Hello, I have set up a RADIUS proxy (DUO) and associated a user with it. Everything works except the RADIUS timeout. It is 5 seconds and you have to be blazing fast to push the button :-) I did adjust the RADIUS timeout in FreeIPA to 30 seconds but it is still 5 seconds. I have also tried a trick with the krb.conf [otp] settings, same thing, still 5 seconds. Please point me to the proper way to change the RADIUS timeout.
Tested on CentOS 8, FreeIPA 4.8.4.
ipa radiusproxy-find
-----------------------------
1 RADIUS proxy server matched
-----------------------------
  RADIUS proxy server name: duo2
  Server: x.x.x.x
  Timeout: 30
  Retries: 0
----------------------------
Number of entries returned 1
----------------------------
Thank you.
Sergiy
Hello Sergiy,
Sergiy Genyuk via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> I have set up a RADIUS proxy (DUO) and associated a user with it. Everything works except the RADIUS timeout. It is 5 seconds and you have to be blazing fast to push the button :-) I did adjust the RADIUS timeout in FreeIPA to 30 seconds but it is still 5 seconds. I have also tried a trick with the krb.conf [otp] settings, same thing, still 5 seconds. Please point me to the proper way to change the RADIUS timeout.
I had a similar problem some time ago. In my case FreeIPA did a DNS query for the RADIUS server IP address. The answer was IPv6, but freeradius didn't listen on IPv6. So FreeIPA did a retry over IPv4 after 5 or 6 seconds. I saw that when sniffing RADIUS traffic on my RADIUS server.
Here's the diff for my configuration:
diff --git a/freeradius/radiusd.conf b/freeradius/radiusd.conf index d80312e..85669c4 100644 --- a/freeradius/radiusd.conf +++ b/freeradius/radiusd.conf @@ -354,6 +354,18 @@ listen { # clients = per_socket_clients }
+listen { + ipv6addr = :: + port = 0 + type = auth +} +listen { + ipv6addr = :: + port = 0 + type = acct +}
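Review bot: the two new listen sections bind `ipv6addr = ::` without a per-socket `clients` list, so they fall back to the global clients definition; the unchanged context line `# clients = per_socket_clients` just above shows where a restricted per-socket list would go if the IPv6 sockets should not accept the same set of clients as the IPv4 ones. A comment stating why the sections were added (the server's AAAA record is tried first, and an unanswered IPv6 request delays the IPv4 retry by several seconds, as described in the message) would help the next reader. The `acct` listener is added as well although only authentication traffic is at issue here, so it may not be needed.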
I can't find the original thread in the archive, but check with "tcpdump -i <dev> port 1812" whether you see a failed attempt over IPv6 on your RADIUS server followed some seconds later by one over IPv4.
Jochen
Hi Jochen,
Thank you for your reply. I do have IPv6 disabled and in the capture I do not see failed attempts. In the capture it is only IPv4:
1 0.000000000 xx.xx.xx.xx -> yy.yy.yy.yy RADIUS 117 Access-Request(1) (id=214, l=75)
2 7.889686902 yy.yy.yy.yy -> xx.xx.xx.xx RADIUS 90 Access-Accept(2) (id=214, l=48)
If the delay between request and reply is more than 5 seconds, you are going to get a request for the password again :-(
First Factor:
Second Factor:
First Factor:
If your Access-Accept arrives within 5 seconds you will log in :-)
Regards,
Sergiy
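As an added example (not code from this thread, from FreeIPA or from DUO), here is a small Python script that reads tshark-style lines like the capture above, pairs each Access-Request with its reply by RADIUS identifier, and flags exchanges that either got no answer at all (the IPv6-then-IPv4 retry Jochen described) or were answered later than the 5 second limit Sergiy observed, which is when the "First Factor:" prompt comes back. The first two sample lines are the ones from the capture above; the remaining lines, the addresses 2001:db8::10 and the 5 second constant as a hard limit are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption for this example: the re-prompt limit reported in the thread (5 s).
OTPD_TIMEOUT_S = 5.0

# Matches tshark-style summary lines: "<no> <time> <src> -> <dst> RADIUS <len> <code>(<n>) (id=<id>, l=<l>)"
LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<t>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+RADIUS\s+\d+\s+"
    r"(?P<code>Access-\w+)\(\d+\)\s+\(id=(?P<id>\d+),"
)

# Constructed sample capture: lines 1-2 are from the thread, lines 3-7 are made up.
# Lines 5-7 model Jochen's case: a request to an IPv6 address that nobody answers,
# then a retry over IPv4 a few seconds later.
SAMPLE_CAPTURE = """\
1 0.000000000 xx.xx.xx.xx -> yy.yy.yy.yy RADIUS 117 Access-Request(1) (id=214, l=75)
2 7.889686902 yy.yy.yy.yy -> xx.xx.xx.xx RADIUS 90 Access-Accept(2) (id=214, l=48)
3 20.000000000 xx.xx.xx.xx -> yy.yy.yy.yy RADIUS 117 Access-Request(1) (id=215, l=75)
4 21.250000000 yy.yy.yy.yy -> xx.xx.xx.xx RADIUS 90 Access-Accept(2) (id=215, l=48)
5 40.000000000 xx.xx.xx.xx -> 2001:db8::10 RADIUS 117 Access-Request(1) (id=216, l=75)
6 45.500000000 xx.xx.xx.xx -> yy.yy.yy.yy RADIUS 117 Access-Request(1) (id=216, l=75)
7 45.700000000 yy.yy.yy.yy -> xx.xx.xx.xx RADIUS 90 Access-Accept(2) (id=216, l=48)
"""


@dataclass
class Exchange:
    """One Access-Request and, if it arrived, the matching reply."""
    client: str
    server: str
    ident: int
    sent: float
    reply: Optional[str] = None
    replied: Optional[float] = None
    retransmits: int = 0

    @property
    def delay(self) -> Optional[float]:
        return None if self.replied is None else self.replied - self.sent


def parse_capture(text: str) -> list:
    """Pair requests with replies by (client, server, id); unanswered requests are kept."""
    pending = {}
    done = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, src, dst, code, ident = float(m["t"]), m["src"], m["dst"], m["code"], int(m["id"])
        if code == "Access-Request":
            key = (src, dst, ident)
            if key in pending:                 # same id re-sent to the same server
                pending[key].retransmits += 1
                continue
            pending[key] = Exchange(client=src, server=dst, ident=ident, sent=t)
        else:                                   # Access-Accept / Access-Reject / Access-Challenge
            ex = pending.pop((dst, src, ident), None)
            if ex is None:
                continue                        # reply without a visible request; ignore
            ex.reply, ex.replied = code, t
            done.append(ex)
    done.extend(pending.values())               # never answered
    return sorted(done, key=lambda e: e.sent)


def analyze(exchanges: list, timeout: float = OTPD_TIMEOUT_S) -> list:
    """Return (status, id, server, delay) per exchange: 'unanswered', 'slow' or 'ok'."""
    findings = []
    for ex in exchanges:
        if ex.replied is None:
            findings.append(("unanswered", ex.ident, ex.server, None))
        elif ex.delay > timeout:
            findings.append(("slow", ex.ident, ex.server, round(ex.delay, 3)))
        else:
            findings.append(("ok", ex.ident, ex.server, round(ex.delay, 3)))
    return findings


if __name__ == "__main__":
    for status, ident, server, delay in analyze(parse_capture(SAMPLE_CAPTURE)):
        if status == "unanswered":
            print(f"id={ident} to {server}: no reply seen (wrong address family or server down?)")
        elif status == "slow":
            print(f"id={ident} to {server}: replied after {delay}s > {OTPD_TIMEOUT_S}s, user is re-prompted")
        else:
            print(f"id={ident} to {server}: replied in {delay}s")
```

Feed it the output of `tshark -r capture.pcap -Y radius` (or the tcpdump capture Jochen suggested, converted the same way); an "unanswered" entry followed by a second request to a different address points at the DNS/address-family problem, while "slow" entries with a single address show the backend itself is what exceeds the limit.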
Sergiy Genyuk via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> Thank you for your reply. I do have IPv6 disabled and in the capture I do not see failed attempts. In the capture it is only IPv4:
> 1 0.000000000 xx.xx.xx.xx -> yy.yy.yy.yy RADIUS 117 Access-Request(1) (id=214, l=75)
> 2 7.889686902 yy.yy.yy.yy -> xx.xx.xx.xx RADIUS 90 Access-Accept(2) (id=214, l=48)
> If the delay between request and reply is more than 5 seconds, you are going to get a request for the password again :-(
So you should find out why RADIUS is spending so much time. What RADIUS server do you use? What's your user store, and what do you use for OTP? I used freeradius and privacyIDEA.
I did research setting longer timeouts, but that proved not really useful.
Jochen
The RADIUS server is DUO, so when the RADIUS server is set in FreeIPA it sends an Access-Request to the DUO RADIUS server. DUO checks the password against AD and then pushes an Accept message to the user's mobile app... then returns an Access-Accept message back to FreeIPA.
Of course it takes some time, so I have set up the timeout in the RADIUS section of the FreeIPA config, but that does not work. With any settings the default timeout is 5 seconds :-(
Now I am looking for help as my users are not so happy with the 5 sec timeout :-)
On Mon, 2020-07-13 at 19:13 +0000, Sergiy Genyuk via FreeIPA-users wrote:
> The RADIUS server is DUO, so when the RADIUS server is set in FreeIPA it sends an Access-Request to the DUO RADIUS server. DUO checks the password against AD and then pushes an Accept message to the user's mobile app... then returns an Access-Accept message back to FreeIPA.
> Of course it takes some time, so I have set up the timeout in the RADIUS section of the FreeIPA config, but that does not work. With any settings the default timeout is 5 seconds :-(
> Now I am looking for help as my users are not so happy with the 5 sec timeout :-)
FreeIPA's OTP support is not compatible with challenge-response mechanisms that require user interaction, like DUO. The timeout is baked into too many layers.
I think DUO tokens can be configured to provide an OTP number in the app directly, before starting the authentication and w/o requiring additional user confirmation; if this is an option you should use it.
IIRC, I may be wrong, I'll let others correct me if that is the case.
Simo.
Hi,
Sergiy Genyuk via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> The RADIUS server is DUO, so when the RADIUS server is set in FreeIPA it sends an Access-Request to the DUO RADIUS server. DUO checks the password against AD and then pushes an Accept message to the user's mobile app... then returns an Access-Accept message back to FreeIPA.
> Of course it takes some time, so I have set up the timeout in the RADIUS section of the FreeIPA config, but that does not work. With any settings the default timeout is 5 seconds :-(
I see... I've looked again for my research concerning IPA OTP timeouts. These posts document the timeouts I found:
https://www.redhat.com/archives/freeipa-users/2016-December/msg00239.html
https://www.redhat.com/archives/freeipa-users/2016-December/msg00271.html
Maybe they have some hints for you.
Jochen
Jochen Kellner via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> I see... I've looked again for my research concerning IPA OTP timeouts. These posts document the timeouts I found:
> https://www.redhat.com/archives/freeipa-users/2016-December/msg00239.html
> https://www.redhat.com/archives/freeipa-users/2016-December/msg00271.html
There's also a ticket: https://pagure.io/freeipa/issue/7444
Jochen