In Sophos XG, is there any way to increase the timeout for radius servers?
I'm having problems using SSL VPN authentication with radius when using 2-factor. If I bypass 2factor, I'm logging in fine.
If I enable 2factor, it seems to timeout and I get a second credential prompt before I get to accept the first request, rendering my first request invalid.
I've seen this question before and the answer was that the timout is hard coded. However that was a old thread:
Maybe things have changed?
I upgraded to v16 today as I was excited like a child about the news that it's been released.
It wasn't really straight forward, I hade to download and install the latest beta first to get it to see the GA update.
After the upgrade I was eager to try out 2fa so I activated it on my radius server once again.
To my horror 2fa failed again.
I got the authentication request on my phone but before I had time to accept it, the ssl vpn client disconnected, timing out as usual.
If I'm really fast, I meen really really ready, with the 2fa app open and my finger hoovering over the phone, I sometimes manage to authenticate before it times out !
I'm guessing there still isn't any way to increase the radius timeout on the XG?
Oh and I'm pretty sure its the XG, not the vpn client that is the issue as I 'm getting timeouts on the user portal as well.
Please sophos, you have to get this done right and soon, I have clients waiting for this stuff to work!
Bit of an interesting one, what 2FA provider are you using?
I'm not sure the XG has a configurable timeout and that feature request was for the SG UTM, not the XG so it may not be following it through.
I'm using Duo, but I guess anything that delays the authentication reply the slightest will result the same.
Typically it takes 5-7 seconds from the moment I press login in the client till I press accept on my phone.
We use Duo a lot and I'm really hoping Sophos will get this together.
I really like the XG but I'm not going to recommend a UTM without working 2fa to my clients.
Not being able to set a timeout for radius is just silly, especially when it seems to be so short per default.
The model we use is pretty common I think:
It just has to work, the people demand it.
I've been playing with the clients config this evening adding higher timeout values to available parameters but that didn't help...
The feature to configure access server timeout is considered in the ID NC-8393. It will be added in the future firmware releases.
Sachin Gurung Team Lead | Sophos Technical Support Knowledge Base | @SophosSupport | Video tutorials Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
That is wonderful news.
Digging trough the net in search for answers, it seems this has been on the wishlist for a long time, even pre-XG.
Now the interesting question is when will it be released? Any idea?
I was the one that started the 1st thread, this is good news.
Hello, can you please provide an update regarding ID NC-8393? Is there a method for implementing a RADIUS timeout for out-of-band services such as Duo via shell?