Feature #11211

GUI option to set RADIUS Timeout for EAP-RADIUS

Added by Viktor Gurov 5 months ago. Updated 10 days ago.

Status: Closed
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 01/02/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 21.05
Release Notes: Default

Description

See https://forum.netgate.com/topic/108637/ipsec-ikev2-with-eap-radius-vpn-azure-multi-factor-authentication
and https://forum.netgate.com/topic/128539/allow-setting-radius-timeout-for-eap-radius

There is currently no way to adjust the RADIUS timeout for EAP-RADIUS authentication in conjunction with Mobile IKEv2. The "Authentication Timeout" setting in System -> User Manager -> Authentication Servers is ignored.

Instead, the following defaults are used (from https://github.com/strongswan/strongswan/blob/5.9.0/conf/plugins/eap-radius.opt):

charon.plugins.eap-radius.retransmit_base = 1.4
    Base to use for calculating exponential back off.

charon.plugins.eap-radius.retransmit_timeout = 2.0
    Timeout in seconds before sending first retransmit.

charon.plugins.eap-radius.retransmit_tries = 4
    Number of times to retransmit a packet before giving up.

charon.plugins.eap-radius.sockets = 1
    Number of sockets (ports) to use, increase for high load.

To use 2FA/MFA with RADIUS, the timeout needs to be adjusted to 60s, retries eliminated, and the number of sockets adjusted to allow more than one concurrent authentication.

It would be nice to add "RADIUS Advanced options" to vpn_ipsec_mobile.php.
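As an added check (not part of this issue or of pfSense's own code), the following Python parses an eap-radius section in the format pfSense writes to /var/etc/ipsec/strongswan.conf and flags the three settings the description calls out for MFA. The sample configuration is constructed, and the back-off model in retransmit_waits is an assumption rather than strongSwan's actual retransmit logic.

```python
# Constructed sample of the eap-radius section pfSense writes to strongswan.conf, filled with the 5.9.0 defaults.
DEFAULTS_CONF = """\
eap-radius {
    retransmit_base = 1.4
    retransmit_timeout = 2.0
    retransmit_tries = 4
    sockets = 1
    servers {
        localradius {
            address = 127.0.0.1
        }
    }
}
"""
def parse_strongswan_conf(text):
    """Parse strongswan.conf 'section { key = value }' syntax into nested dicts."""
    stack = [{}]  # stack[-1] is the section currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):  # open a nested section
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == "}":  # close the current section
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip().strip('"')
    return stack[0]
def retransmit_waits(timeout, base, tries):
    # Assumed back-off model (not strongSwan's source): retransmit n is sent
    # after timeout * base**n seconds, for n = 0 .. tries-1.
    return [timeout * base ** n for n in range(tries)]
def check_mfa_readiness(conf, approve_seconds=60.0):
    """Return (total back-off window in seconds, findings) for a parsed conf."""
    er = conf["eap-radius"]
    timeout = float(er.get("retransmit_timeout", 2.0))  # decimals must be accepted
    base = float(er.get("retransmit_base", 1.4))
    tries = int(er.get("retransmit_tries", 4))
    sockets = int(er.get("sockets", 1))
    findings = []
    if timeout < approve_seconds:
        findings.append("retransmit_timeout %.1fs is below the %.0fs an MFA approval needs" % (timeout, approve_seconds))
    if tries > 0:
        findings.append("retransmit_tries=%d: a retransmitted request can repeat the MFA challenge" % tries)
    if sockets < 2:
        findings.append("sockets=%d: more than one is needed for concurrent authentications" % sockets)
    return sum(retransmit_waits(timeout, base, tries)), findings
```

With the defaults the whole back-off window adds up to roughly 14 seconds, far short of the 60 seconds a user needs to approve a push, which is why all three findings fire.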

Associated revisions

Revision 6542fe08 (diff)
Added by Viktor Gurov 4 months ago

RADIUS Advanced parameters. Feature #11211

Revision f5ab9736 (diff)
Added by Viktor Gurov 9 days ago

Allow to use numeric with decimal point for RADIUS Advanced Parameters. Feature #11211

Revision 8bbc34a2 (diff)
Added by Viktor Gurov 9 days ago

Allow to use numeric with decimal point for RADIUS Advanced Parameters. Feature #11211

(cherry picked from commit f5ab9736059e616e4a037591ef6f89d1c14e23ed)

History

#2 Updated by Jim Pingle 5 months ago

  • Status changed from New to Pull Request Review
  • Target version set to CE-Next

#3 Updated by Renato Botelho 4 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

#4 Updated by Jim Pingle about 1 month ago

  • Target version changed from CE-Next to 2.6.0

#5 Updated by Jim Pingle about 1 month ago

  • Plus Target Version set to 21.05

#6 Updated by Jim Pingle about 1 month ago

Already in 21.05 branch.

#7 Updated by Jim Pingle about 1 month ago

  • Subject changed from Allow Setting RADIUS Timeout for EAP-RADIUS to GUI option to set RADIUS Timeout for EAP-RADIUS

Updating subject for release notes.

#8 Updated by Viktor Gurov 16 days ago

Works as expected on 21.05.r.20210526.1807 -
I can see the advanced parameters in `/var/etc/ipsec/strongswan.conf`:

        eap-radius {
            load = 2
            class_group = yes
            eap_start = no
            retransmit_base = 2
            retransmit_timeout = 5
            retransmit_tries = 6
            sockets = 2
            servers {
                localradius {
                    address = 127.0.0.1
                    secret = "123" 
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }

But it doesn't allow entering a numeric value with a decimal point in the "Retransmit Base" and "Retransmit Timeout" fields.
Fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/269

But this is not critical.

#9 Updated by Jim Pingle 16 days ago

  • Target version changed from 2.6.0 to 2.5.2

#10 Updated by Jim Pingle 16 days ago

Open a fresh issue for that input validation concern; we can work on that for the next release, separate from this.

#11 Updated by Jim Pingle 10 days ago

  • Status changed from Feedback to Closed
