User Duo lockout SSLVPN

Question

Hello everyone, 
 We are running into an issue where the SSL VPN client will drop a connection and then cause a DUO lockout after sending multiple auth attempts. 
 Has anybody found a way to use DUO for SSL (via DUO Radius Server) that will not continually try to reauthenticate the user in their absence? 
 We have 2FA Duo working just fine until a connection issue occurs and the user is not watching for a Duo push notification. 
 We were thinking auto connect set to "no" but that does not seem to help. 
 What options in the .ovpn configuration file or on the XGS 4500 running SFOS 20 can we use to correct this behavior? 
 Ideally, if the client loses connection, we would like for it to wait for the user to initiate the SSLVPN tunnel with a new authentication attempt. 
 Is this possible? How do we do it? 
 
 Thank you, 
 
 Lance

LuNie · Accepted Answer

Hello Lance, 
 We also use DUO via the Radius proxy. We have solved the problem by setting a timeout there that is less than the timeout that is stored in the RADIUS settings on Sophos. 
 The timeout in Sophos is 60 seconds (the possible maximum) In the DUO authproxy.cfg we have set "api_timeout=55" in the radius server section. 
 This means that after a connection is lost, there is a single reconnect which is answered by the DUO proxy after 55 seconds with auth failed, which interrupts the reconnect loop if the MFA request is ignored or not answered. 
 Regards, Lukas

User Duo lockout SSLVPN

Top Replies