Adjustable timeout for Active Directory Authentication?

Is there any way to change the timeout for Active Directory authentication? It appears to be set at 5s.

I realise that for most implementations this is not an issue, but after posting an article on how to set up DUO 2FA with AD authentication, I have noticed that if I don't authenticate within 5s then the authentication fails. I hadn't noticed this before because I usually confirm the DUO prompt pretty quickly. DUO itself is set for a 30s timeout, but this is meaningless if XG only waits 5s.

This doesn't happen with LDAP authentication which must have a longer timeout.



This thread was automatically locked due to age.

Top Replies

  • V18.0 MR4 should give a workaround for this setup.

    You should be able to configure a UPN (domain name) for RADIUS. Therefore you can include the RADIUS UPN, so the username (UPN) for RADIUS and AD should be the same. So you can grab all needed information from AD authentication and use RADIUS for those services you want to have OTP for.

    To have an AD timeout, this is more work to do in the access_server (module).

  • As far as I know, most OTP protocols rely on RADIUS for this.

    Can DUO work via the AD protocol? As far as I know, they only offer RADIUS for the authentication to the application, isn't it?


  • https://community.sophos.com/xg-firewall/f/recommended-reads/124501/3-ways-to-setup-xg-18-with-duo-2fa

    DUO also works via LDAP(S), and as XG's AD authentication is done via LDAP, you can use DUO to do the authentication that way.

    I explain in the article why setting up DUO authentication via an XG AD server is the best way: users are created in userPrincipalName form to match those created by STAS and Heartbeat, and there is group support (this doesn't happen with RADIUS or LDAP authentication servers). The only snag I have just found is the timeout in your AD server setup. Ideally there would be a timeout field as there is for RADIUS. As there isn't, I wondered if there was any way to change the timeout for all AD authentication.
