SecureAuth RADIUS Version Affected: All
When users attempt to log in via a RADIUS client, they eventually get in, however RADIUS server will log multiple error messages, including the following error message:
[26/Nov/2018:00:00:57 -0600] INFO PasswordState: Second factors query failed for user: admin. Authentication header has been seen before.
The RADIUS client's timeout setting is set too short. Due to dependencies for data store lookup, the recommended minimum timeout is 5 seconds. Anything less than 5 (ex. typical Cisco ACS configuration is 3 seconds) will result in the client sending duplicate Access-Request messages before the RADIUS server has had a change to respond.
Increase the RADIUS client timeout/retry to 5-10 seconds. This change is completed on the device/appliance/service calling the RADIUS server, not within the RADIUS server itself. This will give the RADIUS authentication workflow time to complete requests, and account for any potential delays from the data store.
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.