From: Arran Cudbard-Bell Date: Mon, 27 Feb 2023 00:44:44 +0000 (-0600) Subject: radius: Increase radius Access-Request timeouts significantly X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f9808905ff8652102f6c50093fbc6ae7f5c5d2a;p=thirdparty%2Ffreeradius-server.git radius: Increase radius Access-Request timeouts significantly So we can use NPS as an MFA gateway --- diff --git a/raddb/mods-available/radius b/raddb/mods-available/radius index 3215ac13ea5..72a6b982cf3 100644 --- a/raddb/mods-available/radius +++ b/raddb/mods-available/radius @@ -425,14 +425,14 @@ radius { # initial_rtx_time:: If there is no response within this time, # the module will retransmit the packet. # - # Value should be `1..5`. + # Value should be `1..120`. # initial_rtx_time = 2 # # max_rtx_time:: The maximum time between retransmissions. # - # Value should be `5..30` + # Value should be `5..120` # max_rtx_time = 16 @@ -449,7 +449,7 @@ radius { # max_rtx_count:: How many times the module will send the packet # before giving up. # - # Value should be `1..20` _(0 == retransmit forever)_ + # Value should be `1..10` _(0 == retransmit forever)_ # max_rtx_count = 2 @@ -457,9 +457,9 @@ radius { # max_rtx_duration:: The total length of time the module will # try to retransmit the packet. # - # Value should be `5..60` + # Value should be `5..240` # - max_rtx_duration = 30 + max_rtx_duration = 5 } # 
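Review bot: In the @@ -449 hunk the Access-Request `max_rtx_count` text is changed to `Value should be `1..10` _(0 == retransmit forever)_`, but the bound check kept in the rlm_radius.c hunk (@@ -546) enforces `mrc >= 1` for Access-Request, so a configured 0 cannot mean "retransmit forever" for this packet type if FR_INTEGER_BOUND_CHECK clamps or rejects the value as its name suggests. The parenthetical appears to have been carried over from a packet type that allows 0. Either drop it here, `#  Value should be `1..10``, or state what actually happens when 0 is configured for Access-Request. The `1..20` to `1..10` correction itself matches the `mrc <= 10` check.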
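Review bot: In the @@ -457 hunk the default changes from `max_rtx_duration = 30` to `max_rtx_duration = 5` while the comment directly above it is widened to `5..240` and the subject line says the timeouts are increased. 5 is exactly the minimum the rlm_radius.c bound check accepts (`mrd >= fr_time_delta_from_sec(5)`), and with `initial_rtx_time = 2` it leaves room for at most one retransmission before the request is given up, which is shorter than before, not longer, and would time out well before a user completes an MFA prompt on the upstream. This looks like a typo; if 5 s is intended as the shipped default, the commented range and the reason for a minimum default need a sentence explaining it, otherwise `max_rtx_duration = 30` (or a larger value matching the new rationale) is what the surrounding text describes.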
@@ -471,9 +471,35 @@ radius { # max_rtx_count = 0 # Accounting-Request { + # + # initial_rtx_time:: If there is no response within this time, + # the module will retransmit the packet. + # + # Value should be `1..3`. + # initial_rtx_time = 2 + + # + # max_rtx_time:: The maximum time between retransmissions. + # + # Value should be `5..30` + # max_rtx_time = 16 + + # + # max_rtx_count:: How many times the module will send the packet + # before giving up. + # + # Value should be `1..10` _(0 == retransmit forever)_ + # max_rtx_count = 5 + + # + # max_rtx_duration:: The total length of time the module will + # try to retransmit the packet. + # + # Value should be `5..30` + # max_rtx_duration = 30 } diff --git a/src/modules/rlm_radius/rlm_radius.c b/src/modules/rlm_radius/rlm_radius.c index 4239b94bcee..10731db7529 100644 --- a/src/modules/rlm_radius/rlm_radius.c +++ b/src/modules/rlm_radius/rlm_radius.c 
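Review bot: The ranges added for Accounting-Request (`1..3` for initial_rtx_time, `5..30` for max_rtx_time and max_rtx_duration) are documentation only, since every added line is commented out, and the bound checks they describe are not part of this commit: the rlm_radius.c hunk touches only the Access-Request checks, so these values cannot be confirmed against the code here. Because the Access-Request ranges in the same file were just widened to 120/240, a reader may assume the accounting ones are stale; a one-line note above the block, such as `#  Accounting-Request packets are not held for MFA, so the shorter ranges still apply`, would prevent that. It is also worth double-checking the stated ranges against the Accounting-Request FR_*_BOUND_CHECK lines before merging, since a mismatch there is exactly what the @@ -449 hunk is correcting for Access-Request.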
@@ -546,10 +546,21 @@ static int mod_bootstrap(module_inst_ctx_t const *mctx)
 FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, >=, 1);
 FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, >=, fr_time_delta_from_sec(5));
- FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, <=, fr_time_delta_from_sec(3));
- FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, <=, fr_time_delta_from_sec(30));
+ /*
+ * initial and max rtx times are significantly
+ * higher for authentication packets, because
+ * in some cases we're proxying to another RADIUS
+ * which is performing MFA on our behalf and waiting
+ * for user input.
+ *
+ * We can afford to wait this long because the
+ * module is fully async, and the requests will
+ * sleep until they're work up.
+ */
+ FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, <=, fr_time_delta_from_sec(120));
+ FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, <=, fr_time_delta_from_sec(120));
 FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, <=, 10);
- FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, <=, fr_time_delta_from_sec(30));
+ FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, <=, fr_time_delta_from_sec(240));
 }
 /*
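Review bot: The new comment has a typo, `sleep until they're work up` should read `sleep until they're woken up`. More substantively, the rationale explains why one request can afford to wait, but not what bounds the number of requests parked for up to the new `max_rtx_duration` ceiling of 240 s: each unanswered proxied Access-Request now holds its request state, RADIUS ID and socket slot for up to eight times longer than the previous 30 s cap, so an upstream that stops answering ties up proportionally more of those resources per unit of inbound load. If the module's outstanding-request limits or per-connection ID pool already bound this, the comment should say so; if not, it should be called out as an operational consideration next to the raised limits, since that is the failure mode a deployer hits when the MFA gateway is slow or down. The config text advertises `5..120` for max_rtx_time but only the `<= 120` check is visible here; the lower bound is presumably enforced elsewhere in mod_bootstrap, which continues outside the hunk.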