Session-Timeout in Access-Challenge (that contains EAP-Message)

David Mitton david at mitton.com
Wed Jul 8 16:20:26 CEST 2009


Alan,
      They most certainly do!

      I just debugged a case where the Cisco 1200 takes the 30s Session-Timeout that the Microsoft IAS server sends and treats it as a response timeout. (It then aborts the authentication, which I believe is wrong, but that's another story.)
When doing a SecurID authentication with user input of a 60s token OTP, the default 30s is "inadequate".
Cisco does document the way to extend or override this behavior.

       The Session-Timeout on Access-Challenges for EAP should be a separate "design" somehow.
In the older MS RasEap API, it was crudely based on the type of Send action the EAP server used.
In the newer MS EAPHost API, the EAP server code has direct control.

I don't know how your EAP modules interface to the RADIUS server proper, but a method that is expecting interactive user control _will_ want to create some slack here.  

      Not all EAP methods complete in a short time.

Dave.



On Jul 8, 2009, aland at deployingradius.com wrote:


Gong Cheng wrote:
> Hi,
>     I wonder if there is a way
> - not to include "Session-Timeout" value intended for Access-Accept in
> Access-Challenge messages?

 In 2.1.7, see raddb/sites-available/default.  Look for
Access-Challenge.  There is sample configuration.

> - or to configure a different Session-Timeout value for Access-Challenges
> (which contain EAP-Message)?
> 
> This is about the following section in RFC3579 where Session-Timeout in
> Access-Challenge is used to influence EAP retransmission behavior.

 I'm not sure any AP supports that.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
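
The following is an added example, not code from the thread or from FreeRADIUS: a small check that parses a captured RADIUS packet and reports the Session-Timeout carried in an Access-Challenge that also contains an EAP-Message, so it can be compared with the time an interactive method needs (the 60s token case above). The function names and the sample packet are constructed for illustration.

```python
import struct

ACCESS_CHALLENGE = 11      # RADIUS packet code (RFC 2865)
ATTR_SESSION_TIMEOUT = 27  # RFC 2865
ATTR_EAP_MESSAGE = 79      # RFC 3579

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        # Each attribute is Type (1), Length (1, includes header), Value.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def challenge_timeout(packet: bytes):
    """Session-Timeout (seconds) in an EAP Access-Challenge, else None."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_CHALLENGE or ATTR_EAP_MESSAGE not in attrs:
        return None
    values = attrs.get(ATTR_SESSION_TIMEOUT)
    if not values or len(values[0]) != 4:
        return None
    return struct.unpack("!I", values[0])[0]

def too_short_for_user(packet: bytes, needed_seconds: int) -> bool:
    """True when the challenge's timeout is below what the user needs."""
    timeout = challenge_timeout(packet)
    return timeout is not None and timeout < needed_seconds

def build_packet(code: int, attributes) -> bytes:
    """Constructed sample data: a packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed EAP-Request (code 1, id 7, length 5, type 6 = Generic Token Card)
EAP_REQUEST = bytes([1, 7, 0, 5, 6])
SAMPLE_CHALLENGE = build_packet(ACCESS_CHALLENGE, [
    (ATTR_EAP_MESSAGE, EAP_REQUEST),
    (ATTR_SESSION_TIMEOUT, struct.pack("!I", 30)),
])
```

Run against packets taken from a capture between the access point and the RADIUS server, `too_short_for_user(packet, 60)` flags the challenges whose timeout would expire before a user can enter a token code.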



