Welcome to the Sophos User Bulletin Board.
Junior Member
Join Date: Apr 2012
Posts: 8
#1 (permalink)  
Old 04-28-2012, 11:20 PM

I am evaluating Astaro to replace a mix of Fortigate & Barracuda products, and I have hit a roadblock with RADIUS authentication.

We use PhoneFactor for a two-factor authentication scheme, which means the RADIUS server can take up to 60 seconds to authenticate.

When I test a RADIUS server using Astaro and I provide the incorrect password, the RADIUS server responds immediately with auth failed, and all is well. However, when I provide a correct password and test the RADIUS setup, Astaro replies immediately with "Timeout" - this is because my RADIUS system can take up to 60 seconds to report successful auth when the password is correct (because PhoneFactor then proceeds with calling the user's phone to complete the two-factor authentication).

I had the exact same issue with the Fortigate product, but they have a command line setting so the timeout value could be set high enough to give the RADIUS server time to respond.

Anyway, that is the background - and the question is: how can I configure Astaro to wait longer for my RADIUS server to respond?

Any help appreciated

Thanks

Ben

PS So far product looks great.

Last edited by benkatz; 04-29-2012 at 03:31 AM.
Wizard
Join Date: Sep 2009
Location: Düren, NRW, Germany
Posts: 760
#2 (permalink)  
Old 04-29-2012, 09:02 AM

Hi,

I think there is no way to configure that in WebAdmin. But if you can ssh into the box, there is normally a way to change things in the conf files of the RADIUS client. I don't know the exact file or path, but with a little searching you will find the right place (assuming that you have some Linux/Unix skills). But you have to be aware that changing things on the command line is not supported.

Regards
Manfred
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 20,085
#3 (permalink)  
Old 04-29-2012, 03:46 PM

Hi, benkatz, and welcome to the User BB!

You should ask your reseller to submit a ticket to Astaro Support. They likely have a command that will make a permanent change for you. Although they might allow you to do it yourself, they likely will want to do it themselves. In preparation for that, in 'WebAdmin Settings', add 207(dot)190(dot)231(dot)649(slash)27 to 'Allowed networks' and add a user "astaro" to the "SuperAdmins" group. Don't forget to hit [Apply].

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
Junior Member
Join Date: Apr 2012
Posts: 8
#4 (permalink)  
Old 04-29-2012, 04:45 PM

That's a good suggestion - alas, I've not selected a reseller yet, as I am just evaluating the VM appliance and just downloaded it from the site. Looks like a nice product - except for this RADIUS issue it seems a good choice.
Junior Member
Join Date: Apr 2012
Posts: 8
#5 (permalink)  
Old 04-29-2012, 09:38 PM

I actually managed to figure this out myself. For anyone else who needs a solution...

ssh to the box...

sudo vi /var/aua/AuaConfig.pm

edit the value for $radius_timeout to whatever is required (in my case 30, for 30 seconds)

Log out of the ssh session and reboot using the WebUI.

Works great, but of course it must be at risk of being lost in any upgrade, and it does make me worry about selecting a product which doesn't support what I need without a hack - hopefully it will be added as a setting in the UI one day... But for now that seems to work.
Agent of the System
Join Date: Feb 2006
Posts: 4,650
#6 (permalink)  
Old 04-30-2012, 12:51 PM

If you'd like to see this setting be persistent and configurable from WebAdmin, please add a request to Astaro Security Gateway Feature Requests: Hot (1025 ideas)
__________________
ACE/SCA
Sophos UTM 9.3x...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Master of Reality
Join Date: Oct 2005
Location: SC, USA
Posts: 4,841
#7 (permalink)  
Old 04-30-2012, 01:24 PM

This is good info -- the last time I contacted Astaro Support about this issue, they weren't much help (but it may be that the tech I talked to wasn't aware of this workaround). Definitely vote for the feature request at feature.astaro.com, as this is becoming more of an issue, and now it appears there is a simple fix. --- should be trivial to add this to confd / webadmin / middleware I would think.
__________________
Convergent Information Security Solutions, LLC
Sophos Platinum Solution Partner

Last edited by BrucekConvergent; 04-30-2012 at 02:37 PM.
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 20,085
#8 (permalink)  
Old 04-30-2012, 01:32 PM

I just looked at this solution. I don't see anything that would protect this from Up2Dates, although it does survive reboots. I suspect that this file might not be in the config backup, but you could test that by making a new backup, restoring an old one, and seeing if your change is left in place after the restore.

Cheers - Bob
PS I just ran this test myself. It appears that the AuaConfig.pm is NOT in the backup, and so is not immune to resets by Up2Date.

Last edited by BAlfson; 04-30-2012 at 09:56 PM. Reason: PS
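
Posts #5 and #8 together suggest a check to run after every Up2Date or restore: has the hand-edited $radius_timeout in /var/aua/AuaConfig.pm been reset? The script below is an added example, not part of the original thread and not Astaro tooling; it assumes the setting is a plain Perl scalar assignment (the thread gives the variable name and path, not the line's exact syntax), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect an Up2Date reset of the hand-edited RADIUS timeout.
# Assumption: the setting is a Perl scalar assignment such as
#   our $radius_timeout = 30;
# The thread names the variable and file but not the exact line syntax.

# Print the integer assigned to $radius_timeout in file $1
# (first match only; commented-out lines are ignored).
radius_timeout_of() {
    sed -n 's/^[^#]*\$radius_timeout[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# check_radius_timeout FILE MIN_SECONDS
# returns 0 = value >= MIN, 1 = value lower (drift), 2 = file or setting not found
check_radius_timeout() {
    file=$1; min=$2
    [ -r "$file" ] || { echo "UNKNOWN: cannot read $file"; return 2; }
    val=$(radius_timeout_of "$file")
    [ -n "$val" ] || { echo "UNKNOWN: no \$radius_timeout assignment in $file"; return 2; }
    if [ "$val" -lt "$min" ]; then
        echo "DRIFT: radius_timeout=$val, need >= $min"
        return 1
    fi
    echo "OK: radius_timeout=$val"
}

# Demo on constructed sample files (not copies of the real AuaConfig.pm).
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'package AuaConfig;' '# $radius_timeout = 99;  (old note)' \
        'our $radius_timeout = 30;' '1;' > "$dir/edited.pm"
    printf '%s\n' 'package AuaConfig;' 'our $radius_timeout = 3;' '1;' > "$dir/reset.pm"
    for f in edited reset; do
        check_radius_timeout "$dir/$f.pm" 30 && rc=0 || rc=$?
        echo "  -> exit status $rc for $f.pm"
    done
    rm -rf "$dir"
}

demo
# On the appliance (path from post #5):
#   check_radius_timeout /var/aua/AuaConfig.pm 30
```

A non-zero exit status means two-factor logins that need the longer wait will start failing with "Timeout" again, so the edit has to be reapplied.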