9:14 a.m.
Hello
I have setup radius proxy (DUO) and associate user with it. Everything works except
radius
timeout. It is 5 seconds and you have to be blazing fast to push the button :-)
I did adjust radius timeout in freeipa to 30 seconds but it is still 5 seconds. As well
I
have tried a trick with krb.conf [otp] settings, same still 5 seconds.
Please point me to proper way to change radius timeout.
Tested on Centos 8. Freeipa 4.8.4
ipa radiusproxy-find
-----------------------------
1 RADIUS proxy server matched
-----------------------------
RADIUS proxy server name: duo2
Server: x.x.x.x
Timeout: 30
Retries: 0
----------------------------
Number of entries returned 1
----------------------------
Thank you.
Sergiy
10:29 a.m.
Hello Sergiy,
Sergiy Genyuk via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
I have setup radius proxy (DUO) and associate user with it.
Everything works except radius
timeout. It is 5 seconds and you have to be blazing fast to push the button :-)
I did adjust radius timeout in freeipa to 30 seconds but it is still 5 seconds. As well
I
have tried a trick with krb.conf [otp] settings, same still 5 seconds.
Please point me to proper way to change radius timeout.
I had a similar problem some time ago. In my case FreeIPA did a DNS
query for the RADIUS server IP address. The answer was IPv6, but
freeradius didn't listen for IPv6. So FreeIPA did a retry with IPv4
after 5 or 6 seconds. I did see that when sniffing radius traffic on my
radius server.
Here's the diff for my configuration:
diff --git a/freeradius/radiusd.conf b/freeradius/radiusd.conf
index d80312e..85669c4 100644
--- a/freeradius/radiusd.conf
+++ b/freeradius/radiusd.conf
@@ -354,6 +354,18 @@ listen {
# clients = per_socket_clients
}
+listen {
+ ipv6addr = ::
+ port = 0
+ type = auth
+}
+listen {
+ ipv6addr = ::
+ port = 0
+ type = acct
+}
I can't find the original thread in the archive, but check with "tcpdump
-i <dev> port 1812" if you see a failed attempt with IPv6 on your radius
server followed some seconds later with IPv4.
Jochen
--
This space is intentionally left blank.
11:01 a.m.
Hi Jochen,
Thank you for your reply, I do have ipv6 disabled and in capture do not see failed
attempts.
In capture it is only ipv4:
1 0.000000000 xx.xx.xx.xx -> yy.yy.yy.yy RADIUS 117 Access-Request(1) (id=214,
l=75)
2 7.889686902 yy.yy.yy.yy -> xx.xx.xx.xx RADIUS 90 Access-Accept(2) (id=214, l=48)
If delay more then 5 seconds between request and reply you going to get request for
password again :-(
First Factor:
Second Factor:
First Factor:
If your Access-Accept arrived within 5 seconds you will login :-)
Regards,
Sergiy
2:26 p.m.
Sergiy Genyuk via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
Thank you for your reply, I do have ipv6 disabled and in capture do
not see failed attempts.
In capture it is only ipv4:
1 0.000000000 xx.xx.xx.xx -> yy.yy.yy.yy RADIUS 117 Access-Request(1) (id=214,
l=75)
2 7.889686902 yy.yy.yy.yy -> xx.xx.xx.xx RADIUS 90 Access-Accept(2) (id=214,
l=48)
If delay more then 5 seconds between request and reply you going to get request for
password again :-(
So you should find out why RADIUS is spending so much time. What RADIUS
server do you use? What's your user store, and what do you use for OTP?
I did use freeradius and privacyidea.
I did research setting longer timeouts, but that proved not really
useful.
Jochen
--
This space is intentionally left blank.
2:13 p.m.
Radius server is DUO so when in FreeIPA radius server set it sends Access-Request to the
DUO Radius server DUO check password against AD and then push Accept message to the user
mobile app... then returns Access-Accept message back to FreeIPA.
Of cause it takes some time so I have setup timeout in Radius section in the FreeIPA
config but that's does not work. With any settings default timeout is 5 seconds :-(
Now I am looking for help as my users not so happy with 5 sec timeout :-)
2:35 p.m.
On Mon, 2020-07-13 at 19:13 +0000, Sergiy Genyuk via FreeIPA-users
wrote:
Radius server is DUO so when in FreeIPA radius server set it sends
Access-Request to the DUO Radius server DUO check password against AD and then push Accept
message to the user mobile app... then returns Access-Accept message back to FreeIPA.
Of cause it takes some time so I have setup timeout in Radius section in the FreeIPA
config but that's does not work. With any settings default timeout is 5 seconds :-(
Now I am looking for help as my users not so happy with 5 sec timeout :-)
FreeIPA's OTP support is not compatible with challenge response
mechanism that require user interaction like DUO.
The timeout is backed into too many layers.
I think DUO tokens can be configured to provide a OTP number in the app
directly before starting the authentication and w/o requiring
additional user confirmation, if this is an option you should use it.
IIRC,
I may be wrong, I'll let others correct me if that is the case.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
2:51 p.m.
Hi,
Sergiy Genyuk via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
Radius server is DUO so when in FreeIPA radius server set it sends
Access-Request to the DUO Radius server DUO check password against AD
and then push Accept message to the user mobile app... then returns
Access-Accept message back to FreeIPA.
Of cause it takes some time so I have setup timeout in Radius section
in the FreeIPA config but that's does not work. With any settings
default timeout is 5 seconds :-(
I see... I've looked again for my research concerning IPA OTP timeouts.
These posts document the timeouts I found:
https://www.redhat.com/archives/freeipa-users/2016-December/msg00239.html
https://www.redhat.com/archives/freeipa-users/2016-December/msg00271.html
May they have some hints for you.
Jochen
--
This space is intentionally left blank.
3:03 p.m.
Jochen Kellner via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
I see... I've looked again for my research concerning IPA OTP
timeouts.
These posts document the timeouts I found:
https://www.redhat.com/archives/freeipa-users/2016-December/msg00239.html
https://www.redhat.com/archives/freeipa-users/2016-December/msg00271.html
There's also a ticket:
https://pagure.io/freeipa/issue/7444
Jochen
--
This space is intentionally left blank.
1382
days inactive
1387
days old
freeipa-users@lists.fedorahosted.org
7 comments
3 participants
participants (3)
-
Jochen Kellner -
Sergiy Genyuk -
Simo Sorce