CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
Issue/Introduction
We're running Policy Server 12.8. When a user tries to access a resource protected by a Radius Auth Scheme, the XAuthRadius module doesn't work properly and reports this error:
[26380/140479939110656][Wed Aug 22 2018 15:45:34][AgentAuth.cpp:321][INFO][sm-log-00000] Execution time exceeded threshold. (CSm_Auth_Message::ProcessAgentMessage, 17117, 5000, agent=mymachine.mydomain.com client=*10.0.0.1 server=https://mymachine.mydomain.com resource=/xauth/ action=GET user=myuser)
We've set the registry key ExecutionTimeThreshold to 0x61A8 (25000), but the Policy Server doesn't apply it to the call to XAuthRadius.
Why do we see this behavior?
Environment
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:
Cause
As the Policy Server traces show, the Radius server doesn't respond within 15 seconds, so the call fails.
The 15 seconds are probably defined in the XAuthRadius configuration file, where a timeout is set:
Configuration File Format
"The configuration file contains IP numbers and RADIUS secret for each RADIUS server utilized by at least one user within the directory. It also specifies port number, timeout and number of retries for a RADIUS server."
XauthRADIUS Integration for CA Single Sign-On Installation and Configuration Version 6.3
As such, it is not the Policy Server that stops the execution of the thread before it finishes. The XAuthRadius module reports the timeout first.
[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160] [SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][] [][][][][][][No RADIUS Server available to authenticate user][XauthRADIUS: No RADIUS Server available to authenticate user][][][][][][][][][][][][][][][][][][][][][][][][][][][] [][][][][][][][][][][]
[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160] [SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][] [][][][][][][Authentication timed out or was not possible] [XauthRADIUS: Authentication timed out or was not possible] [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] [][][][][][][][]
Resolution
- Check the connection and the configuration of the Radius server;
- Adjust the timeout in the configuration file of the XAuthRadius module if needed;
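To separate the Policy Server's threshold message from the XAuthRadius module's own timeout when reviewing logs, the following added example (not part of the original article and not CA code) parses lines in the two formats shown above. The function name `triage` is hypothetical, the sample lines are constructed from the excerpts with the runs of empty brackets shortened, and reading the two integers as elapsed time and threshold in milliseconds is an assumption.

```python
import re

# Constructed sample input, shaped like the log excerpts in this article.
SAMPLE_LINES = [
    "[26380/140479939110656][Wed Aug 22 2018 15:45:34][AgentAuth.cpp:321][INFO][sm-log-00000] "
    "Execution time exceeded threshold. (CSm_Auth_Message::ProcessAgentMessage, 17117, 5000, "
    "agent=mymachine.mydomain.com client=*10.0.0.1 server=https://mymachine.mydomain.com "
    "resource=/xauth/ action=GET user=myuser)",
    "[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160] [SmAuthUser.cpp:775][ServerTrace]"
    "[][][No RADIUS Server available to authenticate user]"
    "[XauthRADIUS: No RADIUS Server available to authenticate user][][]",
    "[09/05/2018][16:08:52.406][16:08:52][11608][140410265532160] [SmAuthUser.cpp:775][ServerTrace]"
    "[][][Authentication timed out or was not possible] "
    "[XauthRADIUS: Authentication timed out or was not possible] [][]",
]

# Assumption: the two integers after the function name are the elapsed time
# and the threshold that was applied, both in milliseconds.
THRESHOLD_RE = re.compile(
    r"Execution time exceeded threshold\. "
    r"\((?P<func>[\w:]+), (?P<elapsed>\d+), (?P<limit>\d+), (?P<ctx>[^)]*)\)")
XAUTH_RE = re.compile(r"\[XauthRADIUS: (?P<msg>[^\]]+)\]")
TRACE_TS_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4})\]\[([\d:.]+)\]")

def triage(lines):
    """Return (threshold_events, xauth_events) found in the given log lines."""
    slow, xauth = [], []
    for line in lines:
        m = THRESHOLD_RE.search(line)
        if m:
            # The trailing key=value pairs carry agent, client, resource, user.
            ctx = dict(kv.split("=", 1) for kv in m["ctx"].split() if "=" in kv)
            slow.append({"func": m["func"], "elapsed_ms": int(m["elapsed"]),
                         "threshold_ms": int(m["limit"]),
                         "resource": ctx.get("resource"), "user": ctx.get("user")})
        for x in XAUTH_RE.finditer(line):
            ts = TRACE_TS_RE.match(line)
            xauth.append({"when": " ".join(ts.groups()) if ts else None, "msg": x["msg"]})
    return slow, xauth

if __name__ == "__main__":
    slow, xauth = triage(SAMPLE_LINES)
    for e in slow:
        print(f"{e['func']} took {e['elapsed_ms']} ms (threshold {e['threshold_ms']} ms) "
              f"resource={e['resource']} user={e['user']}")
    for e in xauth:
        print(f"{e['when']} XauthRADIUS: {e['msg']}")
```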