We're using AWS SSO with TOTP over RADIUS. Our RADIUS server is a FreeRADIUS with linotp-auth-freeradius-perl.
The problem is the connection between AWS SSO and FreeRADIUS is not completely reliable - there are some periods, when there seems to be significant packet loss between them.
RADIUS uses UDP, which means that even a single return packet lost can cause authentication failure. AWS SSO then tries again, after some time, but TOTP RFC prohibits use of the same token value twice, and the first try used-up the TOTP.
So there are many logs like:
2022/05/24 - 05:59:49 WARNI {140508089116416} [linotp.tokens.totptoken][checkOtp #429] [checkOTP] a previous OTP value was used again!
former tokencounter: 55112395, presented counter 55112395
And many users can't login to AWS SSO even with several tries.
I'm looking for ideas on how to improve reliability of this. I could not find a way for FreeRADIUS to make it send several reply packets with some delay (for example 10 packets every 1 second), which would make it much less likely for every reply packet to get lost.
But maybe there's a way for Linux kernel to duplicate such reply packets several times with increasing delays. If there is, then how? While avoiding duplicating those duplicates again, which, although somewhat funny to think about, is rather not desirable…
I don't think AWS SSO support any other protocol to use TOTP than RADIUS (with UDP), but I might be wrong. Please correct me if this is the case.
