Feature #11211
Status: closed
GUI option to set RADIUS Timeout for EAP-RADIUS
Description
See https://forum.netgate.com/topic/108637/ipsec-ikev2-with-eap-radius-vpn-azure-multi-factor-authentication
and https://forum.netgate.com/topic/128539/allow-setting-radius-timeout-for-eap-radius
There is currently no way to adjust the RADIUS timeout for EAP-RADIUS authentication in conjunction with Mobile IKEv2. The "Authentication Timeout" setting in System -> User Manager -> Authentication Servers is ignored.
Instead the following defaults are used:
https://github.com/strongswan/strongswan/blob/5.9.0/conf/plugins/eap-radius.opt:
    charon.plugins.eap-radius.retransmit_base = 1.4
        Base to use for calculating exponential back off.
    charon.plugins.eap-radius.retransmit_timeout = 2.0
        Timeout in seconds before sending first retransmit.
    charon.plugins.eap-radius.retransmit_tries = 4
        Number of times to retransmit a packet before giving up.
    charon.plugins.eap-radius.sockets = 1
        Number of sockets (ports) to use, increase for high load.
To use 2FA/MFA with RADIUS the timeout needs to be adjusted to 60s, retries eliminated, and sockets need to be adjusted to allow more than one concurrent authentication.
It would be nice to add "RADIUS Advanced options" to vpn_ipsec_mobile.php.
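An added example (not pfSense or strongSwan code) that reads the retransmit tunables out of an eap-radius block of strongswan.conf and flags the settings the description says break a push/OTP MFA login; the back-off schedule it uses to estimate the total wait (timeout multiplied by base to the n-th power) is an assumption, not taken from strongSwan's source.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the eap-radius block quoted in this issue.
SAMPLE_CONF = """eap-radius {
    retransmit_base = 1.4
    retransmit_timeout = 60
    retransmit_tries = 0
    sockets = 2
    servers { localradius { address = 127.0.0.1 secret = "x" auth_port = 1812 } }
}"""

@dataclass
class EapRadiusRetransmit:
    base: float = 1.4      # strongSwan 5.9.0 defaults from eap-radius.opt
    timeout: float = 2.0
    tries: int = 4
    sockets: int = 1

    def waits(self):
        # Assumed back-off schedule (not taken from strongSwan source): the first
        # wait is `timeout`, and each retransmit multiplies the wait by `base`.
        return [self.timeout * self.base ** n for n in range(self.tries + 1)]

    def total_wait(self):
        return sum(self.waits())

def parse_eap_radius(conf: str) -> EapRadiusRetransmit:
    """Read the four retransmit tunables from the eap-radius section, with defaults."""
    m = re.search(r"eap-radius\s*\{(.*)", conf, re.S)
    body = m.group(1) if m else ""
    def get(key, cast, default):
        k = re.search(rf"\b{key}\s*=\s*([0-9.]+)", body)
        return cast(k.group(1)) if k else default
    return EapRadiusRetransmit(
        base=get("retransmit_base", float, 1.4),
        timeout=get("retransmit_timeout", float, 2.0),
        tries=get("retransmit_tries", int, 4),
        sockets=get("sockets", int, 1),
    )

def mfa_problems(cfg: EapRadiusRetransmit, mfa_seconds: float = 60.0) -> list:
    """List the settings that the issue says break a push/OTP MFA login."""
    checks = [
        (cfg.timeout < mfa_seconds, "retransmit_timeout is shorter than the MFA prompt"),
        (cfg.tries > 0, "retransmits would resend the request while the user is still answering"),
        (cfg.sockets < 2, "a single socket serialises concurrent authentications"),
    ]
    return [msg for bad, msg in checks if bad]
```

With the 5.9.0 defaults the estimated total wait is under 22 seconds, far short of a 60 second MFA prompt, which is why all three checks fire on a default configuration.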
Updated by Viktor Gurov almost 4 years ago
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Pull Request Review
- Target version set to CE-Next
Updated by Renato Botelho almost 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
Updated by Jim Pingle over 3 years ago
- Target version changed from CE-Next to 2.6.0
Updated by Jim Pingle over 3 years ago
- Subject changed from Allow Setting RADIUS Timeout for EAP-RADIUS to GUI option to set RADIUS Timeout for EAP-RADIUS
Updating subject for release notes.
Updated by Viktor Gurov over 3 years ago
Works as expected on 21.05.r.20210526.1807.
I can see the advanced parameters in `/var/etc/ipsec/strongswan.conf`:
    eap-radius {
        load = 2
        class_group = yes
        eap_start = no
        retransmit_base = 2
        retransmit_timeout = 5
        retransmit_tries = 6
        sockets = 2
        servers {
            localradius {
                address = 127.0.0.1
                secret = "123"
                auth_port = 1812
                acct_port = 1813
            }
        }
    }
But it doesn't allow entering a number with a decimal point in the "Retransmit Base" and "Retransmit Timeout" fields.
Fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/269
But this is not critical.
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.6.0 to 2.5.2
Updated by Jim Pingle over 3 years ago
Open a fresh issue for that input validation concern, we can work on that for the next release separate from this.