Allow Setting RADIUS Timeout for EAP-RADIUS?



  • There is currently no way to adjust the RADIUS timeout for EAP-RADIUS authentication in conjunction with Mobile IKEv2. The "Authentication Timeout" setting in System -> User Manager -> Authentication Servers is ignored.

    Instead the following defaults are used:
    https://github.com/strongswan/strongswan/blob/5.6.0/conf/plugins/eap-radius.opt

    
    charon.plugins.eap-radius.retransmit_base = 1.4
    	Base to use for calculating exponential back off.
    
    charon.plugins.eap-radius.retransmit_timeout = 2.0
    	Timeout in seconds before sending first retransmit.
    
    charon.plugins.eap-radius.retransmit_tries = 4
            Number of times to retransmit a packet before giving up.
    
    charon.plugins.eap-radius.sockets = 1
            Number of sockets (ports) to use, increase for high load.
    
    

    Retransmit explained: https://wiki.strongswan.org/projects/1/wiki/Retransmission

    To use 2FA/MFA with RADIUS the timeout needs to be adjusted to 60s, retries eliminated, and sockets need to be adjusted to allow more than one concurrent authentication.

    For now I made a hardcoded change under the eap-radius section in /etc/inc/vpn.inc:
    https://github.com/pfsense/pfsense/blob/v2.4.2_1/src/etc/inc/vpn.inc

    
    	/* write an eap-radius config section if appropriate */
    	if (strlen($radius_server_txt) && ($mobile_ipsec_auth === "eap-radius")) {
    		$strongswan .= <<<EOD
    		eap-radius {
    			class_group = yes
    			eap_start = no

    			sockets = 10
    			retransmit_tries = 1
    			retransmit_base = 1.0
    			retransmit_timeout = 60.0

    			{$radius_accounting}
    			servers {
    				{$radius_server_txt}
    			}
    		}
    EOD;
    	}
    

    It'd be great if these four settings were added to the "Extended Authentication (Xauth)" section in VPN -> IPsec -> Mobile Clients.


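Added example (not from the original post, strongSwan or pfSense): a short Python check that reads the four eap-radius options from a config section and works out how long charon waits for a RADIUS reply before giving up. It assumes wait number i is retransmit_timeout * retransmit_base^i and that retransmit_tries counts total send attempts, which is how the post reads retransmit_tries = 1 as eliminating retries; the function names and the 60 s window parameter are hypothetical.

```python
import re

# Defaults from eap-radius.opt as quoted in the post.
DEFAULTS = {"retransmit_base": 1.4, "retransmit_timeout": 2.0,
            "retransmit_tries": 4, "sockets": 1}

# Constructed sample: the post's eap-radius section with the PHP variables removed.
POST_SECTION = """
eap-radius {
    class_group = yes
    eap_start = no
    sockets = 10
    retransmit_tries = 1
    retransmit_base = 1.0
    retransmit_timeout = 60.0
}
"""

def parse_eap_radius(conf_text):
    """Read the four tunables from a section, falling back to the defaults."""
    opts = dict(DEFAULTS)
    for key, value in re.findall(r"^\s*(\w+)\s*=\s*([\d.]+)\s*$", conf_text, re.M):
        if key in opts:
            opts[key] = type(DEFAULTS[key])(float(value))
    return opts

def wait_schedule(opts):
    """Seconds waited after each send.

    ASSUMPTION: wait i = retransmit_timeout * retransmit_base**i, and
    retransmit_tries is the total number of sends (first send included).
    """
    return [opts["retransmit_timeout"] * opts["retransmit_base"] ** i
            for i in range(opts["retransmit_tries"])]

def review(opts, mfa_window=60.0):
    """Summarise whether the settings leave room for a user to answer an MFA prompt."""
    waits = wait_schedule(opts)
    total = sum(waits)
    return {"waits": [round(w, 3) for w in waits],
            "total": round(total, 3),
            "covers_mfa": total >= mfa_window,
            "retransmits": len(waits) - 1,
            "sockets": opts["sockets"]}

if __name__ == "__main__":
    print("defaults:", review(parse_eap_radius("")))
    print("post    :", review(parse_eap_radius(POST_SECTION)))
```

Under these assumptions the defaults give up after about 14 seconds, while the post's values wait a single 60 second interval with no retransmit.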