Oh for sure...
I used Cisco 1200s @ RSA and the Windows EAP interfaces

I was always fighting with the system timing out the authentication before a user would type in a token code. This frequently takes a minute or more, because people have to get their token, often they wait for the code to change, so they have a minute to read it, then type it in...

On Windows 7, we had more problems, so I decided to explore some not well understood options of the EAP interface. There was an option that was supposed to take 60 seconds (so their tech support told me); I tried it.

It failed so quickly my head was spinning. I got out Wireshark and traced the protocol. When this option was selected, the MS EAP/RADIUS client sent a Session-Timeout value of 6! That AP killed the session faster than you could type a character. Removing the option, the value Windows sends is 60.

If you google hard you will find that some versions of Cisco APs have a command line option to ignore the attribute and allow you to specify your own value.
Mine honored the command, but did not have it in the Management GUI.

I believe the "new" Windows EAPhost API now allows the EAP developer to set this value. But there are other 1 minute timers hardwired into the Windows EAP interface that I had to work around.

Dave.

Quoting Phil Mayers <[email protected]>:

On 04/07/13 14:34, David Mitton wrote:
Quoting Phil Mayers <[email protected]>:

On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
Hi,
....


Session-timeout and Idle-timeout are attributes mentioned by the cisco
docs but neither of these seem to be what I'm after.

Neither are relevant; they're for established sessions, not timeouts in
*establishing* one.
-
Actually, that is incorrect: Session-Timeout _is_ used to control the
authentication timeout, when in the initial AccReq.  I'd quote the RFC,
but I'm not at home.  The *-Timeouts in the Acc-Accept control the session.


Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869.

However - does any equipment actually *honour* this? Also, I note the
wording is very loose indeed - no MUST.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

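The thread turns on one number: the Session-Timeout attribute the RADIUS server puts in its Access-Challenge, which (per the RFC 2869 2.3.2 text cited above) tells the NAS how long to wait for the EAP-Response. Dave found the value by reading it out of a Wireshark trace; the script below is an added example (not code from this thread, FreeRADIUS, Cisco or Microsoft) that does the same check programmatically. It carries its own minimal RADIUS attribute parser, constructs two sample Access-Challenge packets with a zeroed authenticator (so they are test data, not valid wire packets), and flags a Session-Timeout shorter than the 60 seconds a token user needs. The 60-second threshold and the 6-second sample value are the figures from Dave's post; the function and constant names are the example's own.

```python
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2869), as discussed in the thread.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_CHALLENGE = 11
ATTR_STATE = 24
ATTR_SESSION_TIMEOUT = 27
ATTR_EAP_MESSAGE = 79

HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def build_radius(code, identifier, attrs, authenticator=b"\x00" * 16):
    """Assemble a RADIUS packet from (type, value) pairs. Constructed test data only:
    the authenticator is zeroed, so the result is not a valid packet on the wire."""
    body = b"".join(struct.pack("!BB", atype, 2 + len(value)) + value
                    for atype, value in attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_radius(packet):
    """Return (code, identifier, [(type, value), ...]).
    Every length field is validated so a malformed capture raises instead of misparsing."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute Length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, attrs


def challenge_session_timeout(packet):
    """Seconds carried in Session-Timeout of an Access-Challenge (RFC 2869 2.3.2),
    or None if the packet is not a challenge or carries no Session-Timeout."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_CHALLENGE:
        return None
    for atype, value in attrs:
        if atype == ATTR_SESSION_TIMEOUT:
            if len(value) != 4:
                raise ValueError("Session-Timeout must be a 4-octet integer")
            return struct.unpack("!I", value)[0]
    return None


def check_token_window(packet, needed_seconds=60):
    """Classify a challenge by whether its Session-Timeout leaves the user enough
    time to type a token code. The 60 s default is the figure quoted in the thread."""
    timeout = challenge_session_timeout(packet)
    if timeout is None:
        return "no-session-timeout"          # NAS falls back to its own timer
    if timeout < needed_seconds:
        return "too-short: %ds" % timeout    # the 6 s case seen in the Wireshark trace
    return "ok: %ds" % timeout


# Constructed sample challenges: an EAP-Request/Identity plus a State cookie, with
# Session-Timeout of 6 s (the broken option) and 60 s (the normal value).
EAP_REQUEST_IDENTITY = b"\x01\x01\x00\x05\x01"  # Code=Request, Id=1, Len=5, Type=Identity


def sample_challenge(seconds):
    return build_radius(ACCESS_CHALLENGE, 0x2A, [
        (ATTR_EAP_MESSAGE, EAP_REQUEST_IDENTITY),
        (ATTR_STATE, b"\xde\xad\xbe\xef"),
        (ATTR_SESSION_TIMEOUT, struct.pack("!I", seconds)),
    ])


if __name__ == "__main__":
    for secs in (6, 60):
        print(secs, check_token_window(sample_challenge(secs)))
```

To use it on real traffic, feed `check_token_window` the UDP payload of each Access-Challenge exported from a capture; a Session-Timeout in an Access-Accept is deliberately ignored, since (as the thread notes) that one governs the established session rather than the authentication exchange.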
