cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
645
Views
0
Helpful
4
Replies

Duo push notification for postgresql database log in

Hello members,

We have configured MFA for the PostgreSQL database using RADIUS authentication and Cisco Duo, overall the configuration works, but I need help with the usage. 

 The problem is that database authentication succeeds when I approve the Duo push notification in a second or so; if I delay one more second, the database authentication fails with the below error:

[enterprisedb@closvl2142 data]$  psql -d edb -p 5445 -U ksudanag
Password for user ksudanag:
psql: error: connection to server on socket "/tmp/.s.PGSQL.5445" failed: FATAL:  RADIUS authentication failed for user "ksudanag"

This makes the entire solution unusable. Can someone suggest how do I resolve this? 

BR//

Karthik

4 Replies 4

DuoKristina
Cisco Employee
Cisco Employee

Is there is an adjustable RADIUS authentication timeout in PostgreSQL that you can extend to allow more time for a user to approve the Duo Push request?

Duo, not DUO.

Hello,

Thanks for sharing your thoughts. I did work with our PostgreSQL vendor support to identify any such parameters in the database, but there are none; as per them, the time out is managed at the RADIUS server itself, and we already set the radius timeout to 30 seconds. 

The Database logs say as  below:

2023-10-27 09:44:48 CEST LOG: timeout waiting for RADIUS response from 10.245.124.45
2023-10-27 09:44:48 CEST FATAL: RADIUS authentication failed for user "ksudanag"

Where 10.245.124.45 is our RADIUS server.

My assumption is that this something is to be fixed between the RADIUS and Duo. Are there any time-outs set between them?

Thanks,

Karthik

The timeout for a Duo Push itself is 60 seconds. When our service sends a Duo Push request it waits 60 seconds for a user response before failing it as timed out. This is not adjustable.

There is also a timeout in the Authentication Proxy configurable in the radius_server_nnn section: api_timeout. This determines how long the Duo Authentication Proxy will wait for a response from the Duo API host (our cloud service). It defaults to no limit.

> the time out is managed at the RADIUS server itself, and we already set the radius timeout to 30 seconds. 

What do you mean? You set the api_timeout value to 30 seconds in the Duo Authentication Proxy authproxy.cfg? If so, means that the Duo server will only wait 30 seconds to receive a response from the Duo cloud service before terminating the 2FA request and returning a reject to the authenticating service (in your case, PostgreSQL). That is not a lot of time for the user to receive and respond to a Duo Push request (half the lifetime of the Duo Push request itself).

Duo, not DUO.

Hello, 

Thanks for the insights. 

Yes, we tried setting the api_timeout value to 60 seconds, but that didn't help. 

Instead of RADIUS, we tried LDAP authentication for PostgreSQL. This works as expected; the Duo notification waits 60 seconds. 

 

 

 

Quick Links