[strongSwan] eap-radius authentication timeout

[Jan Tyma]

Hello All,

Is there an option to set the eap-radius plugin authentication timeout /
retransmit period?

I am using StrongSwan with FreeRadius (and LDAP), problem is that
authentication requests time out after about 15 seconds. This makes e.g.
two-factor authentication inconvenient to use.

Sep 16 12:55:19 charon: 01[ENC] parsed IKE_AUTH request 5 [
EAP/RES/MSCHAPV2 ]
Sep 16 12:55:19 charon: 01[CFG] sending RADIUS Access-Request to server
'x.x.x.x'
[auth request started here]
Sep 16 12:55:21 charon: 12[MGR] ignoring request with ID 5, already
processing
Sep 16 12:55:21 charon: 01[CFG] retransmitting RADIUS message
Sep 16 12:55:24 charon: 14[MGR] ignoring request with ID 5, already
processing
Sep 16 12:55:24 charon: 01[CFG] retransmitting RADIUS message
Sep 16 12:55:28 charon: 01[CFG] retransmitting RADIUS message
Sep 16 12:55:29 charon: 11[MGR] ignoring request with ID 5, already
processing
Sep 16 12:55:33 charon: 01[CFG] retransmitting RADIUS message
Sep 16 12:55:33 charon: 01[CFG] RADIUS server is not responding
Sep 16 12:55:33 charon: 01[IKE] EAP method EAP_MSCHAPV2 failed for peer
x.x.x.x
Sep 16 12:55:33 charon: 01[ENC] generating IKE_AUTH response 5 [ EAP/FAIL ]

Leaving out charon and authenticating only through Radius+LDAP, the timeout
can be increased:

$ echo "User-Name=test,Password=foobarbaz" | radclient x.x.x.x:1812 auth
testing123 -x -t 10 -r 6

In this case, each Radius Access-Request times out after 10 seconds, the
whole session after 60 seconds.

Any way to increase this value in StrongSwan to something like 60 seconds
to be in line with Windows 7's VPN client?

Best Regards,

Jan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140916/d6123826/attachment.html>