Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
430
Views
0
Helpful
4
Replies

Duo push notification for postgresql database log in

KarthikSudanagunta
Level 1
Level 1

‎10-24-2023 06:25 AM

Hello members,

We have configured MFA for the PostgreSQL database using RADIUS authentication and Cisco Duo, overall the configuration works, but I need help with the usage. 

 The problem is that database authentication succeeds when I approve the Duo push notification in a second or so; if I delay one more second, the database authentication fails with the below error:

[enterprisedb@closvl2142 data]$  psql -d edb -p 5445 -U ksudanag
Password for user ksudanag:
psql: error: connection to server on socket "/tmp/.s.PGSQL.5445" failed: FATAL:  RADIUS authentication failed for user "ksudanag"

This makes the entire solution unusable. Can someone suggest how do I resolve this? 

BR//

Karthik

0 Helpful
4 Replies 4

DuoKristina
Cisco Employee
Cisco Employee

‎10-26-2023 09:01 AM

Is there is an adjustable RADIUS authentication timeout in PostgreSQL that you can extend to allow more time for a user to approve the Duo Push request?

Duo, not DUO.
0 Helpful

KarthikSudanagunta
Level 1
Level 1
In response to DuoKristina

‎10-27-2023 01:39 AM

Hello,

Thanks for sharing your thoughts. I did work with our PostgreSQL vendor support to identify any such parameters in the database, but there are none; as per them, the time out is managed at the RADIUS server itself, and we already set the radius timeout to 30 seconds. 

The Database logs say as  below:

2023-10-27 09:44:48 CEST LOG: timeout waiting for RADIUS response from 10.245.124.45
2023-10-27 09:44:48 CEST FATAL: RADIUS authentication failed for user "ksudanag"

Where 10.245.124.45 is our RADIUS server.

My assumption is that this something is to be fixed between the RADIUS and Duo. Are there any time-outs set between them?

Thanks,

Karthik

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to KarthikSudanagunta

‎10-30-2023 06:01 AM

The timeout for a Duo Push itself is 60 seconds. When our service sends a Duo Push request it waits 60 seconds for a user response before failing it as timed out. This is not adjustable.

There is also a timeout in the Authentication Proxy configurable in the radius_server_nnn section: api_timeout. This determines how long the Duo Authentication Proxy will wait for a response from the Duo API host (our cloud service). It defaults to no limit.

> the time out is managed at the RADIUS server itself, and we already set the radius timeout to 30 seconds. 

What do you mean? You set the api_timeout value to 30 seconds in the Duo Authentication Proxy authproxy.cfg? If so, means that the Duo server will only wait 30 seconds to receive a response from the Duo cloud service before terminating the 2FA request and returning a reject to the authenticating service (in your case, PostgreSQL). That is not a lot of time for the user to receive and respond to a Duo Push request (half the lifetime of the Duo Push request itself).

Duo, not DUO.
0 Helpful

KarthikSudanagunta
Level 1
Level 1
In response to DuoKristina

‎11-03-2023 05:20 AM

Hello, 

Thanks for the insights. 

Yes, we tried setting the api_timeout value to 60 seconds, but that didn't help. 

Instead of RADIUS, we tried LDAP authentication for PostgreSQL. This works as expected; the Duo notification waits 60 seconds. 

 

 

 

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents