multi-factor authentication

Hi,

If you are trying to implement two-factor authentication where a User should go through two level of authentication processes, then I suggest you implement Radius server which supports two factor and configure it in XG.

Thanks

Does it work with certifcate or smartcard auth?

Hi,

You need a 3rd-party solution that will handle the 2FA for you, most of these solutions rely on Radius as Sachin already mentioned.

On Cyberoam I used Swivel Secure to handle the 2FA. Haven't worked with Swivel on SF_OS / XG, but I suppose it will work.

Cheers

Danny Oosterveer

Cyberoam CCT | Sophos XG Architect

Hi,

I try to configure multifactor authentication for VPN connections with the MFA server from Microsoft Azure.
https://azure.microsoft.com/fr-fr/documentation/articles/multi-factor-authentication-advanced-vpn-configurations/

So I defined this server as a radius at the XG Sophos, but when I test the connection it fails after a few seconds ,while I am receiving the phone call to confirm authentication. I think it would be enough to be granted more time to the process for it to succeed. (If I specify a wrong login or password it's immediately refused, which makes me think it works except that there is not enough time for the whole process)

Do you know if it is possible to increase the timeout of the response of the radius server? Do you have other ways to make this work?

Thank you

Yves

Hi Yves,

I'm not sure if this is a setting on the Radius Server, It should be somewhere in the IAS policy on the MS side.

Hi Danny,

I missed your answer, sorry.

With exactly the same configuration MS side, but just replacing the Sophos by a Watchguard and it works fine...

Regardes,

I know this thread is a bit old, but I am trying to set up MFA using the XG and MS Azure MFA. The setup works except, the XG appears to be hard coded to time out the Radius Auth after about 6 or 7 seconds. Because of this, almost all authentications time out during the time it takes the radius server to do the phone call/app auth process. 

There needs to be a time out setting on the XG such at 15 or 20 seconds to allow sufficient time for the radius server verify the end user via cell phone. The hard coded 5 to 7 seconds is only good for a straight single factor radius authentication. 

Therefore, unless you can complete your 2nd factor auth in under 5 to 7 seconds which is nearly impossible, you cannot successfully set up MFA on the XG.

THIS NEEDS TO BE ADDRESSED!!!!

I know this thread is a bit old, but I am trying to set up MFA using the XG and MS Azure MFA. The setup works except, the XG appears to be hard coded to time out the Radius Auth after about 6 or 7 seconds. Because of this, almost all authentications time out during the time it takes the radius server to do the phone call/app auth process. 

There needs to be a time out setting on the XG such at 15 or 20 seconds to allow sufficient time for the radius server verify the end user via cell phone. The hard coded 5 to 7 seconds is only good for a straight single factor radius authentication. 

Therefore, unless you can complete your 2nd factor auth in under 5 to 7 seconds which is nearly impossible, you cannot successfully set up MFA on the XG.

THIS NEEDS TO BE ADDRESSED!!!!

Sorry for bringing back old thread again, but it does not necessarily appear to be a timeout.  One issue I am seeing is that multiple authentication attempts are being performed on the WAF and they begin to fail when they stack up.  I believe the radius timeout may be hardcoded at 30 seconds, according to what I have heard and read elsewhere on the forum.

There are plans to bring this configurable in V18. 

Would assume this is the next upcoming release in 2019.