VPN300 ignores "Search time limit" settings in AAA AD server

michku
michku Posts: 2  Freshman Member
First Comment
edited April 2021 in Security

When I log on to the Zywall VPN300 with an external domain account, Zywall waits for only 10 seconds and reports "Login denied" (nonexistent username).

I need a longer time for user authentication because the process on the external AD server includes 2FA authentication. If 2FA validation succeeds within 10 seconds, the login is OK, but normally a longer time for 2FA validation is required.

In the Zyxel settings I have set a timeout of 300 seconds (see attached image), but Zyxel ignores it.

I also tried it on the Zywall 1100 (all with the latest firmware), with the same result: Zyxel always waits only 10 seconds.

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @michku ,

    It’s different. Search time limit is a value that defines the time spent answering a search request on the server side; it tells the AD server how long you can search.

    But in your case, it is a timeout of the USG-to-Windows AD connection. There is no CLI to adjust the response timeout value in the current design; I would like to move it to the Ideas section as a feature request.

  • michku
    michku Posts: 2  Freshman Member
    First Comment

    I'm sorry, but I don't understand much.

    The user guide contains an explanation of the "search time limit": Specify the timeout period (between 1 and 300 seconds) before the Zyxel Device disconnects from the AD or LDAP server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the AD or LDAP server(s) or the AD or LDAP server(s) is down.

    So it should be exactly what you call "timeout between USG to windows AD connection".

    If your explanation is correct, then I don't understand the meaning of the setting. Zyxel tells the AD server how long it can search, but does not wait for a response?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Zyxel VPN "Search time limit" maps to FreeRADIUS "timelimit".
    As for your requirement, it maps to the "timeout" field in FreeRADIUS.
    It is on our to-do list; we will support it in the future.
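The distinction the Zyxel reply draws (a server-side search time limit carried in the LDAP request versus a client-side wait for any response) can be shown with a small simulation. The block below is an added example, not code from the thread, from Zyxel or from FreeRADIUS: it models an AD server as a thread, a bind that blocks until a simulated 2FA approval arrives, and a client that waits a fixed `response_timeout` for each reply. The two-step flow (search for the user, then bind as that user) and all delays are constructed assumptions for illustration.

```python
"""Toy model of the two timeouts discussed above (constructed example).

The LDAP "search time limit" (FreeRADIUS `timelimit`) travels inside the
search request and caps how long the *server* spends on that search.  The
time a client waits for *any* reply (FreeRADIUS `timeout`) is a local
client setting.  A bind that blocks on out-of-band 2FA is delayed on the
server, so only the client-side response timeout decides whether it is
reported as a failed login.  Op names and delays are invented.
"""
import queue
import threading
import time


def ad_server(request: dict, reply_q: "queue.Queue[dict]") -> None:
    """Simulated AD/LDAP server handling one request in its own thread."""
    if request["op"] == "bind":
        # Simulated 2FA: the server cannot answer until the user approves
        # the push prompt, which takes request["mfa_delay"] seconds.
        time.sleep(request["mfa_delay"])
        reply_q.put({"result": "success"})
    elif request["op"] == "search":
        # The server honours the time limit carried in the request: if the
        # search would take longer, it stops and reports timeLimitExceeded.
        if request["search_cost"] > request["timelimit"]:
            time.sleep(request["timelimit"])
            reply_q.put({"result": "timeLimitExceeded"})
        else:
            time.sleep(request["search_cost"])
            reply_q.put({"result": "success", "entries": ["cn=demo-user"]})


def send(request: dict, response_timeout: float) -> str:
    """Client side: send one request and wait at most response_timeout s.

    This local wait is the "timeout" the firewall does not expose; it is
    independent of any time limit carried inside the request.
    """
    reply_q: queue.Queue = queue.Queue()
    threading.Thread(target=ad_server, args=(request, reply_q), daemon=True).start()
    try:
        return reply_q.get(timeout=response_timeout)["result"]
    except queue.Empty:
        return "client timeout"  # surfaces to the user as "Login denied"


def login(mfa_delay: float, search_timelimit: float, response_timeout: float) -> str:
    """Assumed firewall flow: look the user up, then bind with their password.

    search_timelimit is the value the GUI calls "Search time limit";
    response_timeout is the hidden per-request wait.
    """
    search = send(
        {"op": "search", "search_cost": 0.05, "timelimit": search_timelimit},
        response_timeout,
    )
    if search != "success":
        return f"Login denied (search: {search})"
    bind = send({"op": "bind", "mfa_delay": mfa_delay}, response_timeout)
    if bind != "success":
        return f"Login denied (bind: {bind})"
    return "Login OK"


if __name__ == "__main__":
    # Raising the search time limit does nothing for a slow 2FA bind ...
    print(login(mfa_delay=0.4, search_timelimit=300, response_timeout=0.2))
    # ... only a longer client-side response timeout lets the bind finish.
    print(login(mfa_delay=0.4, search_timelimit=300, response_timeout=1.0))
    # The search time limit only bounds server-side search work.
    print(send({"op": "search", "search_cost": 0.3, "timelimit": 0.1}, 1.0))
```

Running the block prints a denied login, then a successful one, then `timeLimitExceeded`: a 300-second search time limit never extends the 0.2-second wait for the bind reply, which is exactly why the GUI setting has no effect on the 2FA case.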
