[strongSwan] eap-radius authentication timeout

Jan Tyma jantymaa at gmail.com
Tue Sep 16 15:10:38 CEST 2014

Hi Martin,

Thanks for your answer, I'll build a new package then, and see what
happens with changed timeout values. Are there plans to make this a
configuration value?

The second factor is authenticating with a RADIUS proxy. The proxy
forwards the entered username and password to the RADIUS user
authentication server, starts the second factor auth and waits for the
results, with a timeout of 60 seconds. The end result is the answer to
the StrongSwan RADIUS request. If the second factor is not accepted
during this 15 second window, the authentication fails, because
EAP-Radius times out.



On Tue, Sep 16, 2014 at 2:42 PM, Martin Willi <martin at strongswan.org> wrote:
> Hi,
>> Is there an option to set the eap-radius plugin authentication timeout /
>> retransmit period?
> No, these values are currently hardcoded, you may change them at [1].
>> I am using StrongSwan with FreeRadius (and LDAP), problem is that
>> authentication requests time out after about 15 seconds. This makes e.g.
>> two-factor authentication inconvenient to use.
> I don't understand why two factor authentication should be an issue.
> According to your log, the RADIUS server does not respond to the
> authentication request, and the retransmission times out. Why does
> processing the RADIUS request take longer than 14s, given that there is
> no user intervention at this stage?
> Regards
> Martin
> [1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libradius/radius_socket.c;h=f432151c;hb=HEAD#l165

More information about the Users mailing list