Allow Setting RADIUS Timeout for EAP-RADIUS?

  • There is currently no way to adjust the RADIUS timeout for EAP-RADIUS authentication in conjunction with Mobile IKEv2. The "Authentication Timeout" setting in System -> User Manager -> Authentication Servers is ignored.

    Instead the following defaults are used:

    charon.plugins.eap-radius.retransmit_base = 1.4
            Base to use for calculating exponential back off.
    charon.plugins.eap-radius.retransmit_timeout = 2.0
            Timeout in seconds before sending first retransmit.
    charon.plugins.eap-radius.retransmit_tries = 4
            Number of times to retransmit a packet before giving up.
    charon.plugins.eap-radius.sockets = 1
            Number of sockets (ports) to use, increase for high load.

    Retransmit explained:

    To use 2FA/MFA with RADIUS the timeout needs to be adjusted to 60s, retries eliminated, and sockets need to be adjusted to allow more than one concurrent authentication.

    For now I made a hardcoded change under the eap-radius section in /etc/inc/

    	/* write an eap-radius config section if appropriate */
    	if (strlen($radius_server_txt) && ($mobile_ipsec_auth === "eap-radius")) {
    		$strongswan .= <<<EOD
    		eap-radius {
    			class_group = yes
    			eap_start = no
    			sockets = 10
    			retransmit_tries = 1
    			retransmit_base = 1.0
    			retransmit_timeout = 60.0
    			servers {

    It'd be great if these four settings were added to the "Extended Authentication (Xauth)" section in VPN -> IPsec -> Mobile Clients.
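
An added example, not part of the original post and not pfSense or strongSwan code: a small audit that reads the top-level keys of an `eap-radius { }` section and checks them against the three needs the post states (60s wait, no retransmits, more than one socket). The function names and sample configs are constructed here, and the back-off model (send *i* waits `retransmit_timeout * retransmit_base**i` seconds, with `retransmit_tries` counting total sends) is an assumption.

```python
import re

# Defaults exactly as quoted in the post.
DEFAULTS = {"retransmit_base": 1.4, "retransmit_timeout": 2.0,
            "retransmit_tries": 4, "sockets": 1}

def parse_eap_radius(text):
    """Read the four settings from the top level of an eap-radius { } section;
    nested sections (e.g. servers) are skipped, missing keys keep the defaults."""
    cfg, depth = dict(DEFAULTS), 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0:
            if re.match(r"eap-radius\s*\{$", line):
                depth = 1
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:
            m = re.match(r"(\w+)\s*=\s*([\d.]+)$", line)
            if m and m.group(1) in cfg:
                cfg[m.group(1)] = float(m.group(2))
    cfg["retransmit_tries"] = int(cfg["retransmit_tries"])
    cfg["sockets"] = int(cfg["sockets"])
    return cfg

def audit(text, mfa_window=60.0):
    """Compare a config against the three needs stated in the post."""
    cfg = parse_eap_radius(text)
    # Assumed back-off model: send i (0-based) waits timeout * base**i seconds.
    waits = [cfg["retransmit_timeout"] * cfg["retransmit_base"] ** i
             for i in range(cfg["retransmit_tries"])]
    total = round(sum(waits), 3)
    return {"waits": waits, "total_wait": total,
            "retransmits": max(len(waits) - 1, 0), "sockets": cfg["sockets"],
            "fits_mfa": total >= mfa_window and len(waits) == 1
                        and cfg["sockets"] > 1}

# Constructed inputs: the stock section, and the section with the post's values.
STOCK = "eap-radius {\n\tclass_group = yes\n\teap_start = no\n}\n"
PATCHED = ("eap-radius {\n\tclass_group = yes\n\teap_start = no\n"
           "\tsockets = 10\n\tretransmit_tries = 1\n\tretransmit_base = 1.0\n"
           "\tretransmit_timeout = 60.0\n}\n")

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("patched", PATCHED)):
        print(name, audit(conf))
```

Under the assumed model the stock values give up after roughly 14 seconds across four sends, while the post's values make a single send that waits the full 60 seconds.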
