Access-challenge timeout on IOS
David Mitton
david at mitton.com
Thu Jul 4 23:32:41 CEST 2013
Oh for sure...
I used Cisco 1200s @ RSA and the Windows EAP interfaces
I was always fighting with the system timing out the authentication
before a user would type in a token code. This frequently takes a
minute or more, because people have to get their token, often they
wait for the code to change, so they have a minute to read it, then
type it in...
On Windows 7, we had more problems, so I decided to explore some not
well understood options of the EAP interface. There was an option
that was supposed to take 60 seconds (so their tech support told me). I
tried it.
It failed so quickly my head was spinning. I got out Wireshark and
traced the protocol. When this option was selected, the MS EAP/RADIUS
client sent a Session-Timeout value of 6! That AP killed the session
faster than you could type a character. Removing the option, the
value Windows sends is 60.
If you google hard you will find that some versions of Cisco APs have
a command line option to ignore the attribute and allow you to specify
your own value.
Mine honored the command, but did not have it in the Management GUI.
I believe the "new" Windows EAPhost API now allows the EAP developer
to set this value. But there are other 1 minute timers hardwired into
the Windows EAP interface that I had to work around.
Dave.
Quoting Phil Mayers <p.mayers at imperial.ac.uk>:
> On 04/07/13 14:34, David Mitton wrote:
>> Quoting Phil Mayers <p.mayers at imperial.ac.uk>:
>>
>>> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>>>> Hi,
>> ....
>>>
>>>>
>>>> Session-timeout and Idle-timeout are attributes mentioned by the cisco
>>>> docs but neither of these seem to be what I'm after.
>>>
>>> Neither are relevant; they're for established sessions, not timeouts in
>>> *establishing* one.
>>> -
>> Actually, that is incorrect Session-Timeout _is_ used to control the
>> authentication timeout, when in the initial AccReq. I'd quote the RFC,
>> but I'm not at home. The *-Timeouts in the Acc-Accept control the session.
>>
>
> Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869.
>
> However - does any equipment actually *honour* this? Also, I note the
> wording is very loose indeed - no MUST.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
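As an added illustration (not part of the thread and not FreeRADIUS code), here is a small Python encoder/decoder for the attribute the Wireshark trace above showed: it builds an Access-Challenge carrying Session-Timeout (attribute 27, RFC 2865 5.27, the per-challenge meaning discussed in RFC 2869 2.3.2), parses it back, and flags a value too short for a user to read and type a token code. The identifier, request authenticator and shared secret are constructed sample values.

```python
import hashlib
import struct

ACCESS_CHALLENGE = 11        # RFC 2865 section 4.4
ATTR_REPLY_MESSAGE = 18      # RFC 2865 5.18
ATTR_STATE = 24              # RFC 2865 5.24
ATTR_SESSION_TIMEOUT = 27    # RFC 2865 5.27: integer, seconds

def build_access_challenge(identifier, request_auth, secret, timeout,
                           state=b"", message=b""):
    """Access-Challenge carrying Session-Timeout, with optional State/Reply-Message."""
    attrs = b""
    if message:
        attrs += struct.pack("!BB", ATTR_REPLY_MESSAGE, 2 + len(message)) + message
    if state:
        attrs += struct.pack("!BB", ATTR_STATE, 2 + len(state)) + state
    attrs += struct.pack("!BBI", ATTR_SESSION_TIMEOUT, 6, timeout)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def parse_attributes(packet):
    """Walk the TLV attribute list; returns (code, {type: [raw value, ...]})."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def challenge_session_timeout(packet):
    """Session-Timeout in seconds from an Access-Challenge, or None if absent."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_CHALLENGE or ATTR_SESSION_TIMEOUT not in attrs:
        return None
    return struct.unpack("!I", attrs[ATTR_SESSION_TIMEOUT][0])[0]

def timeout_too_short(packet, minimum=60):
    """True when the NAS would drop the challenge before a user can type a token code."""
    timeout = challenge_session_timeout(packet)
    return timeout is not None and timeout < minimum
```

Run `timeout_too_short()` over challenges captured from the RADIUS client (or emitted by your server) to spot the 6-second case described above before users start hitting it.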