In Sophos XG, is there any way to increase the timeout for radius servers?
I'm having problems using SSL VPN authentication with radius when using 2-factor. If I bypass 2factor, I'm logging in fine.
If I enable 2factor, it seems to timeout and I get a second credential prompt before I get to accept the first request, rendering my first request invalid.
I've seen this question before and the answer was that the timout is hard coded. However that was a old thread:
Maybe things have changed?
I recently opened a support ticket with Sophos to get an update about this. Below is the response I have received (spoiler: issue is not resolved yet).
"About this [NC-8393] the bad news is that there is not a work around with Radius, however as a "work around" for dual authentication that another client have been using is with Google Authenticator or using the firewall. This function is coming in an upcoming release of the 17 version, 17.3, but it might be before due to the demand about this feature with Radius."
I asked for further clarification regarding what the support engineer meant when he said "using the firewall" is a work around, even after he directly said that there is no work around with RADIUS. I also asked for further clarification regarding when version 17.3 might be released. I'm awaiting further details on both of these follow ups.
I have a further update and a correction from support:
The fix for NC-8393 will be available in version 17.2 which is due to be released between September or October of this year (2018). Version 17.1 is coming out in the summer but won't have this feature. As for the workaround provided, Google Authenticator is apparently one way to go but saying that the firewall could also be used was a typo. Instead the support engineer meant that One-Time Password could be used in place of multi-factor authentication. OTP can be used for WebAdmin, User Portal, SSL and IPSEC remote access.
Will this fix be included in 17.5 or will it be a release before that point (we're on 17.1.3 now)? This timeout is holding back our implementation of 3rd party 2fa/mfa--the OTP on the XGs is great, but when you have lots of them and lots of other 2fa/mfa in the environment, we really want to try and centralize a bit.
Seems like it is postponed to V18.
V17.5 is in Beta and all features are included. No Radius timeout there.
But - do not forgot, most of the time, the value of XG (30 sec) can be configured on the 2factor system. So it should be possible to use those systems.
Had a discussion with a smaller vendor of 2factor. This vendor was a startup - so he was able to change quickly in his product and could adjust this value fast in his system.
Is Sophos's response really that all the 2FA companies should change rather than Sophos?
A simple change for Sophos on a patch release would be to make the timeout 60 secs whilst we wait for it to be configurable?
It is not quite that simple to change this value. So there are reasons behind this change postponed to V18.
And i gave you a simple workaround or at least a way to ask your 2FA Company vendor. Maybe there is a way to change it, maybe there is not.
And if this change would be as simple as you suggest, why could not the 2FA vendor change this value?
Because it is not just one 2FA provider that has this issue and when you have many customers using many different 2FA providers; we don't have relationships with all of them.
There is one common denominator in the XG which would be the logical place to fix this issue.
In the meantime, customers wait or select/change to new NGFW providers.