Access-challenge timeout on IOS
david at mitton.com
Thu Jul 4 23:32:41 CEST 2013
Oh for sure...
I used Cisco 1200s @ RSA and the Windows EAP interfaces
I was always fighting with the system timing out the authentication
before a user would time in a token code. This frequently takes a
minute or more, because people have to get their token, often they
wait for the code to change, so they have a minute to read it, then
type it in...
On Windows 7, we had more problems, so I decided to explore some not
well understood options of the EAP interface. Their was on option
that supposed to take 60 seconds (so their Tech support told me) I
It failed so quickly my head was spinning. I got out Wireshark and
traced the protocol. When this option was selected, the MS EAP/RADIUS
client sent an Session-Timeout value of 6! That AP killed the session
faster than you could type a character. Removing the option, the
value Windows sends is 60.
If you google hard you will find that some versions of Cisco APs have
a command line option to ignore the attribute and allow you to specify
your own value.
Mine honored the command, but did not have it in the Management GUI.
I believe the "new" Windows EAPhost API now allows the EAP developer
to set this value. But there are other 1 minute timers hardwired into
the Windows EAP interface that I had to work around.
Quoting Phil Mayers <p.mayers at imperial.ac.uk>:
> On 04/07/13 14:34, David Mitton wrote:
>> Quoting Phil Mayers <p.mayers at imperial.ac.uk>:
>>> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>>>> Session-timeout and Idle-timeout are attributes mentioned by the cisco
>>>> docs but neither of these seem to be what I'm after.
>>> Neither are relevant; they're for established sessions, not timeouts in
>>> *establishing* one.
>> Actually, that is incorrect Session-Timeout _is_ used to control the
>> authentication timeout, when in the initial AccReq. I'd quote the RFC,
>> but I'm not at home. The *-Timeouts in the Acc-Accept control the session.
> Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869.
> However - does any equipment actually *honour* this? Also, I note the
> wording is very loose indeed - no MUST.
> List info/subscribe/unsubscribe? See
More information about the Freeradius-Users