rwpatterson
New Member
May 24, 2016
Solved

Fortigate and Duo

  • May 24, 2016
  • 1 reply
  • 9581 views

Anyone here set this up? I have tried, get the authentication from Duo, but the 40Gate denies entry. Any hints or tips would be appreciated.


Thanks in advance.


Using SSL VPN connectivity through the firewall with LDAP authentication, by the way.

Fortigate 800C HA Firmware Version v5.2.3,build670 (GA)


    xsilver_FTNT
    Staff
    May 25, 2016

    Hi Bob,

    Unfortunately, your post does not make much sense to me.

    Any config backup? Any explanation of what "Duo" is and how it communicates/authenticates... is it RADIUS/LDAP or even TACACS based?

    Any error transcript or screenshot of "denied entry" from FGT ?


    kind regards,

    Tomas

    rwpatterson
    New Member
    May 25, 2016

    Duo is a two factor authentication product that my former employer has purchased. It's LDAP based. Their LDAP server is a pass through for Active Directory, and depending on the AD group, it will then send out a challenge via SMS, phone call, etc. before access is granted. Their server works as designed, but before the end user receives the challenge request, the FGT denies the login. I'm not able to get more information at this time, but I will be able to later this afternoon (EDT).


    Thank you

    Kenundrum (Best answer)
    New Member
    May 25, 2016

    You may want to do a trace to see what traffic the box is seeing (or not). My first thought is that there is some timeout that is being exceeded because of the need to wait for the 2nd factor to go through. It's expecting a quick yes/no response from an LDAP server, but the Duo system can't send a response until you've authenticated with the app, etc...

    After checking the cli reference, there are a few commands that may be of use here...


    config system global
        set remoteauthtimeout <seconds>
        set ldapconntimeout <milliseconds>
    end
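The timeout hypothesis in Kenundrum's answer can be checked from a test client before touching the firewall. The script below is an added example, not code from this thread, from Fortinet or from Duo: it sends one LDAP simple bind to the Duo authentication proxy (which triggers the push or call for that test account) and reports how long the proxy takes to answer, compared with the FortiGate's remoteauthtimeout (5 seconds is the FortiOS default, stated here as an assumption since the thread does not give the box's value). The host, port, DN and password are placeholders to replace with your own.

```python
import socket
import time

REMOTEAUTHTIMEOUT = 5  # assumed FortiOS default for "set remoteauthtimeout", in seconds

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 BindRequest with simple authentication (RFC 4511 4.2); msg_id < 128."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def read_tlv(buf: bytes, i: int):
    """Return (tag, value_start, value_end) for the BER TLV at offset i."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:  # long-form length: low bits give the number of length octets
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, i, i + n

def bind_result_code(resp: bytes) -> int:
    """resultCode of a BindResponse (0 = success, 49 = invalidCredentials)."""
    _, i, _ = read_tlv(resp, 0)  # LDAPMessage SEQUENCE
    _, _, i = read_tlv(resp, i)  # skip messageID
    tag, i, _ = read_tlv(resp, i)  # BindResponse is [APPLICATION 1] = 0x61
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, i, end = read_tlv(resp, i)  # resultCode ENUMERATED
    return int.from_bytes(resp[i:end], "big")

def time_bind(host: str, port: int, dn: str, password: str, wait: float = 90.0):
    """Send one bind; return (resultCode, seconds until the proxy answered)."""
    t0 = time.monotonic()
    with socket.create_connection((host, port), timeout=wait) as s:
        s.sendall(bind_request(1, dn, password))
        resp = s.recv(4096)  # a BindResponse fits in one segment
    return bind_result_code(resp), time.monotonic() - t0

if __name__ == "__main__":  # placeholder host, port, DN and password: replace with your own
    code, secs = time_bind("duo-proxy.example.internal", 389, "cn=duotest,dc=example,dc=internal", "password")
    print(f"resultCode={code} after {secs:.1f}s; longer than remoteauthtimeout: {secs > REMOTEAUTHTIMEOUT}")
```

If the reported time is longer than remoteauthtimeout, the FortiGate gives up on the LDAP reply before Duo has finished, which matches the "denied before the challenge arrives" symptom; raising remoteauthtimeout on the FortiGate (and keeping the SSL VPN login timeout above it) is the corresponding fix to test.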