Currently we have a significant login delay in place because our external RADIUS server is an MFA agent. When a user logs in they are prompted on their phone so this delay is necessary to allow them to open the app and allow the connection. When a privileged local administrator account logs in, however, that bypasses MFA entirely but the delay is still processed every time instead of just allowing the user access.
If users were granted access immediately upon successful authentication without having to wait out the entire delay this would be a big help because we could extend the delay to whatever we want without impacting user experience negatively.
[Solved] Grant Access Immediately Upon Successful Authentication
Hi! Apologies an answer is only coming now, but I want to provide a bit more info on why you are likely seeing the long login time even for non-Radius users.
The most probable cause is actually that Radius Accounting-Request messages are timing out for local user logins. As per our docs on System Login, when Radius is enabled, all system logins (even if logins are through the local user DB, or even LDAP) are accounted into Radius.
There is currently no way to influence this behavior, but we will create 2 tickets into our backlog which will help:
- Accounting-Requests will be sent asynchronously, so users will be allowed to log in and the accounting request will be fired on a separate thread
- we will introduce a new configurable option to disable Radius accounting for non-Radius users
The most probable cause is actually that Radius Accounting-Request messages are timing out for local user logins. As per our docs on System Login, when Radius is enabled, all system logins (even if logins are through the local user DB, or even LDAP) are accounted into Radius.
Most likely the Radius server is ignoring and not responding to Accounting-Requests for these users, as they are not known to the Radius server. This will then make Unimus wait for the "radius-timeout", and only when the Accounting-Request times out, log in the local user.bwebb wrote: ↑Fri Jul 02, 2021 7:00 pm... When a privileged local administrator account logs in, however, that bypasses MFA entirely but the delay is still processed every time instead of just allowing the user access. If users were granted access immediately upon successful authentication without having to wait out the entire delay this would be a big help ...
There is currently no way to influence this behavior, but we will create 2 tickets into our backlog which will help:
- Accounting-Requests will be sent asynchronously, so users will be allowed to log in and the accounting request will be fired on a separate thread
- we will introduce a new configurable option to disable Radius accounting for non-Radius users
Could you please let me know if the above described issues is also what you are running into, or if your issues is different? Thanks!
-
- Posts: 9
- Joined: Tue Mar 12, 2024 9:45 am
Hi, as far as I know of the situation this seems to be the same issue. Your proposed changes would be able to make this a smoother experience.