Hello, I have patched ocserv and rebuilt the EPEL rpm, however no luck. I am counting 12 seconds since I first input the password in AnyConnect client till AnyConnect prompts again for one. I would imagine the 10s timeout still kicks in somehow and the 2s difference is client overhead. I ran ocserv with debug 999 and here is the log, if it helps. http://paste.fedoraproject.org/428276/73931471/ 10s is barely usable; by the time I grab my phone, unlock and approve the login in the Duo app.. there's no room for error, a less technical user might not be as fast. Glad to test out other patches and options. -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro ----- Original Message ----- > From: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com> > To: "Nux!" <nux at li.nux.ro> > Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org> > Sent: Thursday, 15 September, 2016 07:39:34 > Subject: Re: recvmsg: Connection timed out (when dual auth) > On Wed, Sep 14, 2016 at 4:58 PM, Nux! <nux at li.nux.ro> wrote: >> Hello, >> While getting PAM to talk to both Radius and Duo is still not solved, I managed >> to install the Duo proxy software which acts like a local RADIUS client; in the >> background it checks both our RADIUS server in the LAN and DUO's 2FA service. >> >> All good and well, I can connect with my RADIUS password and the DUO application >> on my mobile asks for approval, but unless I'm really quick with the approval >> the auth fails. It must be something like 5 seconds max. >> I tried specifying "auth-timeout = 30" in ocserv.conf to give me more time, but >> it doesn't seem to fix the issue. >> >> Any ideas? >> >> ocserv[7916]: radius-auth: communicating username (foobar) and password >> ocserv[7922]: common.c:609: recvmsg: Connection timed out >> ocserv[7922]: worker: 172.16.5.34 worker-auth.c:688: error receiving auth reply >> message > > That seems to be in the communication between the worker process and > the security module process. I guess that you have to type your reply > before the worker thinks that the security module is stuck providing > its response, that's by default 10 secs. > > Does this address your issue? > https://gitlab.com/ocserv/ocserv/commit/ede5d97be86cf94f5e88cccc850f3626295f9028 > > > regards, > Nikos
