seanmd
Visitor III
January 4, 2024
Question

FortiGate 80F and MFA Issues

  • January 4, 2024
  • 10 replies
  • 5886 views

It's been nearly a year since I moved from Cisco to Fortinet and I have to say MFA is extremely buggy. Currently running v7.4.1 build2463. We are using LDAP to create our user accounts and then add the user into a local user group on the FortiGate, then finally enabling two-factor. We will run into issues where a user will be entering in the correct username, password, and MFA token (using FortiTokens), but a message like "VPN server is unreachable" is thrown on the client side. I've tried debugging with no luck and I've also had a few tickets opened with support and once again no resolution. Starting to think I should have never switched to Fortinet. The only fix we can come up with is to disable MFA and then reboot the device, and then the user can finally connect, but only using password authentication. Has anyone else dealt with this issue and if so what was your fix? I can't be the only one with this problem. Thanks in advance!

10 replies

akumar02
Staff & Editor
January 4, 2024

Hello Sean,

I am sorry to hear about your experience with MFA. 
Did you try to increase the remoteauthtimeout on Fortigate?
# config system global
    set remoteauthtimeout <1-300s>
end
The default timer is 5 seconds only and if you are using the Remote users to authenticate with Fortitoken, the authentication can timeout. 
Kindly refer to this article for reference:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-and-two-factor-expiry-timers/ta-p/191661#:~:text=The%20remoteauthtimout%20setting%20does%20not,can%20lead%20to%20the%20FortiGate.

I would also recommend testing with your Fortigates Local Users as well. 
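As an added example (not from the thread or from Fortinet), a small Python checker that walks a FortiOS config dump and reports whether remoteauthtimeout is still at the 5 s default or outside the 1-300 s range; the config text, hostname and LDAP entry it parses are constructed.

```python
import re

# Constructed sample of FortiOS "show" output (not taken from the thread).
SAMPLE_CONFIG = """\
config system global
    set hostname "RRK-Fortigate-2"
    set remoteauthtimeout 5
end
config user ldap
    edit "corp-ldap"
        set server "192.168.1.12"
        set cnid "sAMAccountName"
    next
end
"""

DEFAULT_REMOTEAUTHTIMEOUT = 5   # FortiOS default, in seconds
VALID_RANGE = (1, 300)          # accepted range per the CLI help above


def parse_fortios_config(text):
    """Walk config/edit/next/end nesting and return {path: {key: value}}."""
    tables, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip('"'))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            key, value = re.match(r"set\s+(\S+)\s+(.*)", line).groups()
            tables.setdefault(" / ".join(stack), {})[key] = value.strip('"')
    return tables


def audit_remoteauthtimeout(text):
    """Return (seconds, status); status is 'default', 'custom' or 'out-of-range'.

    A plain 'show' omits values still at their default, so a missing key
    means the 5 s default is in effect.
    """
    sysglobal = parse_fortios_config(text).get("system global", {})
    value = int(sysglobal.get("remoteauthtimeout", DEFAULT_REMOTEAUTHTIMEOUT))
    if not VALID_RANGE[0] <= value <= VALID_RANGE[1]:
        return value, "out-of-range"
    if value == DEFAULT_REMOTEAUTHTIMEOUT:
        return value, "default"
    return value, "custom"


if __name__ == "__main__":
    print(audit_remoteauthtimeout(SAMPLE_CONFIG))   # (5, 'default')
```

Paste the output of `show system global` (or `show full-configuration`) in place of the constructed sample to audit a real unit.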

seanmd (Author)
Visitor III
January 4, 2024

Thank you, I believe I did this along with username sensitivity set to disable. I will check right now and report back.

akumar02
Staff & Editor
January 4, 2024

Thank you. Kindly keep us posted. 

seanmd (Author)
Visitor III
January 4, 2024

I think this is good?

[attached screenshot: 2024-01-04 11_28_54-FortiGate - RRK-Fortigate-2.png]

akumar02
Staff & Editor
January 4, 2024

Yes, this looks good. Now you can test it.
I wonder if you have Webmode in SSL VPN as well. Just in case this is something related to the FortiClient only. You can test your user in SSL VPN Web mode.
----

Arun

Sheikh
Staff
January 4, 2024

Hello @seanmd ,

The values look fine. Please also check the latency between Fortigate and domain controllers; if they are on the same site then these values should be fine. Moreover, these debugs will help you see what is happening during authentication.

diagnose debug console timestamp enable
diagnose debug app fnbamd -1
diagnose debug app sslvpn -1
diagnose debug enable

****reproduce the issue****

regards,

Sheikh

seanmd (Author)
Visitor III
January 4, 2024

Thank you! I will reach out to the user who was having problems this morning and I will turn two-factor back on and test with him. The web mode SSLVPN is disabled per our cyber insurance.

seanmd (Author)
Visitor III
January 4, 2024

No issues with latency to my DCs.

PING 192.168.1.12 (192.168.1.12): 56 data bytes
64 bytes from 192.168.1.12: icmp_seq=0 ttl=128 time=0.3 ms
64 bytes from 192.168.1.12: icmp_seq=1 ttl=128 time=3.3 ms
64 bytes from 192.168.1.12: icmp_seq=2 ttl=128 time=0.3 ms
64 bytes from 192.168.1.12: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 192.168.1.12: icmp_seq=4 ttl=128 time=0.2 ms

--- 192.168.1.12 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.8/3.3 ms

RRK-Fortigate-2 # execute ping 192.168.1.99
PING 192.168.1.99 (192.168.1.99): 56 data bytes
64 bytes from 192.168.1.99: icmp_seq=0 ttl=128 time=0.2 ms
64 bytes from 192.168.1.99: icmp_seq=1 ttl=128 time=0.3 ms
64 bytes from 192.168.1.99: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 192.168.1.99: icmp_seq=3 ttl=128 time=0.3 ms
64 bytes from 192.168.1.99: icmp_seq=4 ttl=128 time=0.2 ms

Sheikh
Staff
January 5, 2024

Hello @seanmd 

This looks fine, you can try to increase the "remoteauthtimeout" value and also check the output of debugs.

 

regards,

 

Sheikh

seanmd (Author)
Visitor III
January 16, 2024

Sorry for the late response, but none of the aforementioned changes worked. I had two users last week who could not connect when MFA is enabled. The only fix was to disable MFA, reboot, and then the user was able to login to the VPN. Very frustrating for everyone.

Immu
Explorer III
January 16, 2024

Hi,

I don't have the exact same scenario... I don't use an LDAP server for that.

All users are configured as local users and MFA via mail works fine.

Can you try your setup with a local user instead of an LDAP user?

I know that it doesn't solve your current problem, but maybe it narrows down the actual source of the error.

Best regards

Immu