zvekyf
just joined
Topic Author
Posts: 21
Joined: Thu Sep 29, 2016 1:29 am

radius and ppp authentication timeout

Mon Nov 14, 2022 4:09 am

ver. 7.6

I have set up RADIUS login for OpenVPN integrated with DUO 2FA authentication.
We have noticed a problem: if you don't click yes in the DUO app in about 5 seconds, the VPN connection hangs and you must manually kill the connection because OpenVPN will never clean it up.
When the connection hangs, the encoding part is empty under active connections, or under interface it shows only D instead of DR.
Under RADIUS I have set up 40 seconds, but then I see an error that if the timeout is longer than 3 sec. authentication might time out.
The question is: how can I increase the timeout for PPP authentication?
 
RiFF
newbie
Posts: 34
Joined: Sun Apr 29, 2018 9:35 pm

Re: radius and ppp authentication timeout

Mon Nov 14, 2022 11:36 am

You can set a max 60s (60000ms) timeout in the RADIUS server setting - the message in red is only a warning. I see that the Push Notifications timeout is not configurable on the DUO side - https://help.duo.com/s/article/2185?language=en_US
 
zvekyf
just joined
Topic Author
Posts: 21
Joined: Thu Sep 29, 2016 1:29 am

Re: radius and ppp authentication timeout

Tue Nov 15, 2022 6:22 am

The RADIUS timeout is already 40 sec., which I think is enough; it can be set to 60 sec. so it is the same as DUO, but the problem is PPP authentication as I understand it, and this is that if we don't do the DUO authorization inside 5 sec. the connection hangs.
I would like to control the PPP authentication timeout, and for now I haven't found a solution.
If anyone has some info, that would be helpful.
 
RiFF
newbie
Posts: 34
Joined: Sun Apr 29, 2018 9:35 pm

Re: radius and ppp authentication timeout

Tue Nov 15, 2022 11:55 am

You're looking too deep. With this configuration the RADIUS client (MikroTik) will wait 40s (or 60s if you set it) for a response from the RADIUS server. If the message is not received within the specified time, the request will expire. I pasted this link before in another topic (similar solution with another MFA vendor) - https://mbum.pl/archive/mbum6/Secure_VP ... th_MFA.pdf , but if you look at this presentation (page 16) you will see the configured settings between MT and ADSelfService Plus ('RADIUS timeout' and 'Keep the VPN MFA session valid for ...'), which are very important for the correct handling of the second factor during session establishment.
You should enable RADIUS debugging and check what the client-server communication looks like, and check the logs on DUO (if possible) to correlate Push Notification acceptance and RADIUS timeout (and verify this in the RADIUS logs).
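
Added example, not part of the thread: one way to do the correlation suggested in the last reply is to pair each Access-Request with its reply by RADIUS identifier and compare the delay with the client timeout. The log lines below are constructed in a simplified format (real RouterOS debug output differs, so `LINE_RE` must be adapted), and `correlate` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample lines in a simplified format, not real RouterOS output.
SAMPLE_LOG = """\
10:00:01.000 sending Access-Request id=17 user=alice
10:00:04.200 received Access-Accept id=17
10:01:10.000 sending Access-Request id=18 user=bob
10:01:13.000 sending Access-Request id=18 user=bob
10:01:55.500 received Access-Accept id=18
10:02:30.000 sending Access-Request id=19 user=carol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) (?P<dir>sending|received) "
    r"(?P<kind>Access-\w+) id=(?P<id>\d+)(?: user=(?P<user>\S+))?$"
)

def correlate(log_text, timeout_s):
    """Pair requests with replies by RADIUS id; classify against the timeout."""
    pending = {}   # id -> (first send time, user)
    results = []   # (user, status, latency in seconds or None)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        rid = int(m["id"])
        if m["dir"] == "sending":
            # Retransmissions reuse the id, so keep the first send time.
            pending.setdefault(rid, (ts, m["user"]))
        elif rid in pending:
            sent, user = pending.pop(rid)
            latency = (ts - sent).total_seconds()
            status = "in_time" if latency <= timeout_s else "late"
            results.append((user, status, latency))
    # Requests with no reply inside the captured window.
    results += [(user, "no_reply", None) for _, user in pending.values()]
    return results

if __name__ == "__main__":
    for user, status, latency in correlate(SAMPLE_LOG, timeout_s=40):
        print(user, status, latency)
```

A "late" entry means the server answered after the client had already given up, which is the case to compare against the push approval time in the DUO logs.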
