Adjustable timeout for Active Directory Authentication?

As far as i know, most OTP protocols rely on Radius for this. 

Can DUO work via AD protocol? As far as i know, they only offer Radius for the authentication to the application, isnt it? 

As far as i know, most OTP protocols rely on Radius for this. 

Can DUO work via AD protocol? As far as i know, they only offer Radius for the authentication to the application, isnt it? 

https://community.sophos.com/xg-firewall/f/recommended-reads/124501/3-ways-to-setup-xg-18-with-duo-2fa

DUO also works via LDAP(S) and as XG's AD authentication is done via LDAP then you can use DUO to do the authentication that way.

I explain in the article why setting up DUO authentication via an XG AD server is the best way - users are created in userPrincipalName to match those created by STAS and Heartbeat, and there is groups support (this doesn't happen with RADIUS or LDAP authentication servers). The only snag I have just found is the timeout in your AD Server setup. Ideally there would be a timeout field as there is for RADIUS. As there isn't, I wondered if there was any way to change the timeout for all AD authentication.

Hi JasP : Unfortunately we do not have any settings on UI at the moment to increase timeout for Active Directory Authentication. You may raise a request on Ideas Portal.

I wanted the AD Duo setup because of the naming and groups but ran in to the famous timeout for Duo push, in radius you can set the timeout but you have to react within 5 sec for AD. is there a way to set an timeout on AD as well? Maybe through (advanced) command line?

JasP Awesome post https://community.sophos.com/xg-firewall/f/recommended-reads/124501/3-ways-to-setup-xg-18-with-duo-2fa

V18.0 MR4 should give a workaround for this setup.

You should be able to configure a UPN (domain name) for radius. Therefore you can include the Radius UPN, so the username (UPN) for radius and AD should be the same. So you can grap all needed information from AD authentication and use Radius for those services, you want to have OTP. 

To have a AD Timeout, this is more work to do in the access_server (module). 

LuCar ToniI have edited my 'Recommended Read' article to reflect this information.

Do you have any details how exactly this will be implemented?

I can envisage three scenarios:

1. RADIUS server will always return UPN instead of SAN format username.
2. User will be able to specify which format to return in RADIUS Server setup.
3. RADIUS server will return the same format that the user logs in with.

Personally, 2 would be the best option as it is the most flexible.
1. would be an issue for existing people who have already setup SAN format users.
3. would require users to remember to login with UPN format username. Users will forget that requirement and you will still end up with two user accounts and users complaining that their service doesn't work.

Hi JasP,

I posted your idea to the ideas portal.

ideas.sophos.com/.../42133204-adjustable-timeout-for-active-directory-authentica

Hi Bart van der Horst

Thanks, I had spotted that and already voted but if they make the changes to RADIUS as mentioned by LuCar Toni then I suppose that will achieve what we want. It partly depends on how they implement it.

It will be able to specify a Domain per Radius. XG will add the domain to the user after radius authentication. 

That will do it then. Maybe any eta on MR4? This problem makes it difficult for our support staff to troubleshoot user vpn problems.

Hi LuCar Toni

Tested 18.0.4 today on my test rig. Domain set to local domain in radius setup. Works for known AD users, New vpn users are met with no vpn policy in the client. After logging in to the userportal (with AD Auth) the firewall sees the user correctly with Radius login.

One thing user Known and New are placed in the default group after radius login. So one step forward more to take.