Stop "Sending duplicate proxied request"

David Aldwinckle daldwinckle at uwaterloo.ca
Mon Dec 14 14:36:11 CET 2015


Hi Arran,

Thanks for the explanation. I configured the NAS retry interval and that fixed my problem.

Yubikey tokens can be used with Duo. I'm not familiar with the old tokens, so I can't say if they're the same.

I looked at the yubikey module just now and I'm not confident that it could be configured to work with the Duo API.

From the Duo API documentation, for requests that include a passcode, you need to use a POST method like this:

$ export IKEY= # your Auth API application's "Integration key"
$ export SKEY= # your Auth API application's "Secret key"
$ export HOST= # your Auth API application's "API hostname"

$ python -m duo_client.client --ikey $IKEY --skey $SKEY --host $HOST --path /auth/v2/auth --method POST username=$username factor=passcode passcode=$passcode

https://www.duosecurity.com/docs/authapi-guide#passcode

If the user doesn't have a token, they can use the smartphone app, which sends an "Approve?/Deny?" message. In that case there is no passcode, so the process is more complex and involves querying for a user's enrollment status and device info first.

https://www.duosecurity.com/docs/authapi-guide#secondary-(duo)-authentication

Dave

-----Original Message-----
From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
Reply-to: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Stop "Sending duplicate proxied request"
Date: Sat, 12 Dec 2015 10:17:21 -0500



> On 11 Dec 2015, at 16:40, David Aldwinckle <daldwinckle at uwaterloo.ca> wrote:
>
> Hi All,
>
> I've configured FreeRadius + Duo 2-factor authentication, like so:
>
> - NAS sends Access Request to FreeRadius
> - FreeRadius proxies the request to the Duo Authentication Proxy (id 1)
> - Duo sends an Access Request to FreeRadius for the same username (id 2)
> - If Duo receives an Access-Accept for id 2, it then sends its 2 factor authentication request to a mobile device.
> - The user hits OK, Duo sends an Access-Accept for id 1, using the reply-attributes of id 2.
>
> It seems strange but it works. The problem I am having is that if the user doesn't immediately accept or decline the Duo request, they are bombarded with duplicates.
>
> I believe it is because FreeRadius is sending duplicate requests without waiting for an answer:
>
> Waking up in 0.3 seconds.
> (2) Expecting proxy response no later than 19.666697 seconds from now
> Waking up in 2.0 seconds.
> (0) Sending duplicate proxied request to home server 10.10.10.10 port 1812 - ID: 186
>
> The duplicate is sent long before the 19 second timer from above has expired.

Sending a duplicate for request (0), when request (2) was the one most recently proxied.

Retransmissions are triggered by the NAS, nothing to do with FreeRADIUS.  Timeout is when freeradius will consider the request dead, and synthesise an Access-Reject and return that to the NAS.  Nothing to do with RTX.

Configure timeout on the NAS correctly,  that's the thing causing the short RTX interval.

Is that Yubikey Duo?  If so what's the integration,  same as the old tokens?  If so, we have a module in the server to deal with authentication locally without proxying.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
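
What the duo_client passcode request quoted in David's reply has to carry on the wire, as an added example (not code from this thread, from FreeRADIUS or from Duo). It assumes the HMAC-SHA1 request signing described in Duo's Auth API documentation, which should be checked against the current guide; the keys, hostname and function names are constructed, and nothing is sent over the network.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse


def pct(value):
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return urllib.parse.quote(value, safe="~")


def canonical_params(params):
    """key=value pairs, percent-encoded and sorted by key, joined with '&'."""
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))


def canonical_request(date, method, host, path, params):
    """The string that gets signed: date, METHOD, host, path, params, one per line."""
    return "\n".join([date, method.upper(), host.lower(), path, canonical_params(params)])


def sign_request(ikey, skey, date, method, host, path, params):
    """Return (headers, form body). The secret key only keys the HMAC; it is never sent."""
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    basic = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    headers = {
        "Date": date,  # must be the same value that went into the signed string
        "Authorization": f"Basic {basic}",  # integration key : hex signature
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, canonical_params(params)


def build_passcode_auth(ikey, skey, host, username, passcode, date=None):
    """Signed POST /auth/v2/auth with factor=passcode, as in the command above."""
    date = date or email.utils.formatdate()  # RFC 2822 date, current time
    params = {"username": username, "factor": "passcode", "passcode": passcode}
    return sign_request(ikey, skey, date, "POST", host, "/auth/v2/auth", params)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real API hostname.
    headers, body = build_passcode_auth(
        "DIXXXXXXXXXXXXXXXXXX", "constructed-secret-key", "api-XXXXXXXX.example.invalid",
        "alice", "123456", date="Mon, 14 Dec 2015 14:36:11 -0000")
    print(headers["Authorization"])
    print(body)
```

Any local integration (a script or module called from the RADIUS server instead of proxying) would have to produce these headers for each request and hold the secret key on the server.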
