Re: [PacketFence-users] Radius Authentication Source Timeout for 2FA
ok easy.
edit the rest.conf file in conf/radiusd
and at this line add (
https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/rest.conf.example#L194
):
timeout = 60.00
Then restart radius-auth
Le jeu. 14 avr. 2022 à 21:49, Benjamin Shirley - Simplicity <
b.shir...@simplicity.ag> a écrit :
> Hi Fabrice,
>
>
>
> thanks for getting back to me. I have tried the settings but that does not
> solve the problem. Raddebug shows following information:
>
>
>
> (8) Fri Apr 15 03:45:53 2022: Debug: Finished request
>
> (7) Fri Apr 15 03:45:56 2022: ERROR: rest: Request failed: 28 - Timeout
> was reached
>
> (7) Fri Apr 15 03:45:56 2022: ERROR: rest: Server returned no data
>
> (7) Fri Apr 15 03:45:56 2022: Debug: [rest] = fail
>
> (7) Fri Apr 15 03:45:56 2022: Debug: } # if (! EAP-Type || (EAP-Type
> != TTLS && EAP-Type != PEAP) ) = fail
>
> (7) Fri Apr 15 03:45:56 2022: Debug: } # post-auth = fail
>
> (7) Fri Apr 15 03:45:56 2022: Debug: Using Post-Auth-Type Reject
>
> (7) Fri Apr 15 03:45:56 2022: Debug: # Executing group from file
> /usr/local/pf/raddb/sites-enabled/packetfence
>
>
>
>
>
> Hope this information is any good!
>
>
>
> Kind regards
>
> Benjamin
>
>
>
>
>
>
>
>
>
> Benjamin Shirley . simplicity networks GmbH
>
>
>
> Heinrich-Hertz-Straße 2 . 59302 Oelde . Phone: +49 2522 8330 3124 .
> Mobile: +49 170 9496681
>
> E-Mail: b.shir...@simplicity.ag . Web: www.simplicity.ag
>
> USt-IdNr DE 210993280 . HRB 14936 Münster . Managing Director: Stefan
> Leewe
>
> We operate for *OPUS* and *someday*
>
>
> Think before you print!
>
>
>
>
>
>
>
> *Von: *Fabrice Durand
> *Datum: *Freitag, 15. April 2022 um 03:18
> *An: *packetfence-users
> *Cc: *Benjamin Shirley
> *Betreff: *Re: [PacketFence-users] Radius Authentication Source Timeout
> for 2FA
>
>
>
> Hello Benjamin,
>
>
>
> first you need to raise the timeout value of the radius-auth service.
>
> You should be able to do it there:
>
>
>
>
> https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/auth.conf.example#L23
>
>
>
> and add that:
>
>
>
> ```
>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 60
> }
>
> ```
>
>
>
> you probably have to add an option to the duo radius source too, like:
>
>
>
> response_timeouts = 30
>
>
>
> if it still not work then run raddebug to see where in freeradius it
> timeout.
>
>
>
> raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
>
>
>
> Regards
>
> Fabrice
>
>
>
> Le jeu. 14 avr. 2022 à 14:22, Benjamin Shirley - Simplicity via
> PacketFence-users a écrit :
>
> Hi @all,
>
> trying to bypass an issue i'm having using 2 different radius server
> (packetfence / duo authproxy) one for admin login purpose (DUO 2FA) and the
> other beeing packetfence for MAB in our network environment - which is a
> known bug in Dell OS6 Network Operating System - I had the idea to simply
> add the Duo Authproxy as an Radius Authentication Source in Packetfence
> meaning I only have to configure 1 radius authentication server on our
> switches.
>
>
> It works! I am able to proxy the authentication to the DUO Authproxy from
> within PF but there is a tiny problem I am not able to overcome and kindly
> ask for help.
>
>
>
> The problem is that RADIUS Authentication for the Shell-Access in PF times
> out so quickly I am hardly able to tap the push notification, open the DUO
> App and Confirm the Login Proccess, regardless to say that authentication
> via Phone Call will be impossible.
>
>
>
> Is there a way to configure a higher value of lets say 15 seconds
> somewhere maybe only for this one Authentication Source which is only used
> for the purpose of 2FA to our switches??
>
> Kind Regards
>
> Benjamin
>
>
>
>
>
> *Benjamin Shirley *. simplicity networks GmbH
>
>
>
> Heinrich-Hertz-Straße 2 . 59302 Oelde . Phone: +49 2522 8330 3124 .
> Mobile: +49 170 9496681
>
> E-Mail: b.shir...@simplicity.ag . Web: www.simplicity.ag
>
> USt-IdNr DE 210993280 . HRB 14936 Münster . Managing Director: Stefan
> Leewe
>
> We operate for *OPUS* and * someday*
>
>
>
> Think before you print!
>
>
>
>
>
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Radius Authentication Source Timeout for 2FA
Hi Fabrice,
thanks for getting back to me. I have tried the settings but that does not solve the problem. Raddebug shows following information:
(8) Fri Apr 15 03:45:53 2022: Debug: Finished request
(7) Fri Apr 15 03:45:56 2022: ERROR: rest: Request failed: 28 - Timeout was reached
(7) Fri Apr 15 03:45:56 2022: ERROR: rest: Server returned no data
(7) Fri Apr 15 03:45:56 2022: Debug: [rest] = fail
(7) Fri Apr 15 03:45:56 2022: Debug: } # if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) = fail
(7) Fri Apr 15 03:45:56 2022: Debug: } # post-auth = fail
(7) Fri Apr 15 03:45:56 2022: Debug: Using Post-Auth-Type Reject
(7) Fri Apr 15 03:45:56 2022: Debug: # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
Hope this information is any good!
Kind regards
Benjamin
Benjamin Shirley
.
simplicity networks GmbH
Heinrich-Hertz-Straße 2 . 59302 Oelde
. Phone: +49 2522 8330 3124 . Mobile: +49 170 9496681
E-Mail:
b.shir...@simplicity.ag . Web:
www.simplicity.ag
USt-IdNr DE 210993280 . HRB 14936 Münster . Managing Director: Stefan Leewe
We operate for
OPUS and someday
Think before you print!
Von: Fabrice Durand
Datum: Freitag, 15. April 2022 um 03:18
An: packetfence-users
Cc: Benjamin Shirley
Betreff: Re: [PacketFence-users] Radius Authentication Source Timeout for 2FA
Hello Benjamin,
first you need to raise the timeout value of the radius-auth service.
You should be able to do it there:
https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/auth.conf.example#L23
and add that:
```
limit {
max_connections = 16
lifetime = 0
idle_timeout = 60
}
```
you probably have to add an option to the duo radius source too, like:
response_timeouts = 30
if it still not work then run raddebug to see where in freeradius it timeout.
raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
Regards
Fabrice
Le jeu. 14 avr. 2022 à 14:22, Benjamin Shirley - Simplicity via PacketFence-users <packetfence-users@lists.sourceforge.net> a écrit :
Hi @all,
trying to bypass an issue i'm having using 2 different radius server (packetfence / duo authproxy) one for admin login purpose (DUO 2FA) and the other beeing packetfence for MAB in
our network environment - which is a known bug in Dell OS6 Network Operating System - I had the idea to simply add the Duo Authproxy as an Radius Authentication Source in Packetfence meaning I only have to configure 1 radius authentication server on our switches.
It works! I am able to proxy the authentication to the DUO Authproxy from within PF but there is a tiny problem I am not able to overcome and kindly ask for help.
The problem is that RADIUS Authentication for the Shell-Access in PF times out so quickly I am hardly able to tap the push notification, open the DUO App and Confirm the Login Proccess,
regardless to say that authentication via Phone Call will be impossible.
Is there a way to configure a higher value of lets say 15 seconds somewhere maybe only for this one Authentication Source which is only used for the purpose of 2FA to our switches??
Kind Regards
Benjamin
Benjamin Shirley
. simplicity networks GmbH
Heinrich-Hertz-Straße 2 . 59302 Oelde . Phone: +49 2522 8330 3124 . Mobile: +49 170 9496681
E-Mail:
b.shir...@simplicity.ag . Web:
www.simplicity.ag
USt-IdNr DE 210993280 . HRB 14936 Münster . Managing Director: Stefan Leewe
We operate for
OPUS and
someday
Think before you print!
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
smime.p7s
Description: S/MIME cryptographic signature
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Radius Authentication Source Timeout for 2FA
Hello Benjamin,
first you need to raise the timeout value of the radius-auth service.
You should be able to do it there:
https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/auth.conf.example#L23
and add that:
```
limit {
max_connections = 16
lifetime = 0
idle_timeout = 60
}
```
you probably have to add an option to the duo radius source too, like:
response_timeouts = 30
if it still not work then run raddebug to see where in freeradius it
timeout.
raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
Regards
Fabrice
Le jeu. 14 avr. 2022 à 14:22, Benjamin Shirley - Simplicity via
PacketFence-users a écrit :
> Hi @all,
>
> trying to bypass an issue i'm having using 2 different radius server
> (packetfence / duo authproxy) one for admin login purpose (DUO 2FA) and the
> other beeing packetfence for MAB in our network environment - which is a
> known bug in Dell OS6 Network Operating System - I had the idea to simply
> add the Duo Authproxy as an Radius Authentication Source in Packetfence
> meaning I only have to configure 1 radius authentication server on our
> switches.
>
>
> It works! I am able to proxy the authentication to the DUO Authproxy from
> within PF but there is a tiny problem I am not able to overcome and kindly
> ask for help.
>
>
> The problem is that RADIUS Authentication for the Shell-Access in PF times
> out so quickly I am hardly able to tap the push notification, open the DUO
> App and Confirm the Login Proccess, regardless to say that authentication
> via Phone Call will be impossible.
>
>
> Is there a way to configure a higher value of lets say 15 seconds
> somewhere maybe only for this one Authentication Source which is only used
> for the purpose of 2FA to our switches??
>
> Kind Regards
>
> Benjamin
>
>
>
>
>
> Benjamin Shirley . simplicity networks GmbH
>
>
>
> Heinrich-Hertz-Straße 2 . 59302 Oelde . Phone: +49 2522 8330 3124 .
> Mobile: +49 170 9496681
>
> E-Mail: b.shir...@simplicity.ag . Web: www.simplicity.ag
>
> USt-IdNr DE 210993280 . HRB 14936 Münster . Managing Director: Stefan
> Leewe
>
> We operate for *OPUS* and *someday*
>
>
> Think before you print!
>
>
>
>
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
[PacketFence-users] Radius Authentication Source Timeout for 2FA
Hi @all, trying to bypass an issue i'm having using 2 different radius server (packetfence / duo authproxy) one for admin login purpose (DUO 2FA) and the other beeing packetfence for MAB in our network environment - which is a known bug in Dell OS6 Network Operating System - I had the idea to simply add the Duo Authproxy as an Radius Authentication Source in Packetfence meaning I only have to configure 1 radius authentication server on our switches. It works! I am able to proxy the authentication to the DUO Authproxy from within PF but there is a tiny problem I am not able to overcome and kindly ask for help. The problem is that RADIUS Authentication for the Shell-Access in PF times out so quickly I am hardly able to tap the push notification, open the DUO App and Confirm the Login Proccess, regardless to say that authentication via Phone Call will be impossible. Is there a way to configure a higher value of lets say 15 seconds somewhere maybe only for this one Authentication Source which is only used for the purpose of 2FA to our switches?? Kind Regards Benjamin Benjamin Shirley . simplicity networks GmbH Heinrich-Hertz-Straße 2 . 59302 Oelde . Phone: +49 2522 8330 3124 . Mobile: +49 170 9496681 E-Mail: b.shir...@simplicity.ag . Web: www.simplicity.ag USt-IdNr DE 210993280 . HRB 14936 Münster . Managing Director: Stefan Leewe We operate for OPUS and someday Think before you print! smime.p7s Description: S/MIME cryptographic signature ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
