    Netgate Discussion Forum
    Allow Setting RADIUS Timeout for EAP-RADIUS?

    IPsec
    • ltctech

      There is currently no way to adjust the RADIUS timeout for EAP-RADIUS authentication in conjunction with Mobile IKEv2. The "Authentication Timeout" setting in System -> User Manager -> Authentication Servers is ignored.

      Instead the following defaults are used:
      https://github.com/strongswan/strongswan/blob/5.6.0/conf/plugins/eap-radius.opt

      
      charon.plugins.eap-radius.retransmit_base = 1.4
          Base to use for calculating exponential back off.

      charon.plugins.eap-radius.retransmit_timeout = 2.0
          Timeout in seconds before sending first retransmit.

      charon.plugins.eap-radius.retransmit_tries = 4
          Number of times to retransmit a packet before giving up.

      charon.plugins.eap-radius.sockets = 1
          Number of sockets (ports) to use, increase for high load.
      
      

      Retransmit explained: https://wiki.strongswan.org/projects/1/wiki/Retransmission

      To use 2FA/MFA with RADIUS the timeout needs to be adjusted to 60s, retries eliminated, and sockets need to be adjusted to allow more than one concurrent authentication.

      For now I made a hardcoded change under the eap-radius section in /etc/inc/vpn.inc:
      https://github.com/pfsense/pfsense/blob/v2.4.2_1/src/etc/inc/vpn.inc

      
      	/* write an eap-radius config section if appropriate */
      	if (strlen($radius_server_txt) && ($mobile_ipsec_auth === "eap-radius")) {
      		$strongswan .= <<<EOD
      	eap-radius {
      		class_group = yes
      		eap_start = no

      		# hardcoded RADIUS retransmit tuning for 2FA/MFA: one long wait, no back-off,
      		# and enough sockets for several concurrent authentications
      		sockets = 10
      		retransmit_tries = 1
      		retransmit_base = 1.0
      		retransmit_timeout = 60.0

      		{$radius_accounting}
      		servers {
      			{$radius_server_txt}
      		}
      	}

      EOD;
      	}
      

      It'd be great if these four settings were added to the "Extended Authentication (Xauth)" section in VPN -> IPsec -> Mobile Clients.

      • viktor_g (Netgate)
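As an added worked example (not code from the post, from strongSwan or from pfSense), the following Python models the three charon.plugins.eap-radius retransmit knobs quoted above and shows why the stock values defeat push-based MFA: with the defaults charon has resent the Access-Request four times and given up on the RADIUS server after roughly 22 seconds, whereas the 60-second, no-backoff values the post hardcodes leave two minutes for the user to approve a push. The schedule formula (timeout * base^n, with retransmit_tries resends after the initial send) is taken from the linked retransmission wiki page and is an assumption here; the 30-second MFA approval latency is a constructed sample value, and the sockets knob is not modelled.

```python
"""Model of the charon.plugins.eap-radius retransmit settings (added example).

Assumption (from the strongSwan retransmission wiki page linked in the post):
the n-th wait is retransmit_timeout * retransmit_base ** n, there is one
initial send followed by retransmit_tries retransmits, and charon gives up
when the wait after the last retransmit also expires.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class EapRadiusRetransmit:
    """The three eap-radius knobs that decide how long charon waits on RADIUS."""
    retransmit_timeout: float  # seconds before the first retransmit
    retransmit_base: float     # exponential back-off base (1.0 = no back-off)
    retransmit_tries: int      # retransmits sent before giving up

    def schedule(self) -> List[float]:
        """Seconds charon waits after each send (initial send + each retransmit)."""
        return [self.retransmit_timeout * self.retransmit_base ** n
                for n in range(self.retransmit_tries + 1)]

    def total_wait(self) -> float:
        """Seconds from the first Access-Request until charon declares the server dead."""
        return sum(self.schedule())

    def answers_in_time(self, radius_latency: float) -> bool:
        """True if a server that answers after `radius_latency` seconds is still heard."""
        return self.total_wait() >= radius_latency

    def duplicate_requests_within(self, radius_latency: float) -> int:
        """Retransmits (duplicate Access-Requests) sent while the server is still
        working on the first one, e.g. waiting for the user to approve an MFA push.
        An MFA-backed RADIUS server may turn each duplicate into another push."""
        elapsed = 0.0
        dupes = 0
        # The final wait ends in a give-up rather than a resend, hence [:-1].
        for wait in self.schedule()[:-1]:
            elapsed += wait
            if elapsed >= radius_latency:
                break
            dupes += 1
        return dupes


# Stock values from conf/plugins/eap-radius.opt quoted in the post.
DEFAULTS = EapRadiusRetransmit(retransmit_timeout=2.0, retransmit_base=1.4,
                               retransmit_tries=4)
# Values the post hardcodes into vpn.inc for 2FA/MFA.
MFA_TUNING = EapRadiusRetransmit(retransmit_timeout=60.0, retransmit_base=1.0,
                                 retransmit_tries=1)

# Constructed sample: how long a user takes to approve the push on their phone.
SAMPLE_MFA_LATENCY = 30.0


def report(name: str, cfg: EapRadiusRetransmit, latency: float) -> str:
    """One-line summary used by main(); returns the text so it can be checked."""
    return (f"{name}: waits={[round(w, 2) for w in cfg.schedule()]} "
            f"total={cfg.total_wait():.1f}s "
            f"answered_in_time={cfg.answers_in_time(latency)} "
            f"duplicate_requests={cfg.duplicate_requests_within(latency)}")


def main() -> None:
    print(report("defaults  ", DEFAULTS, SAMPLE_MFA_LATENCY))
    print(report("mfa tuning", MFA_TUNING, SAMPLE_MFA_LATENCY))


if __name__ == "__main__":
    main()
```

Run it to compare the two profiles; with the defaults the approval arrives after charon has already failed the authentication, which is exactly the symptom the post works around.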

        feature request created: https://redmine.pfsense.org/issues/11211

        • keyser @viktor_g

          @viktor_g said in Allow Setting RADIUS Timeout for EAP-RADIUS?:

          feature request created: https://redmine.pfsense.org/issues/11211

          Sorry to “wake” this thread again. But I can see from redmine request #11211 that it is completed/done and included in 21.05 / 2.5.2 but:

          I cannot see what the fix really did? As there are no new/additional GUI settings as first requested, does the fix then just make EAP-RADIUS in IPsec respect the RADIUS time-out setting in user-manager -> authentication servers?

          Or is all it does make some advanced settings available in strongswan.conf that you can edit without having to hardcode it in build files?

          • keyser @keyser

            @keyser BUMP… anyone?

            • viktor_g (Netgate) @keyser

              @keyser see the VPN / IPsec / Mobile Clients page:
              [attached image: Screenshot from 2021-11-16 08-03-30.png]

              • keyser @viktor_g

                @viktor_g Cool, I didn’t notice that.

                Do you have a brief explanation of how to cover “best use” scenarios?

                The primary problem is that a lot of users are in countries where Azure MFA notifications might take a while to surface in the users' Authenticator app on their phones.

                • viktor_g (Netgate) @keyser

                  @keyser You can try to increase the Retransmit Timeout (>10) to give your users time for MFA

                  • keyser @viktor_g

                    @viktor_g Thanks - I'll give that a try
