On Mon, 2020-07-13 at 19:13 +0000, Sergiy Genyuk via FreeIPA-users wrote:
> Radius server is DUO so when in FreeIPA radius server set it sends
> Access-Request to the DUO Radius server DUO check password against AD and
> then push Accept message to the user mobile app... then returns
> Access-Accept message back to FreeIPA.
>
> Of course it takes some time so I have set up a timeout in Radius section in the
> FreeIPA config but that does not work. With any settings default timeout is
> 5 seconds :-(
>
> Now I am looking for help as my users are not so happy with 5 sec timeout :-)

FreeIPA's OTP support is not compatible with challenge-response mechanisms that require user interaction, like DUO. The timeout is baked into too many layers.

I think DUO tokens can be configured to provide an OTP number in the app directly before starting the authentication and w/o requiring additional user confirmation; if this is an option you should use it.

IIRC, I may be wrong, I'll let others correct me if that is the case.

Simo.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc