[RADIATOR] AuthBy DUO issue

Alexander.Hartmaier at t-systems.com Alexander.Hartmaier at t-systems.com
Thu Aug 19 10:27:11 UTC 2021


Hello Alfred,
how would the reverse proxy help? Just by ensuring that there is always (as long as the reverse proxy works 😉) a response to the https request?

Thanks, Alex

T-SYSTEMS AUSTRIA GESMBH
PU Cyber Security
Network Architecture
Operation Manager Authentication
Rennweg 97-99, A-1030 Vienna
+43 57057 4320 (phone)
+43 676 8642 4320 (mobile)
E-mail: alexander.hartmaier at t-systems.com
Internet: www.t-systems.at
Blog: blog.t-systems.at
Social Media: Facebook, Linkedin, Twitter

BIG CHANGES START SMALL – CONSERVE RESOURCES BY NOT PRINTING EVERY E-MAIL.

****************************************************************************************************************
T-Systems Austria GesmbH, Rennweg 97-99, A-1030 Vienna
Commercial Court Vienna, FN 79340b
****************************************************************************************************************
Notice: This transmittal and/or attachments may be privileged or confidential. It is
intended solely for the addressee named above. If you received this transmittal in error,
please notify us immediately by reply and delete this message and all its attachments.
Thank you.
****************************************************************************************************************
________________________________
Von: radiator <radiator-bounces at lists.open.com.au> im Auftrag von Alfred Reibenschuh <alfred.reibenschuh_v-tservices at at.ibm.com>
Gesendet: Dienstag, 17. August 2021 11:26
An: radiator at lists.open.com.au <radiator at lists.open.com.au>
Betreff: Re: [RADIATOR] AuthBy DUO issue

hello

seams like you are facing the same "uncooperative" upstream system issue i have had in the past.

i have had similar problems with radius and other protocols, that radiator
would mark all upstream servers offline and never recovering.

i did not follow your complete conversation, but iirc DUO is http-based,
so if your issue is ha-related you could get away with setting CheckTimerInterval to 0
and putting a reverse-proxy between radiator and DUO like NGINX
(the community edition of nginx would be sufficient)


Yours sincerely

Alfred Reibenschuh

Network Engineer
(Management & Monitoring Architect)

Unified Communication Services
Network & Telecommunication AT

Value Transformation Services GmbH
An IBM Company
Obere Donaustrasse 95
1020 Wien

Phone: +43-1-2056320-143
Mobile: +43-664-3523820
mail: Alfred.Reibenschuh_v-tservices at at.ibm.com<mailto:Alfred.Reibenschuh_v-tservices at at.ibm.com>
webex: https://ibm.webex.com/meet/alfred.reibenschuh_v-tservices

Please consider the environment before printing this e-mail.

This e-mail is confidential and may also contain privileged information. If you are not the intended recipient you are not authorized to read, print, save, process or disclose this message. If you have received this message by mistake, please inform the sender immediately and delete this e-mail, its attachments and any copies.
Any use, distribution, reproduction or disclosure by any person other than the intended recipient is strictly prohibited and the person responsible may incur penalties.

Thank you!


Message: 1
Date: Mon, 16 Aug 2021 16:23:45 +0000
From: <Alexander.Hartmaier at t-systems.com>
To: <hvn at open.com.au>, <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] AuthBy DUO issue
Message-ID:
<FR2P281MB05961DB02C47793A3557FCE8A5FD9 at FR2P281MB0596.DEUP281.PROD.OUTLOOK.COM>

Content-Type: text/plain; charset="windows-1252"

Hi,
that sounds like a sane solution.

A simpler might be to mark Duo dead for a configurable number of seconds after which it's marked as alive again without a check. The next authentication would then either work or again trigger marking it as dead.

Thanks, Alex

T-SYSTEMS AUSTRIA GESMBH
PU Cyber Security
Network Architecture
Operation Manager Authentication
Rennweg 97-99, A-1030 Vienna
+43 57057 4320 (phone)
+43 676 8642 4320 (mobile)
E-mail: alexander.hartmaier at t-systems.com
Internet: www.t-systems.at
Blog: blog.t-systems.at
Social Media: Facebook, Linkedin, Twitter

BIG CHANGES START SMALL ? CONSERVE RESOURCES BY NOT PRINTING EVERY E-MAIL.

****************************************************************************************************************
T-Systems Austria GesmbH, Rennweg 97-99, A-1030 Vienna
Commercial Court Vienna, FN 79340b
****************************************************************************************************************
Notice: This transmittal and/or attachments may be privileged or confidential. It is
intended solely for the addressee named above. If you received this transmittal in error,
please notify us immediately by reply and delete this message and all its attachments.
Thank you.
****************************************************************************************************************
________________________________
Von: radiator <radiator-bounces at lists.open.com.au> im Auftrag von Heikki Vatiainen <hvn at open.com.au>
Gesendet: Mittwoch, 14. Juli 2021 20:26
An: radiator at lists.open.com.au <radiator at lists.open.com.au>
Betreff: Re: [RADIATOR] AuthBy DUO issue

On 13.7.2021 18.05, Alexander.Hartmaier at t-systems.com wrote:

> We've encountered another issue today: when CheckTimerInterval is
> configured to 0, to disable the periodic DUO API check which fills our
> log and generated unnecessary traffic and load, the API never recovers
> when marked as dead.

That seems to be correct, but likely not expected.

> Do you have a suggestion how to solve this besides configuring
> CheckTimerInterval for something else?

Currently there is nothing to solve this. A strategy, such as starting
the poll timer when the API is down and letting it poll until it's up,
would be needed.

If you have a preferred idea, please let us know.

Thanks,
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20210819/133e3775/attachment-0001.html>


More information about the radiator mailing list