[Note that I have previously posted this question on Experts Exchange... but have not found a solution yet].
We are a small business and would like to switch to two-factor authentication for VPN connections. We spent nearly a year helping Barracuda debug their small business VPN appliance and finally they took their boxes back and gave us back our money - they just couldn't get file sharing to work consistently with some new firmware they had to install due to a patent case.
So... now we are trying Phonefactor.
Our VPN setup is RRAS on a Windows Server 2003 domain controller.
We have installed Phonefactor, enabled it as a RADIUS server, and configured RRAS to point to Phonefactor for RADIUS authentication. We configured Phonefactor to send text messages for authentication, as we figured that would be less disruptive than a phone call.
It all works except... the timeout for VPN clients is only 20 seconds! By the time we receive the text message on a cell phone, sometimes there is only 5 or 6 seconds to get the six digit code typed into a reply on the cell phone... and unless we are really nimble, that is frequently not enough time!
When the VPN client times out, it gives an Error 718 "The connection was terminated because the remote computer did not respond in a timely manner."
How can we increase the timeout on the VPN clients, so we can more reliably enter the authentication code in a reply back to Phonefactor?
Things we have tried:
1) Connecting (PPTP) from different Windows clients to see if we get different timeout limits. So far we have tried several Windows 7 boxes and a Windows Server 2003 as the client, but in all cases the timeout is 20 seconds.
2) On the Windows clients: Searching through the PPTP client settings to see if there is one labeled "connection timeout". So far we have found nothing.
3) On the Windows 2003 server: Modifying the RRAS RADIUS Server time-out to be 30 seconds, 60 seconds, 300 seconds. We've tried restarting RRAS after these changes, but the client connection timeout is still 20 seconds.
4) In the Phonefactor configuration: Searching through the RADIUS server settings to see if there is one labeled "connection timeout". So far we have found nothing.
5) Using NTRadPing to connect directly to the Phonefactor RADIUS server. With NTRadPing we were able to wait more than 60 seconds without a timeout from Phonefactor. So we don't *think* at this point that the issue is within Phonefactor.
6) We have asked Phonefactor support, but their response is "hmmm... good question, we don't know, that sounds like a problem with your VPN client". And they could well be correct.
7) Search the web for how to increase either the stock Windows VPN client timeout, or the RRAS RADIUS authentication timeout. No luck so far.
8) Try this registry hack: http://windowsitpro.com/networking/solving-ras-718-error. Didn't help.
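The direct RADIUS timing check from step 5, which the poster ran with NTRadPing, can also be scripted. The following is an added example, not part of the original post: it sends one PAP Access-Request, measures how long the server holds the reply, and verifies the Response Authenticator. UDP port 1812, PAP, and the command-line argument order are assumptions.

```python
import hashlib, hmac, os, socket, struct, sys, time

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with an MD5 mask."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16, minimum 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident, authenticator):
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    attrs = b""
    for atype, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def reply_is_authentic(reply, request_authenticator, secret):
    """Check the Response Authenticator so a spoofed reply is not timed by mistake."""
    if len(reply) < 20:
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def time_reply(host, port, packet, secret, wait_seconds):
    """Send once, wait up to wait_seconds. Returns (reply code or None, elapsed seconds)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(wait_seconds)
        start = time.monotonic()
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, time.monotonic() - start
    elapsed = time.monotonic() - start
    ok = reply_is_authentic(reply, packet[4:20], secret) and reply[1] == packet[1]
    return (reply[0] if ok else None), elapsed

if __name__ == "__main__" and len(sys.argv) == 5:
    # Assumed argument order: host secret user password (test account only;
    # command-line arguments are visible to other local users).
    host, secret, user, password = (a.encode() for a in sys.argv[1:5])
    pkt = build_access_request(user, password, secret, os.getpid() % 256, os.urandom(16))
    code, took = time_reply(host.decode(), 1812, pkt, secret, 120)  # 1812: assumed port
    print("no valid reply" if code is None else f"reply code {code}", f"after {took:.1f}s")
```

A reply code of 2 (Access-Accept) arriving well after 20 seconds confirms the RADIUS server itself is willing to wait, which points the 20-second limit at the RRAS or client side of the exchange.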
Thanks for the post.
However, generally, we first type User Name, Password, then click connect to establish the VPN connection. Such as:
Therefore, I am a little confused about the timeout you mentioned. Would you please provide us with more details?
Regarding error 718, please check if the following could help:
If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.
Steps to follow for resolution:
(1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2
(2) Check if the RADIUS server policy supports MSCHAPv2 (This step is needed if you control access to clients using Remote Access Policies on the IAS/NPS server)
Quote from: Troubleshooting Vista VPN problems.
Hope this helps.
TechNet Community Support
Thanks for the reply.
1) We are using that same connecting dialog that you show in your screen snapshot. The problem occurs after we enter our username and password and click "connect". What happens then:
1a) A dialog appears as it connects to our Windows 2003 Server / RRAS.
1b) The dialog switches to "verifying username/password"
1c) RRAS communicates to Phonefactor (configured as a RADIUS server) and asks for authentication
1d) Phonefactor sends a text message to our cell phone containing a six-digit authentication code.
1e) We must reply to this text message by typing in the six-digit authentication code.
1f) Phonefactor replies back to RRAS with a "success" message.
1g) We are successfully connected to the VPN.
2) Our problem is that we only have 20 seconds to complete steps (1a) through (1f), otherwise we get the error 718.
3) 20 seconds is not quite enough... often it takes ~10 seconds for the text message to arrive on our phones, so we only have 10 seconds to enter the six digit number. This can be done but you have to be very fast!
4) So... we would just like to know how to increase this 20 second limit so we can use Phonefactor authentication without having it be a test of our typing skills each time we connect :-)
I believe that Microsoft now owns Phonefactor: https://www.phonefactor.com/microsoft/
So... our attempt to make Phonefactor (now a Microsoft product) work seamlessly with the Microsoft VPN client running on Microsoft Windows seems reasonable, I think!
Based on my research, this timeout value should be set on server side.
Please check if the following could help:
Remote access RADIUS attributes
Hope this helps.
TechNet Community Support
Agreed - it looks like a timeout issue between RRAS and the RADIUS server.
I would love to use Set-RemoteAccessRadius to set the TimeOut value on our RRAS -> RADIUS connection... but we are using Windows Server 2003 and it appears from http://technet.microsoft.com/en-us/library/hh918417.aspx that Set-RemoteAccessRadius applies only in Windows Server 2012. Can this cmdlet be used in Windows Server 2003?
And, does this cmdlet do anything more than what is accomplished by setting the timeout parameter highlighted below from within the RRAS user interface? We have already set this Time-out to many different values, tried restarting the RRAS service, tried rebooting, etc.