Adjustable timeout for Active Directory Authentication?

Is there any way to change the timeout for Active Directory authentication? It appears to be set at 5s.

I realise that for most implementations this is not an issue, but after posting an article on how to set up DUO 2FA with AD authentication, I have noticed that if I don't authenticate within 5s then the authentication fails. I hadn't noticed this before because I usually confirm the DUO prompt pretty quickly. DUO itself is set for a 30s timeout, but this is meaningless if XG only waits 5s.

This doesn't happen with LDAP authentication which must have a longer timeout.

  • As far as I know, most OTP protocols rely on Radius for this.

    Can DUO work via AD protocol? As far as I know, they only offer Radius for the authentication to the application, isn't it?


  • V18.0 MR4 should give a workaround for this setup.

    You should be able to configure a UPN (domain name) for Radius. Therefore you can include the Radius UPN, so the username (UPN) for Radius and AD should be the same. So you can grab all needed information from AD authentication and use Radius for those services you want to have OTP for.

    To have an AD timeout, this is more work to do in the access_server (module).


  • I have edited my 'Recommended Read' article to reflect this information.

    Do you have any details how exactly this will be implemented?

    I can envisage three scenarios:

    1. RADIUS server will always return UPN instead of SAN format username.
    2. User will be able to specify which format to return in RADIUS Server setup.
    3. RADIUS server will return the same format that the user logs in with.

    Personally, 2 would be the best option as it is the most flexible.
    1. would be an issue for existing people who have already set up SAN format users.
    3. would require users to remember to log in with a UPN format username. Users will forget that requirement and you will still end up with two user accounts and users complaining that their service doesn't work.

  • Bart van der Horst

    Sophos XG v18(.5) / v19 Certified Architect
    https://www.bpaz.nl

  • Hi

    Thanks, I had spotted that and already voted but if they make the changes to RADIUS as mentioned by then I suppose that will achieve what we want. It partly depends on how they implement it.

  • It will be able to specify a Domain per Radius. XG will add the domain to the user after radius authentication. 

