Authentication: Configurable RADIUS timeout
The RADIUS timeout setting is hardcoded, and can't be adjusted from the UI. Third-party two-factor authentication systems like PhoneFactor use "out of band" methods to complete authentication. Such schemes can take 20-30 seconds to complete an Auth. With the current hardcoded RADIUS timeout, Astaro is not compatible with these solutions, as the timeout needs to be set appropriately.
Florentino Sanchez commented
Please note that the RADIUS timeout is configurable on SFOS v18.
Bump. 6 years later...
Any update on this? Surely this isn't a difficult fix. With all the security concerns being raised today in the media, more clients are looking at security, and MFA is one important aspect of this. When do we expect a fix?
Matt Webb commented
Not sure how this is still in limbo. Can we get any update from the folks at Sophos on this one? I'm going to have a lot of MFA frustration around here.
Peter Chick commented
We also need to use External RADIUS 2FA authentication (Microsoft / Azure). Being unable to adjust the timeout renders all these other solutions useless.
We need to use a unified 2FA solution for all our services.
Please can this be looked at as soon as possible.
We have used Astaro and Sophos UTM for more than 10 years. We managed to get async Two Factor Authentication with Azure MFA working by adjusting the timeout in a config file (which is not supported, but worked fine). Now (I think with one update) this configuration seems to be ignored and the timeout seems to be hardcoded to 15 seconds. So 2FA is not working anymore.
We are going to change the firewall product!
I am very disappointed with Sophos and I am glad we use only the Firewall, not WLAN and RED, so changing is easy for us.
How difficult could it be to implement this???
I would also find this feature to be extremely useful. The ability to extend the RADIUS timeout would be an indispensable feature for those trying to integrate external dual factor authentication to the UTM's services such as WebAdmin, User Portal, VPN, etc. Andrew's suggestion seems to work, but it appears that you have to reset the change after some upgrades, otherwise the timeout is too short again if using some sort of push authentication.
Andrew G commented
I have at least received this from Sophos Support:
You may run: sudo vi /var/aua/AuaConfig.pm then edit the value for $radius_timeout.
***Please be informed that it is not advisable to edit these settings and Sophos Support is not liable if an issue occurs after updating these settings.***
Doing this has stopped the timeout error, but I haven't quite gotten it working; it only works when it's already cached the previous RADIUS authentication.
Radek Hruby commented
Hi Sophos, this has been requested back in 2012 - is it that hard to implement such a small change that might make your system compatible with many dual factor authentications???
I would also like to use two-factor with PhoneFactor with the Microsoft Azure application.
Please can you add this functionality ASAP, because other competing solutions do have this setting. Why not you?
This would be really useful.
Harrison Heck commented
In this day and age, this is a must. This should be a very high priority.
I second this request. We are forced to have two factor authentication and PhoneFactor is pretty easy to roll-out.
Steve T. commented
I would really like to implement PhoneFactor with our Sophos UTM but the timeout issue appears to be the only roadblock.
I second this request. Most of the two-factor authentication methods we have looked at are not compatible with the ASG. Our client base is moving towards two-factor authentication.