[Solved] Grant Access Immediately Upon Successful Authentication

Post your feature requests here
Post Reply
bwebb
Posts: 6
Joined: Fri Jul 02, 2021 6:37 pm

Fri Jul 02, 2021 7:00 pm

Currently we have a significant login delay in place because our external RADIUS server is an MFA agent. When a user logs in they are prompted on their phone so this delay is necessary to allow them to open the app and allow the connection. When a privileged local administrator account logs in, however, that bypasses MFA entirely but the delay is still processed every time instead of just allowing the user access.

If users were granted access immediately upon successful authentication without having to wait out the entire delay this would be a big help because we could extend the delay to whatever we want without impacting user experience negatively.
networknix
Posts: 9
Joined: Tue Mar 12, 2024 9:45 am

Tue Mar 12, 2024 10:16 am

Hi, we also have this issue.
User avatar
Tomas
Posts: 1272
Joined: Sat Jun 25, 2016 12:33 pm

Mon Apr 29, 2024 5:35 pm

Hi! Apologies an answer is only coming now, but I want to provide a bit more info on why you are likely seeing the long login time even for non-Radius users.

The most probable cause is actually that Radius Accounting-Request messages are timing out for local user logins. As per our docs on System Login, when Radius is enabled, all system logins (even if logins are through the local user DB, or even LDAP) are accounted into Radius.
bwebb wrote:
Fri Jul 02, 2021 7:00 pm
... When a privileged local administrator account logs in, however, that bypasses MFA entirely but the delay is still processed every time instead of just allowing the user access. If users were granted access immediately upon successful authentication without having to wait out the entire delay this would be a big help ...
Most likely the Radius server is ignoring and not responding to Accounting-Requests for these users, as they are not known to the Radius server. This will then make Unimus wait for the "radius-timeout", and only when the Accounting-Request times out, log in the local user.

There is currently no way to influence this behavior, but we will create 2 tickets into our backlog which will help:
- Accounting-Requests will be sent asynchronously, so users will be allowed to log in and the accounting request will be fired on a separate thread
- we will introduce a new configurable option to disable Radius accounting for non-Radius users
networknix wrote:
Tue Mar 12, 2024 10:16 am
Hi, we also have this issue.
Could you please let me know if the above described issues is also what you are running into, or if your issues is different? Thanks!
networknix
Posts: 9
Joined: Tue Mar 12, 2024 9:45 am

Fri May 10, 2024 10:12 am

Tomas wrote:
Mon Apr 29, 2024 5:35 pm

Could you please let me know if the above described issues is also what you are running into, or if your issues is different? Thanks!
Hi, as far as I know of the situation this seems to be the same issue. Your proposed changes would be able to make this a smoother experience.
Post Reply