RADIUS Server erroneously denying access requests

Follow

SecureAuth RADIUS Version Affected:  All

 

Description: 

When users attempt to log in via a RADIUS client, they eventually get in, however RADIUS server will log multiple error messages, including the following error message:

[26/Nov/2018:00:00:57 -0600] INFO PasswordState: Second factors query failed for user: admin. Authentication header has been seen before.

 

Cause:  

The RADIUS client's timeout setting is set too short.  Due to dependencies for data store lookup, the recommended minimum timeout is 5 seconds.  Anything less than 5 (ex. typical Cisco ACS configuration is 3 seconds) will result in the client sending duplicate Access-Request messages before the RADIUS server has had a change to respond.

 

Resolution: 

Increase the RADIUS client timeout/retry to 5-10 seconds.  This change is completed on the device/appliance/service calling the RADIUS server, not within the RADIUS server itself.  This will give the RADIUS authentication workflow time to complete requests, and account for any potential delays from the data store. 

 

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

0 out of 0 found this helpful

Comments

2 comments
  • would be really helpful to have instructions on *how* to adjust the timeout settings

    0
    Comment actions Permalink
  • Our RADIUS server does not have any timeout settings to adjust, as it abides by whatever the client (ie. Cisco ASA, Palo Alto, ntradping, etc) dictates. For example, Cisco ACS by default uses 3 seconds, while Cisco AnyConnect is 12 seconds. You have to make the timeout changes on the client side, NOT the RADIUS server side. As these clients are devices outside of the SecureAuth realm of influence, we defer to the admin of those devices to make the respective adjustments.

    0
    Comment actions Permalink

Please sign in to leave a comment.