tim5700
New Member
August 21, 2021
Question

Fortigate w/ Microsoft NPS & Azure MFA Admin

  • August 21, 2021
  • 2 replies
  • 13119 views

I have a Fortigate, a remote Microsoft NPS server with an Azure AD extension.  Azure AD MFA is enabled.  The goal is to use my AD domain credentials as an admin on my firewalls and use the same MFA as I use for Microsoft 365.

I followed the instructions here: https://kb.fortinet.com/kb/viewContent.do?externalId=FD36127

If I have the Microsoft Authenticator app pulled up and open, I get my authentication push and it works just fine.  However, if my phone is locked and I am not in the app, by the time I unlock my phone, open the app and get the prompt, the Fortigate authentication fails.  The timing is right around 15 - 20 seconds.

Debug logs indicate some kind of a timeout, but I cannot find where.  If I test with other systems like a Remote Access Gateway, I don't have this issue.  I have attached some notes.

    2 replies

    Toshi_Esumi
    SuperUser
    August 21, 2021

    What do you see in "diag debug app fnbamd -1" as in the article? That would show you exactly what happens.

    By the way, what do you see at your FGT if you run the below? Mine is a multi-vdom env., so ignore the first (global).

    fgxxx-utm (global) # config sys global
    fgxxx-utm (global) # get | grep remote
    remoteauthtimeout   : 5

    emnoc
    New Member
    August 22, 2021

    If I can shed some light, since I just got through going through this also: you might want to look at the following on timeout and discards.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

    I would also do a diag sniffer packet any "host 1.2.3.4" to witness the packets from the RADIUS client (fgt) to the RADIUS server (NPS).

    And secondly, did you test RADIUS authentication without MFA first?

    Ken Felix

    PhilForti23
    Explorer
    April 22, 2022

    I got the same issue. I solved the problem by increasing the remote auth timeout on the Fortigate by running the following commands:

    fgxxx-utm# config system global
        set remoteauthtimeout 60
    end

    By increasing the remote auth timeout value to 60 seconds (default is 5 seconds), it gives enough time for Azure to send the MFA prompt notification and the user to authorize the connection.
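To make the race described in this thread concrete, here is an added example (not code from any poster, FortiGate or Microsoft): a minimal RFC 2865 RADIUS exchange over loopback where a mock NPS only answers after a constructed "push approval" delay, and the client side gives up after a `remoteauthtimeout`-style socket timeout. The shared secret, username, identifier and delays are all constructed values.

```python
import hashlib
import os
import socket
import struct
import threading
import time

SECRET = b"constructed-shared-secret"  # constructed, not a real secret


def build_access_request(username, ident):
    """Minimal RFC 2865 Access-Request: 20-byte header + User-Name attribute."""
    authenticator = os.urandom(16)
    attrs = bytes([1, 2 + len(username)]) + username  # type 1 = User-Name
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt, authenticator


def response_authenticator(code, ident, req_auth, attrs=b""):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + SECRET).digest()


def mock_nps(sock, mfa_delay):
    """Stand-in for NPS + Azure MFA extension: replies only once the push is approved."""
    data, addr = sock.recvfrom(4096)
    ident, req_auth = data[1], data[4:20]
    time.sleep(mfa_delay)  # user unlocking the phone and tapping Approve
    resp = struct.pack("!BBH", 2, ident, 20) + response_authenticator(2, ident, req_auth)
    sock.sendto(resp, addr)  # Access-Accept; discarded if the client already gave up
    sock.close()


def radius_auth(remoteauthtimeout, mfa_delay, ident=7):
    """Return True only if a valid Access-Accept arrives before the client timeout."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    threading.Thread(target=mock_nps, args=(server, mfa_delay), daemon=True).start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(remoteauthtimeout)  # plays the role of remoteauthtimeout
    pkt, req_auth = build_access_request(b"user@example.com", ident)
    client.sendto(pkt, server.getsockname())
    try:
        data, _ = client.recvfrom(4096)
    except socket.timeout:
        return False  # client-side timeout: the later Access-Accept is never used
    finally:
        client.close()
    expected = response_authenticator(2, ident, req_auth)
    return data[0] == 2 and data[1] == ident and data[4:20] == expected
```

With the default-like short timeout the authentication fails even though NPS eventually answers; raising the timeout past the approval delay makes the same exchange succeed.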

    Netsyssupport
    New Member
    October 20, 2022

    I have the same issue and using the command "set remoteauthtimeout 60" fixed my mfa timeout issue.