SSL VPN Client AUTH timeout
Hi,
Is this configurable beyond the default 30 seconds?
It causes AUTH to fail with MFA when the response is a little slow, and the workaround below is not overly useful.
Note: The official SSL VPN WatchGuard client times out after a maximum of 30 seconds during authentication. If your users require more than 30 seconds to launch the LoginTC mobile app and approve the LoginTC request, we recommend instructing your users to open the LoginTC mobile app on their device prior to authenticating. Your users may then refresh the app right after they enter their username and password and approve the request within 30 seconds.
Hi @PGIT
That setting will be in the RADIUS settings, where you set up that authentication server. You'll want to modify the 'timeout' setting.
(RADIUS Server)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/radius_server_auth_about_c.html
Thank you,
-James Carson
WatchGuard Customer Support
RADIUS server timeout set to 90 secs, but client times out after 30.
Hi @PGIT
I'd suggest opening a case so that one of our support team can take a look at it with you.
-James Carson
WatchGuard Customer Support
Hi, I have opened a case, but it appears to be a challenge for the tech to understand the issue.
If after some point in time you seem to make no progress with the WG rep, you can ask for escalation.
Hi @PGIT
What's the case number? I can ask the tech support team to push it along if that's helpful.
In addition to the above, SSLVPN's timeout isn't 30 seconds, it's 1 minute. It will act faster if it gets an authentication reject, which sounds like it might be happening. That can be verified via logs on the firewall, as well as packet captures of the RADIUS traffic from the LoginTC server.
Thank you,
-James Carson
WatchGuard Customer Support
Hi, how do you capture all RADIUS traffic on the firewall?
You can use TCP Dump to capture all of the traffic from a specific IP address.
FSM:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
Web UI:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/stats_diagnostics_tasks_web.html
Hi, it can be clearly seen from a TCP dump that the client disconnects after 30 seconds without a reject being sent from NPS to the FW. I have confirmed the RADIUS timeout is 90 seconds and the Azure MFA timeout is 60 seconds.
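
Added example, not part of the thread and not WatchGuard or LoginTC tooling: a small Python sketch of the check discussed above, pairing each RADIUS Access-Request in a capture with its reply to show whether a reject was actually sent or the request simply went unanswered. The function names and the sample packets are constructed for illustration; it assumes you have already extracted the UDP payloads and timestamps from the capture.

```python
import struct

# RADIUS packet codes defined in RFC 2865.
CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}

def parse_header(payload):
    """Return (code, identifier) from a RADIUS UDP payload, or None if malformed."""
    if len(payload) < 20:                      # 4-byte header + 16-byte authenticator
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):   # declared length must fit the datagram
        return None
    return code, ident

def summarize(packets):
    """Pair each Access-Request with its first reply, keyed by RADIUS identifier.

    packets: iterable of (timestamp_seconds, udp_payload) in capture order.
    Simplification: assumes identifiers are not reused within the capture window.
    """
    seen = {}
    for ts, payload in packets:
        hdr = parse_header(payload)
        if hdr is None:
            continue
        code, ident = hdr
        if code == 1:
            entry = seen.setdefault(ident, {"first": ts, "sends": 0,
                                            "outcome": "no-response", "elapsed": None})
            entry["sends"] += 1                # retransmissions keep the same identifier
        elif ident in seen and seen[ident]["outcome"] == "no-response":
            seen[ident]["outcome"] = CODES.get(code, f"code-{code}")
            seen[ident]["elapsed"] = ts - seen[ident]["first"]
    return seen

def _pkt(code, ident):
    """Build a minimal 20-byte RADIUS packet with a zeroed authenticator (test data only)."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed sample: request 7 is retransmitted and never answered,
# request 8 is rejected after 2.5 seconds.
SAMPLE = [(0.0, _pkt(1, 7)), (10.0, _pkt(1, 7)), (20.0, _pkt(1, 7)),
          (40.0, _pkt(1, 8)), (42.5, _pkt(3, 8))]

if __name__ == "__main__":
    for ident, info in summarize(SAMPLE).items():
        print(ident, info)
```

An outcome of `no-response` with several sends means the authentication server never answered that request, while `Access-Reject` with a short elapsed time means the server actively refused it.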