Allow Setting RADIUS Timeout for EAP-RADIUS?
- 
 There is currently no way to adjust the RADIUS timeout for EAP-RADIUS authentication in conjunction with Mobile IKEv2. The "Authentication Timeout" setting in System -> User Manager -> Authentication Servers is ignored. Instead the following defaults are used: 
 https://github.com/strongswan/strongswan/blob/5.6.0/conf/plugins/eap-radius.opt

```
charon.plugins.eap-radius.retransmit_base = 1.4
	Base to use for calculating exponential back off.

charon.plugins.eap-radius.retransmit_timeout = 2.0
	Timeout in seconds before sending first retransmit.

charon.plugins.eap-radius.retransmit_tries = 4
	Number of times to retransmit a packet before giving up.

charon.plugins.eap-radius.sockets = 1
	Number of sockets (ports) to use, increase for high load.
```

 Retransmit explained: https://wiki.strongswan.org/projects/1/wiki/Retransmission

 To use 2FA/MFA with RADIUS the timeout needs to be adjusted to 60s, retries eliminated, and sockets need to be adjusted to allow more than one concurrent authentication. For now I made a hardcoded change under the eap-radius section in /etc/inc/vpn.inc:

 https://github.com/pfsense/pfsense/blob/v2.4.2_1/src/etc/inc/vpn.inc

```php
/* write an eap-radius config section if appropriate */
if (strlen($radius_server_txt) && ($mobile_ipsec_auth === "eap-radius")) {
	$strongswan .= <<<EOD
		eap-radius {
			class_group = yes
			eap_start = no
			sockets = 10
			retransmit_tries = 1
			retransmit_base = 1.0
			retransmit_timeout = 60.0
			{$radius_accounting}
			servers {
				{$radius_server_txt}
			}
		}
EOD;
}
```

 It'd be great if these four settings were added to the "Extended Authentication (Xauth)" section in VPN -> IPsec -> Mobile Clients. 
- 
 feature request created: https://redmine.pfsense.org/issues/11211 
- 
 @viktor_g said in Allow Setting RADIUS Timeout for EAP-RADIUS?:

 > feature request created: https://redmine.pfsense.org/issues/11211

 Sorry to “wake” this thread again. But I can see from redmine request #11211 that it is completed/done and included in 21.05 / 2.5.2 but: I cannot see what the fix really did?

 As there are no new/additional GUI settings as first requested, does the fix then just make EAP-Radius in IPsec respect the radius time-out setting in user-manager -> authentication servers? Or is all it does make some advanced settings available in strongswan.conf that you can edit without having to hardcode it in build files? 
- 
 @keyser BUMP… anyone? 
- 
 @keyser see the VPN / IPsec / Mobile Clients page: 
  
- 
 @viktor_g Cool, I didn’t notice that. Do you have a brief explanation of how to cover “best use” scenarios? The primary problem is that a lot of users are in countries where Azure MFA notifications might take a while to surface on users' authenticator app on phones. 
- 
 @keyser You can try to increase the Retransmit Timeout (>10) to give your users time for MFA 
- 
 @viktor_g Thanks - I'll give that a try 
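
Added example, not part of any post in this thread and not pfSense or strongSwan code: a small calculator for how long charon waits for a RADIUS reply under the eap-radius settings from the first post, which is the window a user has to approve an MFA prompt. It assumes `retransmit_tries` counts every send and that send n (counting from 0) waits `retransmit_timeout * retransmit_base**n`; the server entry and the function names are constructed.

```python
import re
from itertools import accumulate

# strongSwan 5.6.0 defaults quoted in the first post (eap-radius.opt).
DEFAULTS = {"retransmit_base": 1.4, "retransmit_timeout": 2.0,
            "retransmit_tries": 4, "sockets": 1}
INT_KEYS = ("retransmit_tries", "sockets")

# eap-radius section from the first post; the pfSense template variables are
# replaced by a constructed placeholder server entry.
POSTED_SECTION = """
eap-radius {
    class_group = yes
    eap_start = no
    sockets = 10
    retransmit_tries = 1
    retransmit_base = 1.0
    retransmit_timeout = 60.0
    servers {
        example-server { address = 192.0.2.10 }
    }
}
"""

def parse_settings(section_text):
    """Overlay the numeric tuning keys found in a section onto DEFAULTS."""
    settings = dict(DEFAULTS)
    pattern = r"^\s*(\w+)\s*=\s*([\d.]+)\s*$"
    for key, value in re.findall(pattern, section_text, re.MULTILINE):
        if key in settings:
            settings[key] = int(value) if key in INT_KEYS else float(value)
    return settings

def wait_schedule(settings):
    """Seconds waited after each send. Assumption: retransmit_tries counts
    all sends, and send n (from 0) waits retransmit_timeout * base**n."""
    return [settings["retransmit_timeout"] * settings["retransmit_base"] ** n
            for n in range(settings["retransmit_tries"])]

def check_mfa_window(settings, mfa_seconds):
    """Return (total_wait, resends_inside_window, window_is_covered)."""
    waits = wait_schedule(settings)
    resend_times = list(accumulate(waits))[:-1]  # last timeout = give up
    resends = sum(1 for t in resend_times if t < mfa_seconds)
    return sum(waits), resends, sum(waits) >= mfa_seconds

if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULTS),
                      ("posted", parse_settings(POSTED_SECTION))):
        print(name, check_mfa_window(cfg, 60))
```

Under these assumptions the defaults give up after roughly 14 seconds with three resends of the Access-Request, while the posted values wait a single 60-second interval with no resend.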

