proxy timeout

Greetings FR-users,

I am running 3.0.17.

I've got a question about my radius deployment...

Our institution is proxying auth requests to a Duo enabled RADIUS server
off site. Due to the delay in the WAN, plus the human delay of the 2FA I
would like to have an appropriately configured timeout for the proxy. I am
thinking 60 seconds. Is that value too large?

Attempting to change the timeout for the proxy yields a message that I
cannot set the value to 60 seconds:

WARNING: Ignoring "response_window = 60.000000", forcing to
"response_window = 30.000000"


Here is my config:

home_server radius_1 {
    type                          = auth
    ipaddr                        = 10.0.0.1
    secret                        = REMOVED
    require_message_authenticator = yes
    response_window               = 60
}

According to the docs it looks like it should accept 60:

#  The response window can be a number between 0.001 and 60.000
#  Values on the low end are discouraged, as they will likely
#  not work due to limitations of operating system timers.
#
#  The default response window is large because responses may
#  be slow, especially when proxying across the Internet.
#
#  Useful range of values: 5 to 60
response_window = 30

Is response_window the right config parameter for adjusting the proxy
timeout?

Is the 30 second limitation a bug? Or is the documentation wrong? Or is the
issue corrected in a more recent release?

Thanks for the help!

-m
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: proxy timeout

Alan DeKok-2
On Dec 11, 2020, at 1:20 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:
> Our institution is proxying auth requests to a Duo enabled RADIUS server
> off site. Due to the delay in the WAN, plus the human delay of the 2FA I
> would like to have an appropriately configured timeout for the proxy. I am
> thinking 60 seconds. Is that value too large?

  Yes.

  Most NAS equipment will give up after 30s or so.

> Attempting to change the timeout for the proxy yields a message that I
> cannot set the value to 60 seconds:
>
> WARNING: Ignoring "response_window = 60.000000", forcing to
> "response_window = 30.000000"

  Yes.

> According to the docs it looks like it should accept 60:

  It does, mostly.

  But if you have "max_request_time = 30", then the request will time out after 30s.  So that's why the response_window is capped.

  The solution is to change *both* settings.  But....

  Most NAS equipment will give up after 30s or so.  So changing this in FreeRADIUS *might* help, but also might not do anything.

  Alan DeKok.
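
Added example, not part of either message and not FreeRADIUS code: a small check that reports the response_window each home_server will actually get, following the capping described in the reply (bounded by max_request_time and by the documented maximum of 60). The function name, the nas_timeout parameter (30s, per the reply's "30s or so"), the fallback default and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample: the poster's home_server plus a radiusd.conf-style
# max_request_time line (30 is the value named in the reply).
SAMPLE = """
max_request_time = 30

home_server radius_1 {
    type                          = auth
    ipaddr                        = 10.0.0.1
    response_window               = 60
}
"""

DOC_MAX = 60.0         # upper bound quoted in the proxy.conf comments
DEFAULT_WINDOW = 30.0  # assumption: value shown in the quoted sample config


def effective_windows(text, nas_timeout=30.0):
    """Return {home_server: (configured, effective, warnings)}."""
    text = "\n".join(l.split("#", 1)[0] for l in text.splitlines())
    m = re.search(r"^\s*max_request_time\s*=\s*([\d.]+)", text, re.M)
    if not m:
        raise ValueError("max_request_time not found")
    max_req = float(m.group(1))
    results = {}
    for name, body in re.findall(r"home_server\s+(\S+)\s*\{([^}]*)\}", text):
        w = re.search(r"^\s*response_window\s*=\s*([\d.]+)", body, re.M)
        configured = float(w.group(1)) if w else DEFAULT_WINDOW
        effective = min(configured, max_req, DOC_MAX)
        warnings = []
        if effective < configured:
            warnings.append(f"capped to {effective:g}s (max_request_time={max_req:g}, limit {DOC_MAX:g})")
        if effective > nas_timeout:
            warnings.append(f"exceeds assumed NAS timeout of {nas_timeout:g}s")
        results[name] = (configured, effective, warnings)
    return results


if __name__ == "__main__":
    for name, (cfg, eff, warns) in effective_windows(SAMPLE).items():
        print(f"{name}: configured={cfg:g}s effective={eff:g}s", *warns, sep="\n  ")
```

Raising max_request_time to 60 in the sample removes the cap warning but triggers the NAS-timeout warning instead, which is the trade-off the reply points out.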

