I have successfully integrated RSA Cloud Authentication and have push notifications working to my users' RSA app on their iPhone to connect to our company VPN. The user may now start their Windows VPN client, and then it flows to RSA as a RADIUS request which is then converted to another RADIUS request using Windows Server Network Policy Server (NPS), which sends the request to the RSA cloud to push the 2FA authentication to the user's RSA app on their iPhone.
The trouble is that employees are receiving MULTIPLE sign-in windows on the iPhone app, in rapid fashion. They are getting two approval sign-in windows within about two seconds of each other. Even if I manage to approve using the first one, the second still appears. On the client connection side, it appears that when I approve on the first window, it then connects successfully to the VPN.
How can I determine why the RSA cloud authentication layer is sending multiple sign-in requests?
This usually happens when the timeout value is not set high enough to allow the user to respond to the push notification. On your NPS server, edit your remote RADIUS server group and change the timeout value to something higher (45 seconds might be a good starting point). You should then have enough time to respond to the push notification before the NPS server tries again.
Thanks for the suggestions, all. I will start a support ticket. I looked for a "timeout" setting in the Radius Server Groups, and don't see anything that specifies "timeout".
The only timing settings I see are on the "Load Balancing" tab:
Number of seconds without response before request is considered dropped = 30
Maximum number of dropped requests before server is identified as unavailable = 15
Number of seconds between requests when server is identified as unavailable = 30
I suspect this may actually be an issue because the NPS is configured as a "Network Access Protection" NPS (required by my VPN solution – Cisco Meraki) instead of VPN, and thus I don't have the timeout setting. In any event, thanks for suggestions and I'll contact support.
Sorry for the confusing terminology. The "timeout" I was referring to is actually the "Number of seconds without response before request is considered dropped". This is what we are looking for. The 30 seconds you have here is OK; however, I would tweak the other values slightly. My personal recommendation would be something like:
Number of seconds without response before request is considered dropped = 45
Maximum number of dropped requests before server is identified as unavailable = 2
Number of seconds between requests when server is identified as unavailable = 120 (or more)
Basically, we don't want NPS to keep trying an Identity router if it's down. After the second failure, we want to remove it from the pool and wait a little while before trying again. Ideally, you would have a second Identity Router deployed for redundancy. The settings I recommended will help NPS to keep requests going to an available Identity Router rather than continually trying one that is unavailable.
With that said, your NPS settings don't seem to be the problem. You will need to contact Cisco support and have them adjust your timeout on the Meraki side. I don't believe this is configurable in the admin UI but it can be adjusted by support.
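To check where the duplicate pushes come from, the useful evidence is the RADIUS traffic as seen at the NPS proxy: a NAS (here the Meraki VPN) that times out while the user is still approving retransmits the same Access-Request, and each retransmit becomes a fresh push upstream. The following is an added example, not code from the thread or from RSA, Cisco or Microsoft; it works on a constructed, simplified CSV of requests (real NPS IAS/DTS logs carry different columns, so adapt the field names), and it also models how many pushes a given NAS timeout and retry count produce for a given approval delay.

```python
"""Spot NAS retransmits that each trigger a new push (added example)."""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample log, not a real NPS log: the Meraki NAS (10.0.0.5)
# resends Identifier 17 for alice after 10 s because she has not yet
# approved the push; she approves at ~20 s. Bob's request needs no resend.
SAMPLE_LOG = """timestamp,nas_ip,user,packet_type,identifier
2024-03-15T10:01:05,10.0.0.5,alice,Access-Request,17
2024-03-15T10:01:15,10.0.0.5,alice,Access-Request,17
2024-03-15T10:01:25,10.0.0.5,alice,Access-Accept,17
2024-03-15T10:05:00,10.0.0.5,bob,Access-Request,42
2024-03-15T10:05:12,10.0.0.5,bob,Access-Accept,42
"""


def find_retransmits(log_text, window_s=45):
    """Map (user, nas_ip, identifier) -> list of gaps in seconds between
    repeated Access-Requests that arrived within window_s of each other.
    A repeated RADIUS Identifier from the same NAS is a retransmit, so the
    NAS timeout is shorter than the user's approval time."""
    last_seen = {}
    hits = {}
    for row in csv.DictReader(StringIO(log_text)):
        if row["packet_type"] != "Access-Request":
            continue
        key = (row["user"], row["nas_ip"], row["identifier"])
        ts = datetime.fromisoformat(row["timestamp"])
        if key in last_seen:
            gap = (ts - last_seen[key]).total_seconds()
            if gap <= window_s:
                hits.setdefault(key, []).append(gap)
        last_seen[key] = ts
    return hits


def expected_pushes(nas_timeout_s, nas_retries, approval_s):
    """Pushes the user sees if the NAS retransmits every nas_timeout_s,
    at most nas_retries times, and the user approves after approval_s.
    Every retransmit sent before the approval lands becomes another push."""
    resends = sum(1 for k in range(1, nas_retries + 1)
                  if k * nas_timeout_s < approval_s)
    return 1 + resends


if __name__ == "__main__":
    for key, gaps in find_retransmits(SAMPLE_LOG).items():
        print(f"retransmit from NAS {key[1]} for {key[0]}: gaps {gaps}s")
    print("pushes with 10 s NAS timeout:", expected_pushes(10, 3, 20))
    print("pushes with 45 s NAS timeout:", expected_pushes(45, 3, 20))
```

Seeing the same Identifier repeated from the Meraki address while the RSA side shows one push per request tells you the retransmit, and therefore the timeout to raise, is on the NAS side rather than in NPS or the cloud service.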