Feature #3135

Android client - settings for connection re-try

Added by Karel Hendrych about 1 year ago. Updated almost 1 year ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: android
Target version: -
Start date: 05.08.2019
Due date:
Estimated time:
Resolution:

Description

Hello, please consider enhancing the Android client with an option allowing configuration of connection retries, with an option to disable them entirely. Current behavior seems to be indefinite connection attempts.

The current implementation with EAP (username/password) can practically trigger user lock-out. For example, if there is a RADIUS Multi Factor Authentication proxy (doing a push to a mobile app, asking for authorization of the connection), then unconfirmed EAP username/password authentication attempts (during retries) are happening, triggering the user being locked out on the MFA solution sooner or later. Namely this applies to DUO MFA (and similar solutions):

strongSwan-Android-App====IKEv2-headend====DUO-MFA-proxy====RADIUS-backend

Thanks!

History

#1 Updated by Tobias Brunner almost 1 year ago

  • Status changed from New to Feedback

> Current behavior seems to be indefinite connection attempts.

Yes, that's on purpose. Until the user manually disconnects, the client attempts to reestablish it and blocks traffic. I guess we could make this more configurable, but that currently has no priority.

> Current implementation with EAP (username/password) can practically trigger user lock-out. For example if there is RADIUS Multi Factor Authentication proxy (doing push to mobile app, asking for authorization of connection) then unconfirmed EAP username/password authentication attempts (during retries) are happening.

Yeah, I guess that could be problematic with reauthentication in the background. Try avoiding reauthentication (e.g. by configuring the server appropriately).

#2 Updated by Karel Hendrych almost 1 year ago

Hello, well, it's the client triggering new authentication attempts. It can easily lead to account lock-out in common scenarios with password backends too (besides the multi-factor scenario described initially). For example, the user's password gets changed while the Android client is connected. Then, after dropping off the network, it would retry indefinitely with the old password, possibly triggering a lockout.

It would be nice to put retry settings on the enhancements list.

#3 Updated by Tobias Brunner almost 1 year ago

> well, it's the client triggering new authentication attempts.

Not necessarily. The server can request reauthentication (see ExpiryRekey) and due to its configuration it could make reestablishing the connection unnecessarily necessary (e.g. if DPD intervals are too low and clients roam between networks and can't update to a new IP because the server already killed the connection).
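As an added illustration (not taken from this issue or from the strongSwan project's own documentation), a server-side swanctl.conf fragment that follows the advice in the two replies above: periodic IKE_SA rekeying instead of reauthentication (so no fresh EAP exchange hits the RADIUS/MFA backend in the background), and a DPD delay long enough for a roaming client to update its address via MOBIKE before the server gives up on it. The connection name, addresses, identities and certificate file are assumed placeholders.

```conf
# swanctl.conf (server / IKEv2 headend) -- added example, values are assumptions
connections {
    rw-eap {
        version = 2
        local_addrs = 203.0.113.1            # assumed public address of the headend
        # IKE_SA rekeying re-derives keys in place; no new EAP round trip,
        # so the RADIUS/MFA backend is not contacted again.
        rekey_time = 4h
        # Reauthentication tears the IKE_SA down and runs EAP again;
        # 0 disables it (this is also the swanctl default).
        reauth_time = 0
        # Let clients that change networks update their address via MOBIKE
        # instead of having the SA killed and re-created (and re-authenticated).
        mobike = yes
        # Dead peer detection: send a liveness check after 30s of silence.
        # Too low a value combined with the default retransmission timeout
        # kills roaming clients before they can send a MOBIKE update.
        dpd_delay = 30s

        local {
            auth = pubkey
            certs = headend.example.org.crt   # assumed server certificate file
            id = headend.example.org
        }
        remote {
            # EAP username/password forwarded to RADIUS (e.g. behind an MFA proxy)
            auth = eap-radius
            eap_id = %any
        }
        children {
            rw {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-x25519
            }
        }
        pools = rw-pool
    }
}

pools {
    rw-pool {
        addrs = 10.10.0.0/24                 # assumed virtual IP pool for clients
    }
}
```

With reauth_time = 0 the only EAP exchanges left are those the client itself initiates after a connection drop, which is exactly the retry behaviour the feature request asks to make configurable.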

#4 Updated by Karel Hendrych almost 1 year ago

Good one, I believe practically most of the new authentications will be coming from the mobile client after some connection blip.

Thanks!
