proxy timeout
Matt Zagrabelny
mzagrabe at d.umn.edu
Fri Dec 11 19:20:35 CET 2020
Greetings FR-users,
I am running 3.0.17.
I've got a question about my radius deployment...
Our institution is proxying auth requests to a Duo-enabled RADIUS server
off site. Due to the delay in the WAN, plus the human delay of the 2FA, I
would like to have an appropriately configured timeout for the proxy. I am
thinking 60 seconds. Is that value too large?
Attempting to change the timeout for the proxy yields a message that I
cannot set the value to 60 seconds:

    WARNING: Ignoring "response_window = 60.000000", forcing to "response_window = 30.000000"

Here is my config:

    home_server radius_1 {
        type = auth
        ipaddr = 10.0.0.1
        secret = REMOVED
        require_message_authenticator = yes
        response_window = 60
    }

According to the docs it looks like it should accept 60:

    # The response window can be a number between 0.001 and 60.000
    # Values on the low end are discouraged, as they will likely
    # not work due to limitations of operating system timers.
    #
    # The default response window is large because responses may
    # be slow, especially when proxying across the Internet.
    #
    # Useful range of values: 5 to 60
    response_window = 30

Is response_window the right config parameter for adjusting the proxy
timeout?
Is the 30-second limitation a bug? Or is the documentation wrong? Or is the
issue corrected in a more recent release?
Thanks for the help!
-m