I'm working on an integration of CPPM with Duo for multi-factor authentication, and for the most part everything seems to be working as intended. The problem I'm running into at the moment is that there appears to be a 10-second timeout for TACACS+ authentication. The flow at the moment is that the switch accepts the username and password, then sends them to CPPM, which in turn sends them to the Duo proxy for authentication.
- I've set the timeout on the switch (Cisco 3560-CX) to 30 seconds, and set the timeout in Duo to 30 seconds.
- The set timeouts work fine for RADIUS; only the TACACS+ service seems to still have this 10-second timeout. Generally 10 seconds is fine; however, if someone has their phone in their pocket, it can easily be 10 seconds to pull out the phone, unlock it, open the prompt and accept, so it would be best if we could turn this up to at least 15 - 20 seconds.
- When it times out, the failure reason is recorded by CPPM as below:
Error Category: Internal error
Error Code: Internal error in performing authentication
Alerts for this Request:
Tacacs server: Session failed for Host=http://localhost:8080/networkservices/webauthservice/BasicAuthentication, Reason=[post::<easy_perform>, (error=28) Timeout was reached]. Failed to authenticate user=