Problem: Good morning, I am trying to perform a 2FA after a correct validation with MSCHAP against active directory, the postauth executes a script that sends an email with a link to confirm and authorize access, when the link is clicked, access is authorized based on data meanwhile the script with a while waits for the access to be confirmed but freeradius doesn't wait and gives me the following error: (0) Executing: /bin/bash /etc/freeradius/3.0/otp/enviar2FA.sh %{User-Name}: (0) EXPAND %{User-Name} (0) --> xxx Child PID 17681 is taking too much time: forcing failure and killing child. (0) ERROR: Failed to read from child output Debug output: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (0) mschap: --> --username=xxx (0) mschap: mschap1: 76 (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (0) mschap: --> --challenge=7698262ed349f8f8 (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (0) mschap: --> --nt-response=d3ad349cc72bd9f1e9e835f73294102da06097b5f6158d4c (0) mschap: Program returned code (0) and output 'NT_KEY: D0ACA7FDF078A8FEBD326F3E18523349' (0) mschap: adding MS-CHAPv1 MPPE keys (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (0) update { (0) No attributes updated for RHS &session-state: (0) } # update = noop (0) [exec] = noop (0) update control { (0) Session-Timeout := 7200 (0) Executing: /bin/bash /etc/freeradius/3.0/otp/enviar2FA.sh %{User-Name}: (0) EXPAND %{User-Name} (0) --> xxx Child PID 17593 is taking too much time: forcing failure and killing child. (0) ERROR: Failed to read from child output (0) } # update control = fail (0) } # post-auth = fail (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> xxx (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop Config section: # Post-Authentication once we KNOW that the user has been authenticated, there are additional steps we can take.and get timeout error. post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY Session-Timeout := 7200 } } update { &reply: += &session-state: } -sql exec update control { Session-Timeout := 7200 Auth-Type := `/bin/bash /etc/freeradius/3.0/otp/enviar2FA.sh %{User-Name}` } remove_reply_message_if_eap Post-Auth-Type REJECT { # log failed authentications in SQL, too. -sql attr_filter.access_reject # Insert EAP-Failure message if the request was # rejected by policy instead of because of an # authentication failure eap # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap } # # Filter access challenges. # Post-Auth-Type Challenge { # remove_reply_message_if_eap # attr_filter.access_challenge.post-auth } Post-Auth-Type Client-Lost { } if (EAP-Key-Name && &reply:EAP-Session-Id) { update reply { &EAP-Key-Name := &reply:EAP-Session-Id } } } Regards, Kamal