SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

Authentication: Configurable RADIUS timeout

The RADIUS timeout setting is hardcoded, and can't be adjusted from the UI. Third-party two-factor authentication systems like PhoneFactor use "out of band" methods to complete authentication. Such schemes can take 20-30 seconds to complete an Auth. With the current hardcoded RADIUS timeout, Astaro is not compatible with these solutions, as the timeout needs to be set appropriately.

39 votes

    Benjamin Katz shared this idea

    12 comments

      • Matt Webb commented

        Not sure how this is still in limbo. Can we get any update from the folks at Sophos on this one? I'm going to have a lot of MFA frustration around here.

      • Peter Chick commented

        We also need to use External RADIUS 2FA authentication (Microsoft / Azure). Being unable to adjust the timeout renders all these other solutions useless.
        We need to use a unified 2FA solution for all our services.

        Please can this be looked at as soon as possible.

      • MichaelE commented

        We have used Astaro and Sophos UTM for more than 10 years. We managed to get async Two Factor Authentication with Azure MFA working by adjusting the timeout in a config file (which is not supported, but worked fine). Now (I think with one update) this configuration seems to be ignored and the timeout seems to be hardcoded to 15 seconds. So 2FA is not working anymore.
        We are going to change the firewall product!
        I am very disappointed in Sophos and I am glad we use only the Firewall, not WLAN and RED, so changing is easy for us.
        How difficult could it be to implement this???

      • Daniel commented

        I would also find this feature to be extremely useful. The ability to extend the RADIUS timeout would be an indispensable feature for those trying to integrate external dual factor authentication to the UTM's services such as WebAdmin, User Portal, VPN, etc. Andrew's suggestion seems to work, but it appears that you have to reset the change after some upgrades, otherwise the timeout is too short again if using some sort of push authentication.

      • Andrew G commented

        I have at least received this from Sophos Support:

        You may run: sudo vi /var/aua/AuaConfig.pm then edit the value for $radius_timeout.

        ***Please be informed that it is not advisable to edit these settings and Sophos Support is not liable if an issue happens after updating these settings.***

        Doing this has stopped the timeout error but I haven't quite gotten it working; it only works when it's already cached the previous RADIUS authentication.

      • Radek Hruby commented

        Hi Sophos, this was requested back in 2012 - is it that hard to implement such a small change that might make your system compatible with many dual factor authentications???

      • jcgillette commented

        I would also like to use two-factor with PhoneFactor with the Microsoft Azure application.

        Please can you add this functionality ASAP, because other competing solutions have this setting. Why not you?

        Thanks

      • Anonymous commented

        I second this request. We are forced to have two-factor authentication and PhoneFactor is pretty easy to roll out.

      • Steve T. commented

        I would really like to implement PhoneFactor with our Sophos UTM but the timeout issue appears to be the only roadblock.

      • MARK-KDT commented

        I second this request. Most of the two-factor authentication methods we have looked at are not compatible with the ASG. Our client base is moving towards two-factor authentication.
