Allow Setting RADIUS Timeout for EAP-RADIUS?
-
There is currently no way to adjust the RADIUS timeout for EAP-RADIUS authentication in conjunction with Mobile IKEv2. The "Authentication Timeout" setting in System -> User Manager -> Authentication Servers is ignored.
Instead, the following defaults are used:
https://github.com/strongswan/strongswan/blob/5.6.0/conf/plugins/eap-radius.opt
charon.plugins.eap-radius.retransmit_base = 1.4
    Base to use for calculating exponential back off.
charon.plugins.eap-radius.retransmit_timeout = 2.0
    Timeout in seconds before sending first retransmit.
charon.plugins.eap-radius.retransmit_tries = 4
    Number of times to retransmit a packet before giving up.
charon.plugins.eap-radius.sockets = 1
    Number of sockets (ports) to use, increase for high load.
Retransmit explained: https://wiki.strongswan.org/projects/1/wiki/Retransmission
To use 2FA/MFA with RADIUS, the timeout needs to be adjusted to 60s, retries eliminated, and sockets need to be adjusted to allow more than one concurrent authentication.
For now I made a hardcoded change under the eap-radius section in /etc/inc/vpn.inc:
https://github.com/pfsense/pfsense/blob/v2.4.2_1/src/etc/inc/vpn.inc

```php
/* write an eap-radius config section if appropriate */
if (strlen($radius_server_txt) && ($mobile_ipsec_auth === "eap-radius")) {
	$strongswan .= <<<EOD
eap-radius {
	class_group = yes
	eap_start = no
	sockets = 10
	retransmit_tries = 1
	retransmit_base = 1.0
	retransmit_timeout = 60.0
	{$radius_accounting}
	servers {
		{$radius_server_txt}
	}
}

EOD;
}
```
It'd be great if these four settings were added to the "Extended Authentication (Xauth)" section in VPN -> IPsec -> Mobile Clients.
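As an added illustration of the three retransmit settings discussed above (this is not code from the thread, pfSense or strongSwan), the following models the retransmit schedule using the rule on the linked wiki page (wait retransmit_timeout * retransmit_base^n before the n-th retransmit, and one more interval after the last one before giving up) and renders the eap-radius section in the same layout as the vpn.inc snippet; the server entry is a constructed sample:

```python
# Added example (not from the thread, pfSense or strongSwan): compute how long
# charon keeps an EAP-RADIUS authentication open for the given retransmit
# settings, and render the matching strongswan.conf eap-radius section.

def retransmit_schedule(timeout, base, tries):
    """Seconds charon waits before each retransmit, plus the final wait before
    it gives up: timeout * base**n for n = 0 .. tries (wiki formula)."""
    if timeout <= 0 or base < 1.0 or tries < 0:
        raise ValueError("need timeout > 0, base >= 1.0 and tries >= 0")
    return [timeout * base ** n for n in range(tries + 1)]


def total_wait(timeout, base, tries):
    """Total seconds from the first RADIUS request until charon gives up."""
    return sum(retransmit_schedule(timeout, base, tries))


def allows_mfa_window(seconds_needed, timeout, base, tries):
    """True if a RADIUS Access-Accept arriving `seconds_needed` after the
    first request is still inside the window charon waits."""
    return seconds_needed < total_wait(timeout, base, tries)


def render_eap_radius_conf(servers, sockets=1, retransmit_tries=4,
                           retransmit_base=1.4, retransmit_timeout=2.0):
    """Render the eap-radius section; option names are those from
    conf/plugins/eap-radius.opt, the layout mirrors pfSense's vpn.inc."""
    lines = ["eap-radius {", "    class_group = yes", "    eap_start = no",
             f"    sockets = {sockets}",
             f"    retransmit_tries = {retransmit_tries}",
             f"    retransmit_base = {retransmit_base}",
             f"    retransmit_timeout = {retransmit_timeout}",
             "    servers {"]
    for name, cfg in servers.items():
        lines += [f"        {name} {{", f"            address = {cfg['address']}",
                  f"            secret = {cfg['secret']}", "        }"]
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(total_wait(2.0, 1.4, 4))    # plugin defaults: gives up after ~21.9 s
    print(total_wait(60.0, 1.0, 1))   # values hardcoded in the first post: 120 s
    sample = {"radius1": {"address": "192.0.2.10", "secret": "PLACEHOLDER"}}
    print(render_eap_radius_conf(sample, sockets=10, retransmit_tries=1,
                                 retransmit_base=1.0, retransmit_timeout=60.0))
```

With the plugin defaults a push notification that takes 30 s to approve arrives after charon has already given up; with the values from the first post the window is 120 s.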
-
feature request created: https://redmine.pfsense.org/issues/11211
-
@viktor_g said in Allow Setting RADIUS Timeout for EAP-RADIUS?:
feature request created: https://redmine.pfsense.org/issues/11211
Sorry to “wake” this thread again. But I can see from redmine request #11211 that it is completed/done and included in 21.05 / 2.5.2 but:
I cannot see what the fix really did. As there are no new/additional GUI settings as first requested, does the fix then just make EAP-RADIUS in IPsec respect the RADIUS time-out setting in User Manager -> Authentication Servers?
Or is all it does make some advanced settings available in strongswan.conf that you can edit without having to hardcode it in build files?
-
@keyser BUMP… anyone?
-
@keyser see the VPN / IPsec / Mobile Clients page:
-
@viktor_g Cool, I didn’t notice that.
Do you have a brief explanation of how to cover “best use” scenarios?
The primary problem is that a lot of users are in countries where Azure MFA notifications might take a while to surface in the users' Authenticator app on their phones.
-
@keyser You can try to increase the Retransmit Timeout (>10) to give your users time for MFA
-
@viktor_g Thanks - I'll give that a try