id 1)
> - Duo sends an Access Request to FreeRadius for the same username (id 2)
> - If Duo receives an Access-Accept for id 2, it then sends its 2 factor authentication request to a mobile device.
> - The user hits OK, Duo sends an Access-Accept for id 1, using the reply-attributes of id 2.
> 
> It seems strange but it works. The problem I am having is that if the user doesn't immediately accept or decline the Duo request, they are bombarded with duplicates.
> 
> I believe it is because FreeRadius is sending duplicate requests without waiting for an answer:
> 
> Waking up in 0.3 seconds.
> (2) Expecting proxy response no later than 19.666697 seconds from now
> Waking up in 2.0 seconds.
> (0) Sending duplicate proxied request to home server 10.10.10.10 port 1812 - ID: 186
> 
> The duplicate is sent long before the 19 second timer from above has expired.

Sending a duplicate for request (0), when request (2) was the one most recently proxied.

Retransmissions are triggered by the NAS, nothing to do with FreeRADIUS. Timeout is when freeradius will consider the request dead, and synthesise an Access-Reject and return that to the NAS. Nothing to do with RTX.

Configure timeout on the NAS correctly, that's the thing causing the short RTX interval.

Is that Yubikey Duo? If so what's the integration, same as the old tokens? If so, we have a module in the server to deal with authentication locally without proxying.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
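
The request (0) versus request (2) point in the reply can be checked mechanically. The following is an added example, not part of the original message and not FreeRADIUS code: it groups the two kinds of debug line quoted above by request number and flags a duplicate that is read against another request's timer. The regexes assume the line formats exactly as quoted in the post; the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the debug lines quoted in the post, in the same order.
SAMPLE = """\
Waking up in 0.3 seconds.
(2) Expecting proxy response no later than 19.666697 seconds from now
Waking up in 2.0 seconds.
(0) Sending duplicate proxied request to home server 10.10.10.10 port 1812 - ID: 186
"""

# Assumed formats, taken from the lines quoted on this page.
EXPECT = re.compile(
    r"^\((\d+)\) Expecting proxy response no later than ([\d.]+) seconds from now")
DUP = re.compile(
    r"^\((\d+)\) Sending duplicate proxied request to home server (\S+) port (\d+) - ID: (\d+)")


def correlate(debug_text):
    """Group proxy timer and retransmit lines by FreeRADIUS request number."""
    requests = defaultdict(lambda: {"window": None, "duplicates": []})
    last_timer_req = None  # request number of the most recent timer line
    findings = []
    for raw in debug_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted log lines
        m = EXPECT.match(line)
        if m:
            last_timer_req = int(m.group(1))
            requests[last_timer_req]["window"] = float(m.group(2))
            continue
        m = DUP.match(line)
        if m:
            req = int(m.group(1))
            requests[req]["duplicates"].append(
                {"server": m.group(2), "port": int(m.group(3)),
                 "radius_id": int(m.group(4))})
            # The timer printed just before may belong to a different request.
            if last_timer_req is not None and req != last_timer_req:
                findings.append(
                    f"duplicate is for request ({req}); the preceding "
                    f"timer line is for request ({last_timer_req})")
    return dict(requests), findings


if __name__ == "__main__":
    by_request, notes = correlate(SAMPLE)
    for number, info in sorted(by_request.items()):
        print(number, info)
    for note in notes:
        print("NOTE:", note)
```
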
