

User Duo lockout SSLVPN

Hello everyone,

We are running into an issue where the SSL VPN client will drop a connection and then cause a DUO lockout after sending multiple auth attempts.

Has anybody found a way to use DUO for SSL (via DUO Radius Server) that will not continually try to reauthenticate the user in their absence?

We have 2FA Duo working just fine until a connection issue occurs and the user is not watching for a Duo push notification. 

We were thinking auto connect set to "no" but that does not seem to help. 

What options in the .ovpn configuration file or on the XGS 4500 running SFOS 20 can we use to correct this behavior?

Ideally, if the client loses connection, we would like for it to wait for the user to initiate the SSLVPN tunnel with a new authentication attempt. 

Is this possible? How do we do it?

Thank you,

Lance



This thread was automatically locked due to age.
  • Hello Lance,

    We also use DUO via the Radius proxy. We have solved the problem by setting a timeout there that is less than the timeout that is stored in the RADIUS settings on Sophos.

    The timeout in Sophos is 60 seconds (the possible maximum).
    In the DUO authproxy.cfg we have set "api_timeout=55" in the radius server section.

    This means that after a connection is lost, there is a single reconnect which is answered by the DUO proxy after 55 seconds with auth failed, which interrupts the reconnect loop if the MFA request is ignored or not answered.

    Regards,
    Lukas
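
An offline check of the ordering this reply relies on (proxy api_timeout strictly below the firewall's RADIUS timeout), added here as an example that is not part of the thread and not Duo or Sophos tooling: it parses a constructed authproxy.cfg fragment with Python's configparser and reports every radius_server section whose api_timeout is missing or not below the firewall value. The section name radius_server_challenge and the key api_timeout are as used in the thread; SAMPLE_AUTHPROXY_CFG, FIREWALL_RADIUS_TIMEOUT and check_api_timeouts are names chosen for this example.

```python
import configparser

# Constructed authproxy.cfg fragment (placeholder credentials, not a real
# deployment). The first section carries the api_timeout=55 from the reply
# above; the second is deliberately missing it so the check has something
# to flag.
SAMPLE_AUTHPROXY_CFG = """
[radius_server_challenge]
ikey=<ikey placeholder>
skey=<skey placeholder>
api_host=<api-hostname placeholder>
radius_ip_1=192.0.2.10
radius_secret_1=<radius secret placeholder>
api_timeout=55

[radius_server_auto]
ikey=<ikey placeholder>
skey=<skey placeholder>
api_host=<api-hostname placeholder>
radius_ip_1=192.0.2.11
radius_secret_1=<radius secret placeholder>
"""

# RADIUS server timeout configured on the Sophos firewall; the reply quotes
# 60 s as the maximum. Adjust to whatever the firewall's RADIUS settings show.
FIREWALL_RADIUS_TIMEOUT = 60


def check_api_timeouts(cfg_text: str, firewall_timeout: int) -> dict[str, str]:
    """Return {section: verdict} for every radius_server* section.

    A section passes only when api_timeout is present, numeric and strictly
    less than the firewall's RADIUS timeout, so the proxy answers with an
    auth failure before the firewall gives up on the request.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    verdicts = {}
    for section in parser.sections():
        if not section.startswith("radius_server"):
            continue
        raw = parser.get(section, "api_timeout", fallback=None)
        if raw is None or not raw.strip().isdigit():
            verdicts[section] = f"missing api_timeout; set it below {firewall_timeout}s"
        elif int(raw) < firewall_timeout:
            verdicts[section] = f"ok ({int(raw)}s < {firewall_timeout}s)"
        else:
            verdicts[section] = f"api_timeout {int(raw)}s is not below {firewall_timeout}s"
    return verdicts


if __name__ == "__main__":
    for name, verdict in check_api_timeouts(SAMPLE_AUTHPROXY_CFG, FIREWALL_RADIUS_TIMEOUT).items():
        print(f"[{name}] {verdict}")
```

Point it at a real file with `check_api_timeouts(open(path).read(), timeout)` once the firewall's RADIUS timeout value is known.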

  • Lukas,

    Thank you very much for your response. 

    I have added "api_timeout=55" to the radius_server_challenge section of the authentication proxy configuration file. 

    The Radius server settings on the Sophos show the timeout at 60 seconds.

    I hope this works. 

    Thank you,

    Lance