Sophos AP/APX users may experience issues registering to Sophos Central. More info available here: Central Wireless
We'd love to hear about it! Click here to go to the product suggestion community
In Sophos XG, is there any way to increase the timeout for radius servers?
I'm having problems using SSL VPN authentication with radius when using 2-factor. If I bypass 2factor, I'm logging in fine.
If I enable 2factor, it seems to timeout and I get a second credential prompt before I get to accept the first request, rendering my first request invalid.
I've seen this question before and the answer was that the timout is hard coded. However that was a old thread:
Maybe things have changed?
In reply to BalazsZeller:
In reply to AndrzejSydorko:
I upgraded to v16 today as I was excited like a child about the news that it's been released.
It wasn't really straight forward, I hade to download and install the latest beta first to get it to see the GA update.
After the upgrade I was eager to try out 2fa so I activated it on my radius server once again.
To my horror 2fa failed again.
I got the authentication request on my phone but before I had time to accept it, the ssl vpn client disconnected, timing out as usual.
If I'm really fast, I meen really really ready, with the 2fa app open and my finger hoovering over the phone, I sometimes manage to authenticate before it times out !
I'm guessing there still isn't any way to increase the radius timeout on the XG?
Oh and I'm pretty sure its the XG, not the vpn client that is the issue as I 'm getting timeouts on the user portal as well.
Please sophos, you have to get this done right and soon, I have clients waiting for this stuff to work!
Bit of an interesting one, what 2FA provider are you using?
I'm not sure the XG has a configurable timeout and that feature request was for the SG UTM, not the XG so it may not be following it through.
In reply to EmileBelcourt:
I'm using Duo, but I guess anything that delays the authentication reply the slightest will result the same.
Typically it takes 5-7 seconds from the moment I press login in the client till I press accept on my phone.
We use Duo a lot and I'm really hoping Sophos will get this together.
I really like the XG but I'm not going to recommend a UTM without working 2fa to my clients.
Not being able to set a timeout for radius is just silly, especially when it seems to be so short per default.
The model we use is pretty common I think:
It just has to work, the people demand it.
I've been playing with the clients config this evening adding higher timeout values to available parameters but that didn't help...
The feature to configure access server timeout is considered in the ID NC-8393. It will be added in the future firmware releases.
In reply to sachingurung:
That is wonderful news.
Digging trough the net in search for answers, it seems this has been on the wishlist for a long time, even pre-XG.
Now the interesting question is when will it be released? Any idea?
I was the one that started the 1st thread, this is good news.
Hello, can you please provide an update regarding ID NC-8393? Is there a method for implementing a RADIUS timeout for out-of-band services such as Duo via shell?
In reply to GuidoGarcia:
If there is a nic opened, the feature is completely missing even from CLI.
Hope they will give us when this will be implemented v16.5, v17....
In reply to lferrara:
This is now a very important requirement from a compliance perspective. If I cannot get an answer on this, I may very well have to look at alternative solutions.
Are there an updates? I'm not sure how out-of-band radius authentication scenarios have not been considered.
What's the current status of NC-8393? When can we expect to see it in a release?
Hi there, are there any new informations about the radius timeout issue? We like to use Microsoft mfa an in the case that the Primary 2factor Fails the radius Connection will droped from the xg Firewall wile MS mfa tries to use the alternate 2 factor (SMS or phonecall for example).
Please provide an update on this. It seems many of us are facing the same challenges and the only options are to change MFA provider or reduce our VPN security (neither of which are ideal).