Sophos Ideas / SG UTM

SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

Suggest an Idea...

← SG UTM

Authentication: Configurable RADIUS timeout

The RADIUS timeout setting is hardcoded, and can't be adjusted from the UI. Third part two factor authentication systems like PhoneFactor use "out of band" methods to complete authentication. Such schemes can take 20-30 seconds to complete an Auth. With the current hardcoded RADIUS timeout Astrado is not compatible with these solutions as the timeout needs to be set appropriately.

47 votes
Sign in Sign in with: Log in with your Sophos ID
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Benjamin Katz shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

16 comments

Sign in Sign in with: Log in with your Sophos ID
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    Any update on this? Surely this isn't a difficult fix. With all the security concerns being raised today in the media more clients are looking at security and MFA is one important aspect of this. When do we expect a fix?

  • Matt Webb commented  ·   ·  Flag as inappropriate

    Not sure how this is still in limbo. Can we get any update from the folks at sophos on this one? I'm going to have a lot of MFA frustration around here.

  • Peter Chick commented  ·   ·  Flag as inappropriate

    We also need to use External RADIUS 2FA authentication (Microsoft / Azure). Being unable to adjust the timeout renders all these other solutions useless.
    We need to use a unified 2FA solution for all our services.

    Please can this be looked at as soon as possible.

  • MichaelE commented  ·   ·  Flag as inappropriate

    We have used Astaro and Sophos UTM for more than 10 years. We managed to get async Two Factor Authentication with Azure MFA working by adjusting the timeout in a config file (which is not supported, but worked fine). Now (I think with one update) this configuration seems to be ignored and the timeout seems to be hardcoded to 15 seconds. So 2FA is not working anymore.
    We are going to change the firewall product!
    I am very disappointed from Sophos and I am glad we use only the Firewall, not WLAN and RED, so changing is easy for us.
    How difficult could it be to implemet this???

  • Daniel commented  ·   ·  Flag as inappropriate

    I would also find this feature to be extremely useful. The ability to extend the RADIUS timeout would be an indispensable feature for those trying to integrate external dual factor authentication to the UTM's services such as WebAdmin, User Portal, VPN, etc...Andrew's suggestion seems to work, but it appears that you have to reset the change after some upgrades otherwise the timeout is too short again if using some sort of push authentication.

  • Andrew G commented  ·   ·  Flag as inappropriate

    I have at least received this from Sophos Support:

    You may run: sudo vi /var/aua/AuaConfig.pm then edit the value for $radius_timeout.

    ***Please be informed that it is not adviseable to edit this settings and Sophos Support is not liable if in case there's an issue happened after updating this settings.***

    Doing this has stopped the timeout error but I haven't quite gotten it working, it only works when it's already cached the previous radius authentication

  • Radek Hruby commented  ·   ·  Flag as inappropriate

    Hi Sophos, this has been requested back in 2012 - is it that hard to implement such a small change that might make your system compatible with many dual factor authentications???

  • jcgillette commented  ·   ·  Flag as inappropriate

    I would like use two factor also with PhoneFactor with Microsoft Azur application

    Please can you add this functionality ASAP because other competing solutions have well this setting why not you ?

    Thanks

  • Anonymous commented  ·   ·  Flag as inappropriate

    I second this request. We are forced to have two factor authentication and PhoneFactor is pretty easy to roll-out.

  • Steve T. commented  ·   ·  Flag as inappropriate

    I would really like to implement Phonefactor with our Sophos UTM but the timeout issue appears to be the only roadblock.

  • MARK-KDT commented  ·   ·  Flag as inappropriate

    I second this request. Most of the tow factor authentication methods we have looked at are not compatible with the ASG. Our client base is moving towards two factor authentication.

SG UTM: Authentication

Categories

Feedback and Knowledge Base

(thinking…)
icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.