Access-challenge timeout on IOS

[Arran Cudbard-Bell]

On 4 Jul 2013, at 22:32, David Mitton <david at mitton.com> wrote:

> Oh for sure...
> I used Cisco 1200s @ RSA and the Windows EAP interfaces
> 
> I was always fighting with the system timing out the authentication before a user would time in a token code.  This frequently takes a minute or more, because people have to get their token, often they wait for the code to change, so they have a minute to read it, then type it in...
> 
> On Windows 7, we had more problems, so I decided to explore some not well understood options of the EAP interface.  Their was on option that supposed to take 60 seconds (so their Tech support told me) I tried it.
> 
> It failed so quickly my head was spinning.  I got out Wireshark and traced the protocol.  When this option was selected, the MS EAP/RADIUS client sent an Session-Timeout value of 6!  That AP killed the session faster than you could type a character.  Removing the option, the value Windows sends is 60.
> 
> If you google hard you will find that some versions of Cisco APs have a command line option to ignore the attribute and allow you to specify your own value.
> Mine honored the command, but did not have it in the Management GUI.
> 
> I believe the "new" Windows EAPhost API now allows the EAP developer to set this value.  But there are other 1 minute timers hardwired into the Windows EAP interface that I had to work around.

Lower levels will time out authentication way before you hit the one minute mark. 15 seconds is the default on most NAS, and then you'll have to tune FreeRADIUS so it doesn't clear out it's EAP session cache.

Just don't use this stuff for 802.1X. Web portals fine, email fine, just not anything to do with EAP, it won't work well. Most devices have support for client certificates, use those instead, they're just as easy to revoke as tokens, and you'll piss the end user off a hell of a lot less.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team