
JoshW.59888 (Customer) asked a question.
I recently deployed an Okta RADIUS agent to use as the primary authentication for an OpenVPN server running on a UniFi Dream Machine Pro. This works; however, users state that after some time of being successfully connected, they start receiving continuous authentication prompts in their Okta app. The VPN remains connected during this time, whether they approve the request or ignore it. The users also claim that when this starts, the only way they can stop it is to fully close the OpenVPN client; simply disconnecting the VPN doesn't work. Of course, I cannot duplicate this issue at all, even after being connected for over an hour. I see the following in the RADIUS agent log when this happens:
2024-02-04 18:30:35 UTC [RADIUS-SERVER-NAME, pool-2-thread-15, radiusRequestId=XXXXXXXXX, user=user@domain.com, requestType=primary] : INFO - received packet from /[UDM PRO IP]:42403 on local address /0:0:0:0:0:0:0:0:1812. packet id: 99
2024-02-04 18:30:35 UTC [RADIUS-SERVER-NAME, pool-2-thread-15, radiusRequestId=XXXXXXXXX, user=user@domain.com, requestType=primary] : INFO - Begin processing of Access-Request, client=/[UDM PRO IP]:1812, packetId=99, method=PAP
2024-02-04 18:30:46 UTC [RADIUS-SERVER-NAME, pool-2-thread-6, radiusRequestId=ZZZZZZZZZ, user=user@domain.com, requestType=primary] : INFO - received packet from /[UDM PRO IP]:42403 on local address /0:0:0:0:0:0:0:0:1812. packet id: 99
2024-02-04 18:30:46 UTC [RADIUS-SERVER-NAME, pool-2-thread-6, radiusRequestId=ZZZZZZZZZ, user=user@domain.com, requestType=primary] : INFO - Completed processing. packetId=99, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=DUPLICATED, remoteAddress=N/A
2024-02-04 18:30:46 UTC [RADIUS-SERVER-NAME, pool-2-thread-6, radiusRequestId=ZZZZZZZZZ, user=user@domain.com, requestType=primary] : INFO - handlePacket returned null response. For request from /[UDM PRO IP]:42403
2024-02-04 18:30:56 UTC [RADIUS-SERVER-NAME, pool-2-thread-5, radiusRequestId=YYYYYYYYY, user=user@domain.com, requestType=primary] : INFO - received packet from /[UDM PRO IP]:42403 on local address /0:0:0:0:0:0:0:0:1812. packet id: 99
2024-02-04 18:30:56 UTC [RADIUS-SERVER-NAME, pool-2-thread-5, radiusRequestId=YYYYYYYYY, user=user@domain.com, requestType=primary] : INFO - Completed processing. packetId=99, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=DUPLICATED, remoteAddress=N/A
2024-02-04 18:30:56 UTC [RADIUS-SERVER-NAME, pool-2-thread-5, radiusRequestId=YYYYYYYYY, user=user@domain.com, requestType=primary] : INFO - handlePacket returned null response. For request from /[UDM PRO IP]:42403
2024-02-04 18:31:06 UTC [RADIUS-SERVER-NAME, pool-2-thread-10, radiusRequestId=NNNNNNN, user=user@domain.com, requestType=primary] : INFO - received packet from /[UDM PRO IP]:42403 on local address /0:0:0:0:0:0:0:0:1812. packet id: 99
2024-02-04 18:31:06 UTC [RADIUS-SERVER-NAME, pool-2-thread-10, radiusRequestId=NNNNNNN, user=user@domain.com, requestType=primary] : INFO - Completed processing. packetId=99, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=DUPLICATED, remoteAddress=N/A
2024-02-04 18:31:06 UTC [RADIUS-SERVER-NAME, pool-2-thread-10, radiusRequestId=NNNNNNN, user=user@domain.com, requestType=primary] : INFO - handlePacket returned null response. For request from /[UDM PRO IP]:42403
2024-02-04 18:31:06 UTC [RADIUS-SERVER-NAME, pool-2-thread-15, radiusRequestId=XXXXXXXXX, user=user@domain.com, requestType=primary] : WARN - Authentication failed for user user@domain.com, reason --- Access-Request failed, error: Request failed at step=DURING_MFA_POLL_LOOP. Time-out
2024-02-04 18:31:06 UTC [RADIUS-SERVER-NAME, pool-2-thread-15, radiusRequestId=XXXXXXXXX, user=user@domain.com, requestType=primary] : INFO - send response: Access-Reject, ID 99
Reply-Message: Authentication failed for user user@domain.com, reason --- Access-Request failed, error: Request failed at step=DURING_MFA_POLL_LOOP. Time-out to /[UDM PRO IP]:42403
2024-02-04 18:31:06 UTC [RADIUS-SERVER-NAME, pool-2-thread-15, radiusRequestId=XXXXXXXXX, user=user@domain.com, requestType=primary] : INFO - Completed processing. packetId=99, totalProcessingTime=30664ms, queueTime=0ms, oktaTime=169ms, httpCode=202, result=EXECUTED_TOO_LONG, remoteAddress=company.okta.com/1.1.1.1:443
The RADIUS agent is obviously receiving new requests from the UDM Pro, so I know the agent is not at fault, but I don't know whether the issue is in the UDM Pro or on the client end. Hoping someone else who has implemented the Okta RADIUS agent with OpenVPN or other VPN clients can chime in. In the OpenVPN config we have the auth token set to never expire. There are no timeout settings in the UDM Pro (at least not in the GUI).
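The log excerpt above shows the pattern worth checking for in the agent log as a whole: the NAS (the UDM Pro at port 42403) resends the same RADIUS packet id 99 roughly every 10 seconds, the agent correctly answers each repeat with result=DUPLICATED and no response, and the original request only completes after 30664ms with EXECUTED_TOO_LONG because it was still polling the Okta push. The script below is an added example, not part of the original post and not Okta's or Ubiquiti's code: it parses agent log lines in the format quoted above, groups receives by (client, packet id), and flags groups where the NAS retransmit interval is shorter than the time the original request spent waiting on MFA. The log lines it reads are constructed from the post's format with placeholder addresses and request ids; the regexes and thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the Okta RADIUS agent lines quoted in the post.
# NAS address (RFC 5737 range), request ids and user are placeholders, not real data.
SAMPLE_LOG = """\
2024-02-04 18:30:35 UTC [RADIUS-SRV, pool-2-thread-15, radiusRequestId=REQ-A, user=user@domain.com, requestType=primary] : INFO - received packet from /192.0.2.10:42403 on local address /0:0:0:0:0:0:0:0:1812. packet id: 99
2024-02-04 18:30:35 UTC [RADIUS-SRV, pool-2-thread-15, radiusRequestId=REQ-A, user=user@domain.com, requestType=primary] : INFO - Begin processing of Access-Request, client=/192.0.2.10:1812, packetId=99, method=PAP
2024-02-04 18:30:46 UTC [RADIUS-SRV, pool-2-thread-6, radiusRequestId=REQ-B, user=user@domain.com, requestType=primary] : INFO - received packet from /192.0.2.10:42403 on local address /0:0:0:0:0:0:0:0:1812. packet id: 99
2024-02-04 18:30:46 UTC [RADIUS-SRV, pool-2-thread-6, radiusRequestId=REQ-B, user=user@domain.com, requestType=primary] : INFO - Completed processing. packetId=99, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=DUPLICATED, remoteAddress=N/A
2024-02-04 18:30:56 UTC [RADIUS-SRV, pool-2-thread-5, radiusRequestId=REQ-C, user=user@domain.com, requestType=primary] : INFO - received packet from /192.0.2.10:42403 on local address /0:0:0:0:0:0:0:0:1812. packet id: 99
2024-02-04 18:30:56 UTC [RADIUS-SRV, pool-2-thread-5, radiusRequestId=REQ-C, user=user@domain.com, requestType=primary] : INFO - Completed processing. packetId=99, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=DUPLICATED, remoteAddress=N/A
2024-02-04 18:31:06 UTC [RADIUS-SRV, pool-2-thread-10, radiusRequestId=REQ-D, user=user@domain.com, requestType=primary] : INFO - received packet from /192.0.2.10:42403 on local address /0:0:0:0:0:0:0:0:1812. packet id: 99
2024-02-04 18:31:06 UTC [RADIUS-SRV, pool-2-thread-10, radiusRequestId=REQ-D, user=user@domain.com, requestType=primary] : INFO - Completed processing. packetId=99, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=DUPLICATED, remoteAddress=N/A
2024-02-04 18:31:06 UTC [RADIUS-SRV, pool-2-thread-15, radiusRequestId=REQ-A, user=user@domain.com, requestType=primary] : INFO - Completed processing. packetId=99, totalProcessingTime=30664ms, queueTime=0ms, oktaTime=169ms, httpCode=202, result=EXECUTED_TOO_LONG, remoteAddress=company.okta.com/1.1.1.1:443
"""

# Assumed line shape: "<ts> UTC [<ctx>] : <LEVEL> - <message>"; lines that differ are skipped.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC \[(?P<ctx>[^\]]*)\] : (?P<level>\w+) - (?P<msg>.*)$")
RECV_RE = re.compile(r"received packet from /(?P<client>\S+) on local address .* packet id: (?P<pid>\d+)")
DONE_RE = re.compile(r"Completed processing\. packetId=(?P<pid>\d+), totalProcessingTime=(?P<ms>\d+)ms.*result=(?P<result>\w+)")


def parse_log(text):
    """Extract 'recv' and 'done' events from agent log text; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rid = re.search(r"radiusRequestId=([^,\]]+)", m["ctx"]).group(1)
        if r := RECV_RE.search(m["msg"]):
            events.append({"ts": ts, "rid": rid, "kind": "recv", "client": r["client"], "pid": int(r["pid"])})
        elif d := DONE_RE.search(m["msg"]):
            events.append({"ts": ts, "rid": rid, "kind": "done", "pid": int(d["pid"]),
                           "ms": int(d["ms"]), "result": d["result"]})
    return events


def analyze(events):
    """Group events by (NAS client, RADIUS packet id) and summarise retransmit behaviour."""
    # 'done' lines carry no client address, so map each radiusRequestId back to the client it came from.
    rid_client = {e["rid"]: e["client"] for e in events if e["kind"] == "recv"}
    groups = defaultdict(lambda: {"recv_ts": [], "duplicates": 0, "final_result": None, "final_ms": None})
    for e in events:
        g = groups[(rid_client.get(e["rid"]), e["pid"])]
        if e["kind"] == "recv":
            g["recv_ts"].append(e["ts"])
        elif e["result"] == "DUPLICATED":
            g["duplicates"] += 1
        else:  # the original request's own completion (Access-Accept/Reject or timeout)
            g["final_result"], g["final_ms"] = e["result"], e["ms"]
    summary = {}
    for key, g in groups.items():
        ts = sorted(g["recv_ts"])
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        summary[key] = {
            "retransmits": len(ts) - 1,
            "duplicates": g["duplicates"],
            "retransmit_interval_s": min(gaps) if gaps else None,  # shortest gap between resends
            "final_result": g["final_result"],
            "final_ms": g["final_ms"],
        }
    return summary


def diagnose(summary):
    """Flag packets the NAS resent while the original request was still waiting on the MFA push."""
    findings = []
    for (client, pid), s in summary.items():
        if s["retransmits"] == 0 or s["final_ms"] is None:
            continue
        interval = s["retransmit_interval_s"]
        if s["final_ms"] > interval * 1000:
            findings.append(
                f"{client} packet {pid}: {s['retransmits']} retransmits about every {interval:.0f}s "
                f"while the original request ran {s['final_ms']}ms and ended {s['final_result']}; "
                f"the NAS retransmit timer is shorter than the MFA wait")
    return findings


if __name__ == "__main__":
    for finding in diagnose(analyze(parse_log(SAMPLE_LOG))):
        print(finding)
```

Run it against the real agent log instead of SAMPLE_LOG to see every (client, packet id) pair where the NAS gave up waiting before Okta did. Because the agent deduplicates on packet id and answers repeats with no response, each resend is harmless to the RADIUS exchange itself, but every new Access-Request that starts a fresh poll loop is a new push to the user's phone; the number worth tuning is the NAS retransmit timeout relative to how long a user needs to approve a push.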

Hi, @JoshW.59888 (Customer)
Thank you for posting on our Community page!
As you already called it, the client application is triggering these events.
It looks like the client application may have some reconnection setting that automatically reconnects if the connection is lost, sending these packets to Okta and triggering the auth flow.
My suggestion would be to contact OpenVPN support.
You can also take a look here for best practices:
https://help.okta.com/oie/en-us/content/topics/integrations/radius-best-pract-ts.htm
Thank you for reaching out to our Community and have a great day!