Netscaler RADIUS MFA - Duplicate Requests



Hi all,

 

We have a Netscaler virtual gateway configured for remote access. We have MFA set up, which uses LDAP and RADIUS for the second factor. There have recently been issues with the RADIUS factor, as it is linked to a mobile app where the end user taps Approve on their device to authenticate. Some users are getting multiple authentication notifications, and they usually do not work until the second or third approval. I did a pcap on the RADIUS traffic between the SNIP and the RADIUS service group, and am seeing a lot of duplicate RADIUS requests. I don't suspect this is normal behavior, but I may be wrong. Does anyone have an idea of what could be causing the NS to send duplicate RADIUS requests to the RADIUS servers? Not sure what to check next... everything looks good on the RADIUS server side.

 

Edit: I should also note that I am seeing in the pcaps that some of the health check pings from NS to RADIUS servers are not getting replies.

Edited by Keith Giles

1 hour ago, Carl Stalhood1709151912 said:

On NetScaler, if you edit the RADIUS Server, what timeout is configured? Default is 3 minutes. Normally you want it higher (30 seconds+)

The timeout is set to 60 seconds.

We have a frontend vserver for two RADIUS nodes, and the timeout, secret, etc. are configured at the vserver level, correct?


  • 4 weeks later...
On 12/29/2023 at 7:14 PM, Keith Giles1709159890 said:

The timeout is set to 60 seconds.

We have a frontend vserver for two RADIUS nodes, and the timeout, secret, etc. are configured at the vserver level, correct?

Are you load balancing the RADIUS backend services? If yes, did you configure persistence? From what you describe, it looks like the auth request is sent to ServerA and, when prompted with the Challenge, the challenge-response is sent to ServerB (round robin).


9 hours ago, Jens Ostkamp said:

Are you load balancing the RADIUS backend services? If yes, did you configure persistence? From what you describe, it looks like the auth request is sent to ServerA and, when prompted with the Challenge, the challenge-response is sent to ServerB (round robin).

Hi Jens,

We are load-balancing the RADIUS servers. That is a great question, and yes, we do have persistence (SOURCEIP) configured for those services.


Update: I am seeing this error in the NS logs occasionally:

RADIUS auth: RADIUS server [ip redacted] unresponsive, timed out:No valid RADIUS responses received

 

And from the RADIUS server's side we see an error that RADIUS authentication could not be completed before timeout.

 

Having a tough time discerning if this is an NS issue or a problem with the RADIUS server. I have tried adjusting the RADIUS timeout up and down on the NS, with no change in the behavior.

 

From a packet tracing perspective, it does appear the NS is sending out an extra RADIUS request occasionally.

 

What we are seeing is errant MFA notifications come through to the mobile app. Typically the first will fail, and the second is successful.

 

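Two things in this thread can be checked directly against the pcap rather than argued about: whether the "duplicate" Access-Requests are true retransmissions (same Identifier and same 16-byte Request Authenticator as an earlier request to the same server, which is what a client sends after its timeout expires) or genuinely new requests, and whether the challenge-response carrying the State attribute went back to the server that issued the Access-Challenge, which is what Jens's persistence question is really about (RFC 2865 requires State to be returned unmodified to the issuing server, so a load balancer that spreads the second leg to the other node breaks the push flow). The script below is an added example, not code from the thread or from Citrix. It parses RFC 2865 framing with the standard library only and runs against constructed sample frames; the SNIP, server addresses, user name and State value are all made up. To use it on real data, feed it the UDP payloads extracted from the trace as `Frame(src, dst, payload)` tuples.

```python
"""Offline check of a RADIUS exchange for retransmitted Access-Requests and
challenge responses that were load-balanced to a server that never issued the State.
Pure stdlib; the frames at the bottom are constructed for illustration."""
import struct
from collections import namedtuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_STATE = 1, 24

# src/dst are "ip:port" strings, payload is the raw UDP payload (the RADIUS packet)
Frame = namedtuple("Frame", "src dst payload")


def build_packet(code, identifier, authenticator, attrs):
    """Serialize a RADIUS packet: 20-byte header followed by type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Parse a RADIUS packet into (code, identifier, authenticator, attrs), validating lengths."""
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    authenticator = data[4:20]
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, attrs


def analyze(frames):
    """Return {'retransmits': [...], 'misrouted': [...]} for a list of Frames.

    retransmits: Access-Requests whose (dst, Identifier, Request Authenticator) repeats an
                 earlier request, i.e. the client timed out and resent the same packet.
    misrouted:   Access-Requests carrying a State value that was issued in an Access-Challenge
                 by a different server, the signature of load balancing without persistence.
    """
    seen_requests = {}     # (dst, identifier, authenticator) -> index of first occurrence
    challenge_issuer = {}  # State value -> server that sent the Access-Challenge
    retransmits, misrouted = [], []
    for i, f in enumerate(frames):
        code, identifier, auth, attrs = parse_packet(f.payload)
        if code == ACCESS_CHALLENGE:
            for t, v in attrs:
                if t == ATTR_STATE:
                    challenge_issuer[v] = f.src
        elif code == ACCESS_REQUEST:
            key = (f.dst, identifier, auth)
            if key in seen_requests:
                retransmits.append((i, f.dst, identifier))
            else:
                seen_requests[key] = i
            for t, v in attrs:
                if t == ATTR_STATE and v in challenge_issuer and challenge_issuer[v] != f.dst:
                    misrouted.append((i, challenge_issuer[v], f.dst))
    return {"retransmits": retransmits, "misrouted": misrouted}


# Constructed sample exchange (addresses, user and State value are invented).
SNIP, SERVER_A, SERVER_B = "10.0.0.5:51234", "10.0.1.10:1812", "10.0.1.11:1812"
AUTH1, AUTH2, AUTH3 = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
SAMPLE_FRAMES = [
    # 1. NetScaler sends the second-factor request to server A
    Frame(SNIP, SERVER_A, build_packet(ACCESS_REQUEST, 7, AUTH1, [(ATTR_USER_NAME, b"alice")])),
    # 2. server A triggers the mobile push and answers Access-Challenge with a State token
    Frame(SERVER_A, SNIP, build_packet(ACCESS_CHALLENGE, 7, AUTH2, [(ATTR_STATE, b"push-0001")])),
    # 3. the challenge response is balanced to server B, which never issued that State
    Frame(SNIP, SERVER_B, build_packet(ACCESS_REQUEST, 8, AUTH3,
                                       [(ATTR_USER_NAME, b"alice"), (ATTR_STATE, b"push-0001")])),
    # 4. no reply within the timeout, so request 1 is retransmitted byte-for-byte to server A
    Frame(SNIP, SERVER_A, build_packet(ACCESS_REQUEST, 7, AUTH1, [(ATTR_USER_NAME, b"alice")])),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_FRAMES)
    for idx, dst, ident in result["retransmits"]:
        print(f"frame {idx}: retransmit of Access-Request id={ident} to {dst}")
    for idx, issuer, dst in result["misrouted"]:
        print(f"frame {idx}: State issued by {issuer} was sent to {dst}")
```

In a real capture a retransmit shows up as a second Access-Request to the same server with an identical Identifier and Request Authenticator; a new request from the same SNIP will always carry a fresh Request Authenticator. If the misrouted list is non-empty, the persistence configured on the load-balancing vserver is not keeping the challenge leg on the issuing node, and the mobile prompt fired by that node can never be completed, which matches the "first prompt fails, second succeeds" symptom described above.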