
Radius timeout Access Server 2.5

Posted: Wed Dec 05, 2018 4:44 am
by clegga
Hi

I have a virtual appliance version 2.5 using radius for authentication. Radius is via NPS on a Windows server with the Azure NPS plugin for MFA installed. Users are processing a push notification on their device to accept the MFA challenge via the radius server.

For the most part this works, but occasionally for some users the MFA challenge takes longer than usual and in this circumstance the radius authentication times out. Usually if the user repeats the process, it then goes through.

I have done much research on how to modify the radius timeout via the CLI (there is no GUI option) or a config file, but everything I find seems to refer to config structures that are not present on this access server (e.g. server.conf and radiusplugin.cnf, which do not exist - this version appears to store radius configuration in a database, config.db).

Is there a way to configure the radius retries and timeout in this version of access server?

Aaron

Re: Radius timeout Access Server 2.5

Posted: Wed Dec 05, 2018 9:05 am
by novaflash
I'm reasonably certain there are no configurable options for that at this time, sorry. If I find any different I'll post here.

Re: Radius timeout Access Server 2.5

Posted: Wed Oct 21, 2020 10:41 am
by jjensen
I am seeing the exact same issue on the exact same setup. Any news or resolution to this?

Re: Radius timeout Access Server 2.5

Posted: Tue Oct 27, 2020 10:11 pm
by mouseymoo
I've also just spent hours trying to figure out a solution for this. There doesn't seem to be a way to add a key to change the equivalent of "--connect-retry-max n" or "--connect-retry n [max]" with a normal server configuration file. My understanding is that the Access Server uses a database on the fly versus the traditional server config file. The closest thing I've found in the documentation is for the "Authentication failure lockout policy" but this is not what is needed. It's when a user reconnects and doesn't reach the MFA in time before getting locked out.

Re: Radius timeout Access Server 2.5

Posted: Fri Feb 19, 2021 8:05 am
by wander
Support helped me :D
I also configured the server to allow multiple sessions per user.

#go to scripts folder
cd /usr/local/openvpn_as/scripts/

#check server timeout
./sacli configquery | grep "auth.radius.0.per_server_timeout"

#change server time out and update running server
./confdba -mk auth.radius.0.per_server_timeout -v 60
./sacli start

Re: Radius timeout Access Server 2.5

Posted: Fri Feb 19, 2021 6:36 pm
by openvpn_inc
Hi wander,

Thanks for updating - yes that function is now present! :)

Kind regards,
Johan

Re: Radius timeout Access Server 2.5

Posted: Fri Mar 10, 2023 2:44 pm
by cholt0425
I am having this exact issue but when I run those commands I get an error

chrish@VPN01:/usr/local/openvpn_as/scripts$ ./sacli ConfigQuery | grep "auth.radius.0.per_server_timeout"
ERROR: [Errno 2] No such file or directory: 'out/tmp-2Es7nl3p6vMm.tmp': util/options:79,sagent/sacli:510,util/file:142,util/file:137,util/file:130,util/simplefile:11 (exceptions.IOError)


I am not a Linux expert but I just don't understand why I can't execute these calls when everything seems to be in the scripts folder.

UPDATE: Problem was that sudo needed to be used and then this worked! Thanks!