Netgate Discussion Forum
Configuring Radius Authentication Timeout

    MrSteve
    last edited by Feb 12, 2012, 1:02 PM

    Hello,

    I am trying to use Duo Security with their "push" authentication, which can take quite a while. Is there a way to configure how long pfSense waits for a Radius authentication server before assuming failure?

    I've set up a Radius authentication server in pfSense to talk to a Duo Authentication Proxy to provide Authentication services. If I use this setup with pass codes generated in advance by Duo Security it all works well, I can authenticate, the VPN connects and traffic flows.

    With "push" security I cannot connect. The connection attempt in the client times out before I can complete the push authentication in the Duo client. The logs for the Duo Proxy Authentication record that everything was successful, but the time stamps show that it completed after the timeout in the VPN client.

    I also get the same timeout problem if I use Diagnostics->Authentication in pfSense - it reports failure long before I've completed the Duo push authentication. Again the logs for the Duo Authentication Proxy show success.

    Regards,
    Steve.

      ApolloDS
      last edited by May 18, 2012, 6:27 AM

      Hi
      Same problem here.
      I'm also searching for a possibility to increase the RADIUS timeout since using DUO Security via RADIUS.

      Anyone have a hint how to increase timeout?

      Peter

        Nachtfalke
        last edited by May 18, 2012, 6:40 AM

        This is from the radiusd.conf

        #  max_request_time: The maximum time (in seconds) to handle a request.
        #
        #  Requests which take more time than this to process may be killed, and
        #  a REJECT message is returned.
        #
        #  WARNING: If you notice that requests take a long time to be handled,
        #  then this MAY INDICATE a bug in the server, in one of the modules
        #  used to handle a request, OR in your local configuration.
        #
        #  This problem is most often seen when using an SQL database.  If it takes
        #  more than a second or two to receive an answer from the SQL database,
        #  then it probably means that you haven't indexed the database.  See your
        #  SQL server documentation for more information.
        #
        #  Useful range of values: 5 to 120
        #
        max_request_time = 30
        

        If you are using the freeradius2 package on pfSense then you can increase this on SERVICE -> FREERADIUS -> SETTINGS.
        But I am not sure if this will help to solve your problem.

          fatsailor
          last edited by Jun 8, 2012, 10:53 PM

          Did either of you get this to work? I'm considering adding Duo as well... but if you didn't get it working I probably won't try.

            MrSteve
            last edited by Jun 10, 2012, 8:29 PM

            Alas I did not find a way to make this work.

              jaketexas
              last edited by Jun 23, 2012, 3:47 PM

              @MrSteve:

              Hello,

              I am trying to use Duo Security with their "push" authentication, which can take quite a while. Is there a way to configure how long pfSense waits for a Radius authentication server before assuming failure?

              I've set up a Radius authentication server in pfSense to talk to a Duo Authentication Proxy to provide Authentication services. If I use this setup with pass codes generated in advance by Duo Security it all works well, I can authenticate, the VPN connects and traffic flows.

              With "push" security I cannot connect. The connection attempt in the client times out before I can complete the push authentication in the Duo client. The logs for the Duo Proxy Authentication record that everything was successful, but the time stamps show that it completed after the timeout in the VPN client.

              I also get the same timeout problem if I use Diagnostics->Authentication in pfSense - it reports failure long before I've completed the Duo push authentication. Again the logs for the Duo Authentication Proxy show success.

              Regards,
              Steve.

              Steve, would you mind sharing how you set up duo authentication with VPN?

                SwitchDK
                last edited by Oct 15, 2012, 3:41 PM

                Hi all,

                Although this thread is slightly old, I still thought it would be worthwhile to post my solution. In summary, pfSense 2.x on ALIX hardware using OpenVPN with DuoSecurity PUSH authentication is working (for me) and hopefully the following notes will help :D

                The following setup works for the three forms of authentication from DuoSecurity - PUSH, Call and SMS.

                • I used a server, separate from pfSense, to run the DuoSecurity RADIUS proxy, FreeRADIUS and authentication database (UNIX). Once you have identified the server, follow these instructions on DuoSecurity's website: http://www.duosecurity.com/docs/radius

                • During the DuoSecurity Generic RADIUS configuration, follow the instructions for RADIUS (not Active Directory) and add the IP address of pfSense (not hostname) as a RADIUS client

                • Test the RADIUS installation locally as suggested by DuoSecurity and be certain it is working before continuing

                • Add the RADIUS details in pfSense:

                • Go to System -> User Manager -> Servers

                • Add the RADIUS client with the RADIUS secret you set during DuoSecurity proxy configuration. Set Services offered: to Authentication.

                • Save

                • Test authentication via DuoSecurity SMS only (PUSH won't work yet) by going to Diagnostics -> Authentication. Password is in the format <password>,sms and if you already have the SMS OTPs, the format is e.g. <password>,A123456. Once this is working, you can continue with the final steps.

                • To set the RADIUS client timeout and retry limit to the values recommended by DuoSecurity, do the following:

                • In pfSense, select Diagnostics -> Edit File

                • Press Browse and select /etc/inc/radius.inc

                NOTE: If the editing window is grey and you can't edit the file, you will have to amend the file via SSH, making the file system writeable by typing:
                mount -u -w /dev/ufs/<pfsense_partition>
                To make it read-only after the change, type:
                mount -u -r /dev/ufs/<pfsense_partition>

                • In the editor, find the lines:
                function addServer($servername = 'localhost', $port = 0, $sharedSecret = 'testing123', $timeout = 3, $maxtries = 3) 
                function putServer($servername, $port = 0, $sharedsecret = 'testing123', $timeout = 3, $maxtries = 3)
                
                
                • Change the timeout and maxtries values to the DuoSecurity recommended values e.g.:
                function addServer($servername = 'localhost', $port = 0, $sharedSecret = 'testing123', $timeout = 10, $maxtries = 10)
                function putServer($servername, $port = 0, $sharedsecret = 'testing123', $timeout = 10, $maxtries = 10)
                
                
                • Save the changes

                • Test authentication via DuoSecurity PUSH by going to Diagnostics -> Authentication. Password is in the format <password>,push

                • Hopefully it works.
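
The radius.inc edit described in the post above, written as a repeatable script with a backup and a verification step. This is an added example, not part of the original post or of pfSense: the function names `radius_defaults` and `set_radius_defaults` are made up here, the signatures are assumed to match the two quoted lines exactly, and the printed worst-case wait assumes the client sends up to maxtries requests and waits timeout seconds for each.

```shell
#!/bin/sh
# Added example: inspect and change the RADIUS client defaults in radius.inc.
# Assumption: the signatures match the two lines quoted in the post exactly.
SIG_RE='function (addServer|putServer)\('

# Print "name timeout maxtries worst_case_seconds" per signature.
# Assumption: worst case = timeout * maxtries (one server, no reply at all).
radius_defaults() {
    sed -nE "/$SIG_RE/ s/.*function ([A-Za-z]+)\(.*\\\$timeout = ([0-9]+), \\\$maxtries = ([0-9]+).*/\1 \2 \3/p" "$1" |
    while read -r name t m; do
        echo "$name $t $m $((t * m))"
    done
}

# Rewrite both defaults; keep a one-time backup as FILE.orig and verify.
set_radius_defaults() {
    file=$1 t=$2 m=$3
    for v in "$t" "$m"; do
        case "$v" in
            ''|*[!0-9]*) echo "timeout and maxtries must be integers" >&2; return 2 ;;
        esac
    done
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    tmp=$(mktemp /tmp/radius_inc.XXXXXX) || return 1
    sed -E "/$SIG_RE/ s/\\\$timeout = [0-9]+, \\\$maxtries = [0-9]+/\$timeout = $t, \$maxtries = $m/" \
        "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rm -f "$tmp"
    # Both signatures must now report exactly the requested values.
    [ "$(radius_defaults "$file" | grep -cE "^[A-Za-z]+ $t $m [0-9]+\$")" -eq 2 ]
}

# Demo on a constructed file holding the two signatures quoted in the post.
demo=$(mktemp /tmp/radius_demo.XXXXXX)
cat > "$demo" <<'EOF'
function addServer($servername = 'localhost', $port = 0, $sharedSecret = 'testing123', $timeout = 3, $maxtries = 3)
function putServer($servername, $port = 0, $sharedsecret = 'testing123', $timeout = 3, $maxtries = 3)
EOF
radius_defaults "$demo"
set_radius_defaults "$demo" 10 10 && radius_defaults "$demo"
rm -f "$demo" "$demo.orig"
# On the firewall itself: set_radius_defaults /etc/inc/radius.inc 10 10
```

Under the stated assumption the stock defaults give up after about 9 seconds and the edited ones after about 100, which is the window a push approval has to fit into.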
