aland at deployingradius.com
Sat Dec 12 15:40:07 CET 2020
On Dec 11, 2020, at 1:20 PM, Matt Zagrabelny via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Our institution is proxying auth requests to a Duo enabled RADIUS server
> off site. Due to the delay in the WAN, plus the human delay of the 2FA I
> would like to have an appropriate configured timeout for the proxy. I am
> thinking 60 seconds. Is that value too large?
Most NAS equipment will give up after 30s or so.
> Attempting to change the timeout for the proxy yields a message that I
> cannot set the value to 60 seconds:
> WARNING: Ignoring "response_window = 60.000000", forcing to
> "response_window = 30.000000"
> According to the docs it looks like it should accept 60:
It does, mostly.
But if you have "max_request_time = 30", then the request will time out after 30s. So that's why the response_window is capped.
The solution is to change *both* settings. But....
Most NAS equipment will give up after 30s or so. So changing this in FreeRADIUS *might* help, but also might not do anything.
More information about the Freeradius-Users