10-24-2023 06:25 AM
Hello members,
We have configured MFA for the PostgreSQL database using RADIUS authentication and Cisco Duo, overall the configuration works, but I need help with the usage.
The problem is that database authentication succeeds when I approve the Duo push notification in a second or so; if I delay one more second, the database authentication fails with the below error:
[enterprisedb@closvl2142 data]$ psql -d edb -p 5445 -U ksudanag
Password for user ksudanag:
psql: error: connection to server on socket "/tmp/.s.PGSQL.5445" failed: FATAL: RADIUS authentication failed for user "ksudanag"
This makes the entire solution unusable. Can someone suggest how I can resolve this?
BR//
Karthik
10-26-2023 09:01 AM
Is there an adjustable RADIUS authentication timeout in PostgreSQL that you can extend to allow more time for a user to approve the Duo Push request?
10-27-2023 01:39 AM
Hello,
Thanks for sharing your thoughts. I did work with our PostgreSQL vendor support to identify any such parameters in the database, but there are none; as per them, the time out is managed at the RADIUS server itself, and we already set the radius timeout to 30 seconds.
The database logs say the following:
2023-10-27 09:44:48 CEST LOG: timeout waiting for RADIUS response from 10.245.124.45
2023-10-27 09:44:48 CEST FATAL: RADIUS authentication failed for user "ksudanag"
Where 10.245.124.45 is our RADIUS server.
My assumption is that this is something to be fixed between the RADIUS and Duo. Are there any time-outs set between them?
Thanks,
Karthik
10-30-2023 06:01 AM
The timeout for a Duo Push itself is 60 seconds. When our service sends a Duo Push request it waits 60 seconds for a user response before failing it as timed out. This is not adjustable.
There is also a timeout in the Authentication Proxy configurable in the radius_server_nnn section: api_timeout. This determines how long the Duo Authentication Proxy will wait for a response from the Duo API host (our cloud service). It defaults to no limit.
> the time out is managed at the RADIUS server itself, and we already set the radius timeout to 30 seconds.
What do you mean? You set the api_timeout value to 30 seconds in the Duo Authentication Proxy authproxy.cfg? If so, that means that the Duo server will only wait 30 seconds to receive a response from the Duo cloud service before terminating the 2FA request and returning a reject to the authenticating service (in your case, PostgreSQL). That is not a lot of time for the user to receive and respond to a Duo Push request (half the lifetime of the Duo Push request itself).
11-03-2023 05:20 AM
Hello,
Thanks for the insights.
Yes, we tried setting the api_timeout value to 60 seconds, but that didn't help.
Instead of RADIUS, we tried LDAP authentication for PostgreSQL. This works as expected; the Duo notification waits 60 seconds.