2 Factor Authentication

Dudás Péter peter.pdudas at gmail.com
Thu Jan 5 13:54:42 CET 2017


Dear Stefan!

No, the firewall shows authentication accepted - also Wireshark logs show
accepted connection, NPS also (which proxies the request/answer) shows
accept.
I'm not aware of any timing limitations (as with the SSLVPN I can even wait
for 30s using the same 2nd authentication as for L2TP) - the whole chain
(firewall-Nps-Freeradius) has minimum 30s timeout configured.

Regarding MPPE keys: is there an expiration encoded somehow?

With 'Sleep 3' it is still connected successfully - anything above 3
seconds just makes the L2TP VPN connection unsuccessful.
Checked in the firewall - timeout is 90s.

Thank you!

On 5 January 2017 at 12:48, Stefan Paetow <Stefan.Paetow at jisc.ac.uk> wrote:

> > *It is a timing issue.* I just forwarded the Access Request to another
> > radius server (Domain Controller) which replies immediately - access
> > accepted, VPN client logged in successfully.
> > If I put a 'sleep 10' in the shell script (duo2.sh) before the radtest
> > (please see below) to send the request to the Domain Controller
> > (10.101.168.3), then the VPN connection fails like with the DUO.
>
> Does the NAS have a timing limit on establishing a tunnel? If that's the
> case, I suggest you look at increasing that limit to allow a DUO 2FA to
> happen.
>
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator
>
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at jabber.dev.ja.net
> skype: stefan.paetow.janet
>
> jisc.ac.uk


More information about the Freeradius-Users mailing list