SSL VPN Radius with 2factor timout

In Sophos XG, is there any way to increase the timeout for radius servers?

I'm having problems using SSL VPN authentication with radius when using 2-factor. If I bypass 2factor, I'm logging in fine.

If I enable 2factor, it seems to timeout and I get a second credential prompt before I get to accept the first request, rendering my first request invalid.

I've seen this question before and the answer was that the timout is hard coded. However that was a old thread:

Maybe things have changed?

  • Hi All,

    The feature is pending and unfortunately, v16 will not see the feature. We have a buffer full of feature requests and the developers will consider these requests on the account of Votes it receives. Please cast your votes and raise a support case to push the development team to prioritize it. I'll start a group conversation for this request and try to prioritize it.


  • In reply to sachingurung:

    I hope that's not the only metric you're using to roll requests into future firmware updates. This seems like a critical bug, not a feature request. How do you get them reclassified? People can't even login because there's no way to set the timer and your partners are losing business because of it. Relying on votes for this seems counter intuitive.

  • In reply to sachingurung:

    Can you point us to where to vote on this? I agree that this shouldn't even be in the "feature request" status. This is a fairly critical issue for many companies. For us it has prevented us from fully implementing the UTM's we purchased over a year ago. We have to "protect" them behind ASA's that can handle 2FA for things like VPN access. If we'd have known that something as basic as 2FA had not yet been fully implemented in the platform we likely would have chosen a different product. 2FA has become a standard, and it's not something that happened recently. OTP's are old school and not something that organizations want to force on their users if everything else in their environment can be logged into without the hassle.


    Just as a note, the only reason we've kept these around this long is because we keep being told that this basic functionality is coming out "any day now"


    I see here that it has been added in 9.5 but for some reason has not been done in the XG platform.

  • In reply to sachingurung:

    Any word regarding whether the latest V17 release corrects this issue (2FA timeout)?  It doesn't appear to be listed specifically in the release notes, but still hopeful . . .



  • In reply to sachingurung:

    Where can we cast votes for this feature and get it moved up?  What is the escalation procedure?  This is a SOC 2 requirement for client VPN services and we cannot use the product.

    Thank you.

  • In reply to GuidoGarcia:

    I second this.  Is there no workaround??   This was supposed to be a good replacement for Microsoft TMG, but won't even work well with Microsoft MFA due to timeouts issue.

  • In reply to sachingurung:

    So I'm in the process of selling yet another firewall and I see Sophos still hasn't fixed this in the latest firmware (SFOS 17.0.2 MR-2), so it won't be a Sophos unit this time either.

  • In reply to sachingurung:

    Can you please provide us with additional information regarding this?  

  • In reply to GuidoGarcia:

    Yeah, more and more "features" being released but I have yet to see this (which can be done at the code level on the VPN engine being used - btw). Additionally, still haven't really resolved all of their basic IKEv2 issues.

  • I recently opened a support ticket with Sophos to get an update about this. Below is the response I have received (spoiler: issue is not resolved yet).

    "About this [NC-8393] the bad news is that there is not a work around with Radius, however as a "work around" for dual authentication that another client have been using is with Google Authenticator or using the firewall. 

    This function is coming in an upcoming release of the 17 version, 17.3, but it might be before due to the demand about this feature with Radius."


    I asked for further clarification regarding what the support engineer meant when he said "using the firewall" is a work around, even after he directly said that there is no work around with RADIUS. I also asked for further clarification regarding when version 17.3 might be released. I'm awaiting further details on both of these follow ups.

  • In reply to David Ballagh:

    I have a further update and a correction from support:


    The fix for NC-8393 will be available in version 17.2 which is due to be released between September or October of this year (2018). Version 17.1 is coming out in the summer but won't have this feature. 

    As for the workaround provided, Google Authenticator is apparently one way to go but saying that the firewall could also be used was a typo. Instead the support engineer meant that One-Time Password could be used in place of multi-factor authentication. OTP can be used for WebAdmin, User Portal, SSL and IPSEC remote access.

  • In reply to sachingurung:

    Can we get a definitive answer on using a 3rd party MFA/2FA solution with the Sophos XG?

    Is the XG capable of integrating a 3rd party MFA (such as SecurEnvoy, Swivel, Duo, Vasco...) for SSL-VPN clients?

  • In reply to David Ballagh:

    Will this fix be included in 17.5 or will it be a release before that point (we're on 17.1.3 now)?  This timeout is holding back our implementation of 3rd party 2fa/mfa--the OTP on the XGs is great, but when you have lots of them and lots of other 2fa/mfa in the environment, we really want to try and centralize a bit.


  • In reply to JBernard_EP:

    Seems like it is postponed to V18. 

    V17.5 is in Beta and all features are included. No Radius timeout there.

    But - do not forgot, most of the time, the value of XG (30 sec) can be configured on the 2factor system. So it should be possible to use those systems.

    Had a discussion with a smaller vendor of 2factor. This vendor was a startup - so he was able to change quickly in his product and could adjust this value fast in his system. 

  • In reply to LuCar Toni:

    Is Sophos's response really that all the 2FA companies should change rather than Sophos?

    A simple change for Sophos on a patch release would be to make the timeout 60 secs whilst we wait for it to be configurable?