On Dec 11, 2020, at 1:20 PM, Matt Zagrabelny via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Our institution is proxying auth requests to a Duo enabled RADIUS server off site. Due to the delay in the WAN, plus the human delay of the 2FA I would like to have an appropriate configured timeout for the proxy. I am thinking 60 seconds. Is that value too large?
Yes. Most NAS equipment will give up after 30s or so.
Attempting to change the timeout for the proxy yields a message that I cannot set the value to 60 seconds:
WARNING: Ignoring "response_window = 60.000000", forcing to "response_window = 30.000000"
Yes.
According to the docs it looks like it should accept 60:
It does, mostly. But if you have "max_request_time = 30", then the request will time out after 30s. So that's why the response_window is capped. The solution is to change *both* settings. But.... Most NAS equipment will give up after 30s or so. So changing this in FreeRADIUS *might* help, but also might not do anything. Alan DeKok.