
SSL VPN RADIUS with 2-factor timeout

In Sophos XG, is there any way to increase the timeout for RADIUS servers?

I'm having problems using SSL VPN authentication with RADIUS when using 2-factor. If I bypass 2-factor, I'm logging in fine.

If I enable 2-factor, it seems to time out and I get a second credential prompt before I get to accept the first request, rendering my first request invalid.

I've seen this question before and the answer was that the timeout is hard-coded. However, that was an old thread:

http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/2812151-authentication-configurable-radius-timeout

Maybe things have changed?
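The symptom described above (a second credential prompt arriving before the first push can be approved) is what a RADIUS client produces when its wait for the Access-Accept is shorter than the time the MFA server needs to get a human to tap "approve". The following probe is an added example, not code from the original post, from Sophos, or from Duo: it sends one PAP Access-Request (RFC 2865) to a RADIUS server with a timeout you choose, verifies the Response Authenticator on whatever comes back, and reports how long the server took. Run it against the MFA proxy with a generous timeout and compare the measured latency to the window your VPN appliance actually allows. The host, username, password, and the RADIUS_SECRET environment variable are placeholders you supply; nothing here is specific to XG.

```python
"""RADIUS Access-Request probe with a configurable client timeout (RFC 2865).

Purpose: measure how long an MFA-backed RADIUS server takes to answer, so the
result can be compared with the client-side timeout of the device in front of it.
Host, secret and credentials are supplied by the operator; nothing is hard-coded.
"""
import hashlib
import hmac
import os
import socket
import struct
import sys
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password (the server side); used here to self-check the encoder."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")  # strips the RFC padding; real passwords do not end in NUL


def attr(type_: int, value: bytes) -> bytes:
    """One Type/Length/Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         authenticator: bytes, nas_id: str = "radius-probe") -> bytes:
    """Code(1) Identifier Length Authenticator(16) Attributes..."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server replies for `request`; used to self-test verify_response offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe(host: str, port: int, secret: bytes, username: str, password: str, timeout_s: float):
    """Send ONE request (no retransmit) and return (outcome, seconds_waited)."""
    identifier, authenticator = os.urandom(1)[0], os.urandom(16)
    request = build_access_request(identifier, username, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout_s)
        start = time.monotonic()
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", time.monotonic() - start
    elapsed = time.monotonic() - start
    if data[1] != identifier or not verify_response(data, authenticator, secret):
        return "bad-authenticator", elapsed  # forged, corrupted, or wrong shared secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(data[0], f"code-{data[0]}"), elapsed


if __name__ == "__main__":
    # usage: RADIUS_SECRET=... python radius_probe.py <host> <user> <password> [timeout_seconds]
    host, user, pw = sys.argv[1:4]
    timeout = float(sys.argv[4]) if len(sys.argv) > 4 else 60.0
    outcome, waited = probe(host, 1812, os.environ["RADIUS_SECRET"].encode(), user, pw, timeout)
    print(f"{outcome} after {waited:.1f}s (client timeout {timeout:.0f}s)")
```

Two things the numbers tell you. If the probe returns "accept" after, say, 25 s with a 60 s timeout, the MFA path works and any device that gives up sooner is the problem, not the RADIUS server. The probe deliberately never retransmits: a client that does retransmit after a timeout sends a fresh Identifier and Authenticator, so the MFA server sees a second, independent login attempt, which is consistent with the second prompt described in the question.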

[locked by: FloSupport at 7:57 PM (GMT -7) on 25 Mar 2019]
  • FloSupport I PM'ed you my new case #

  • I wanted to add an update. I haven't received any useful information from support yet. At first they told me this isn't supported, then said that it is, they'd test it in their lab environment, but I haven't heard anything back. Doing some more testing of my own I've found something interesting. Duo 2FA works perfectly on the user portal. The user portal seems to have a longer timeout, so using the Duo RADIUS proxy I can log in, receive a push notification on my phone, and get in after approving it in Duo. I'm not sure exactly how long the timeout is but it seems to be at least 30 seconds or more. It still does not work for the admin logins or VPN. I've also tested bypassing 2FA for my account in Duo, so it should just accept a straight username/password, but that also fails. So it appears that the admin and VPN logins process RADIUS authentication completely differently from the user portal and the "Test Connection" button when creating the RADIUS server, because that shows successful authentication.

    Can't they just make the other RADIUS authentications work the same way as the user portal?? The XG is receiving a "success" message from the RADIUS server, so I just don't understand why the XG recognizes that as a failed authentication when logging in one place, but recognizes it as successful in another. That just seems like poor design. Does that indicate lower security on the user portal, or just bad code on the others?

  • I'm also facing the same issue. Is there an update on this? Where can I vote to add this "feature" that's already in UTM...

    Thanks,

    Mike

    Hi,

    [Update] This is a feature (NC-38557) that is planned for SFOS v18; apologies for any inconvenience caused.

    Regards,

  • It really shouldn't be "tentative".

    It should be "We are a security vendor moving into the large enterprise space with v18 so we will be providing the ability to put a RADIUS timeout to allow for Multi Factor Authentication".

    Not to be an a**, but it's in the UTM and so it should be in the XG. The amount of requests for Duo, Microsoft MFA and SafeNet MFA (which hook on the back of a RADIUS server to function) has been noticeably higher over the past few years.

    Emile

  • You've outlined my frustrations with this platform perfectly. We really need what should be considered basic RADIUS timeout functionality and integration with at least the major MFA providers.