Feature #11211

Allow Setting RADIUS Timeout for EAP-RADIUS

Added by Viktor Gurov about 2 months ago. Updated 9 days ago.

Status: Feedback
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 01/02/2021
Due date:
% Done: 0%
Estimated time:

Description

See https://forum.netgate.com/topic/108637/ipsec-ikev2-with-eap-radius-vpn-azure-multi-factor-authentication
and https://forum.netgate.com/topic/128539/allow-setting-radius-timeout-for-eap-radius

There is currently no way to adjust the RADIUS timeout for EAP-RADIUS authentication in conjunction with Mobile IKEv2. The "Authentication Timeout" setting in System -> User Manager -> Authentication Servers is ignored.

Instead the following defaults are used:
https://github.com/strongswan/strongswan/blob/5.9.0/conf/plugins/eap-radius.opt:

charon.plugins.eap-radius.retransmit_base = 1.4
    Base to use for calculating exponential back off.

charon.plugins.eap-radius.retransmit_timeout = 2.0
    Timeout in seconds before sending first retransmit.

charon.plugins.eap-radius.retransmit_tries = 4
    Number of times to retransmit a packet before giving up.

charon.plugins.eap-radius.sockets = 1
    Number of sockets (ports) to use, increase for high load.

To use 2FA/MFA with RADIUS the timeout needs to be adjusted to 60s, retries eliminated, and sockets need to be adjusted to allow more than one concurrent authentication.

It would be nice to add "RADIUS Advanced options" to vpn_ipsec_mobile.php.
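
The effect of the defaults quoted in the description, as an added Python example that is not part of the original issue or of pfSense or strongSwan code. It assumes the wait after transmission n is `retransmit_timeout * retransmit_base**n` and that `retransmit_tries` counts every transmission; the `PROPOSED` values and all function names are constructed for illustration.

```python
import re

# Defaults quoted on this page from strongSwan 5.9.0 eap-radius.opt.
DEFAULTS = """\
charon.plugins.eap-radius.retransmit_base = 1.4
charon.plugins.eap-radius.retransmit_timeout = 2.0
charon.plugins.eap-radius.retransmit_tries = 4
charon.plugins.eap-radius.sockets = 1
"""
# Constructed values matching the request: 60 s timeout, no retries, more sockets.
PROPOSED = """\
charon.plugins.eap-radius.retransmit_base = 1.4
charon.plugins.eap-radius.retransmit_timeout = 60
charon.plugins.eap-radius.retransmit_tries = 1
charon.plugins.eap-radius.sockets = 5
"""
OPT = re.compile(r"\s*charon\.plugins\.eap-radius\.(\w+)\s*=\s*([\d.]+)\s*$")

def parse_opts(text):
    """Return {option: float} for each eap-radius 'key = value' line."""
    return {m.group(1): float(m.group(2))
            for m in map(OPT.match, text.splitlines()) if m}

def wait_schedule(opts):
    """Seconds waited after each transmission.

    Assumption: wait n (0-based) is retransmit_timeout * retransmit_base**n,
    and retransmit_tries counts every transmission, including the first.
    """
    return [opts["retransmit_timeout"] * opts["retransmit_base"] ** n
            for n in range(int(opts["retransmit_tries"]))]

def assess(opts, mfa_seconds):
    """Compare the RADIUS response window with the time a user needs for MFA."""
    waits = wait_schedule(opts)
    send_times = [sum(waits[:i]) for i in range(len(waits))]
    return {
        "waits": [round(w, 3) for w in waits],
        "window": round(sum(waits), 3),  # seconds until the request is abandoned
        # Retransmits sent while the user is still approving the prompt.
        "duplicates": sum(1 for t in send_times[1:] if t < mfa_seconds),
        "covers_mfa": sum(waits) >= mfa_seconds,
        "sockets": int(opts["sockets"]),
    }

if __name__ == "__main__":
    for name, text in (("defaults", DEFAULTS), ("proposed", PROPOSED)):
        print(name, assess(parse_opts(text), mfa_seconds=60))
```

Under these assumptions the defaults abandon the request after about 14.2 seconds and resend it three times in that window, while the constructed 60-second, single-try settings keep one request open for the full MFA interaction.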

Associated revisions

Revision 6542fe08 (diff)
Added by Viktor Gurov 9 days ago

RADIUS Advanced parameters. Feature #11211

History

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review
  • Target version set to CE-Next

#3 Updated by Renato Botelho 9 days ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!
