Users get multiple OTP Push Notifications, Radius servers see multiple Auth requests & Auth Failures

If there is a delay in processing the user’s authentication, which can happen from the two known causes detailed below, then a user can repeatedly press the Login button and cause multiple logins to process. The second and subsequent login requests, when using OTP, will fail because they reuse the same token, which causes authentication failures. Also, depending on your OTP policies, this can lock out the user’s OTP token and cause further authentication denials. Finally, there is a bug in NetScaler 11.1 that can affect this as well.

Known cause 1)

There is an issue with LDAP over SSL that causes the LDAP over SSL handshake to be a blocking call for the AAA process. This means that the AAA system can no longer process ANY requests for ANY user until the SSL handshake with LDAP completes. This can lead to authentication delays, which can cause a user to be able to repeatedly click the Login button. NetScaler 11.1 Build 41.1 and newer have this fixed. There are plans to back-port the fix to 11.0 but no ETA as of May 2017.

Known cause 2)

If a Radius server delays in responding to an authentication request, there will be a delay at the login page which allows the user to click the Login button multiple times.

Known cause 3)

In 11.1, there is a bug with AppFlow that results in closing the AAAd connection and eventually also the client side connection. Due to the abrupt closure, the WebUI resends the POST again. These counters confirm this: aaa_force_drop_data, aaa_tot_term_link

Note that you may also experience crashes or login stuck at cgi/login blank page from this bug.
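As an added example that is not part of the original post, the script below shows one way to spot the symptom described above from the RADIUS side: repeated authentication requests from one user within a few seconds, with the later ones rejected. The log format, user names and timestamps are constructed for illustration and are not a real RADIUS or NetScaler log format.

```python
# Added example (not from the original post): flag users whose authentication
# requests arrive in rapid bursts, the pattern that repeated Login clicks with
# one OTP produce. The log format below is constructed, not a real RADIUS format.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <user> <result>"
SAMPLE_LOG = """\
2017-05-02T09:00:00 alice ACCEPT
2017-05-02T09:00:01 alice REJECT
2017-05-02T09:00:02 alice REJECT
2017-05-02T09:05:00 bob ACCEPT
2017-05-02T09:10:00 carol ACCEPT
2017-05-02T09:10:45 carol REJECT
"""

def parse_log(text):
    """Return a list of (timestamp, user, result) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def find_bursts(events, window_seconds=5, min_requests=2):
    """Per user, find the largest run of requests inside a sliding time window
    and report it when it holds at least min_requests, with the reject count."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    window = timedelta(seconds=window_seconds)
    bursts = {}
    for user, attempts in by_user.items():
        start, best = 0, []
        for end in range(len(attempts)):
            # Advance the window start until all attempts in it are within the window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            run = attempts[start:end + 1]
            if len(run) >= min_requests and len(run) > len(best):
                best = run
        if best:
            bursts[user] = {"requests": len(best),
                            "rejects": sum(1 for _, r in best if r == "REJECT"),
                            "first": best[0][0]}
    return bursts

if __name__ == "__main__":
    for user, info in find_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['requests']} requests within 5s, "
              f"{info['rejects']} rejected, starting {info['first']}")
```

A burst of several requests from one user where only the first succeeds is the signature to correlate with the NetScaler counters named above; a single isolated rejection is not.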
