IPsec VPN with Radius problems

Forum|Forum|13 years ago
June 17, 2012
2 replies
5751 views

We have our fortinet device for remote users to access out network through IPsec VPN' s. Everything works fine if we simply have them use a local user to authenticate with. However we would like to setup the fortinet device with phone factor (RADIUS server) for two-factor authentication. When we setup the device to use the RADIUS server the request is sent off properly to the RADIUS server and the person gets a phone call prompting them for their pin. However the fortinet device never hears back a response from the RADIUS server or atleast not one that it can understand. The fortinet device waits 60 seconds then closes the VPN connection since it doesnt have a response from the RADIUS server. The RADIUS server we know is working properly, as it is used with several other Cisco ASA devices for the same purpose and they have no issue authenticating people. Any ideas of how to monitor the radius communication on the fortinet device or anything specifically that I must configure differently? We have already changed the RADIUS port to 1645 and double checked the shared secret.

Steven798Author

New Member

Tried the following command and got the following output: Office_Fortinet # diag test authserver radius Fortinet_Radius pap username password authenticate ' username' against ' pap' failed(no response), assigned_rad_session_id=239599618(null) session_timeout=0 secs! Again though we received a phone call and the radius server shows it authenticating us. So not sure why no response is being sent back to the fortinet device when other devices are receiving responses just fine.

ede_pfau

SuperUser

Hi, and welcome to the forums. Where did you get the information about the ' diag test' command from? It looks like the sequence of parameters is not correct. What you could do is trace the whole communication with the RADIUS server. Use

 diag deb ena  diag deb app authd -1

and try an auth request. Double check the RADIUS IP address and stick to the standard port for the time being. The Fortigate just expects a positive or negative (= no) answer back from the server, it does not read into the reply. So you cannot use options etc. What I can' t see at the moment is how you are planning to input the PIN for 2factor auth. Is the user prompted by the FGT?

Steven798Author

New Member

Thanks for the response ede I will try the debug and let you know the output. As for the command I tried it was just something I had found online. As for the PIN input I should have been a bit more specific. When the RADIUS server gets a request for authentication it checks the username/password and then if those check out it will place a phone call to the phone number associated with that user. When the user answers the phone they are promtped to enter a 6 digit PIN, if entered correctly the RADIUS server should authenticate them successfully. Edit: Tried the debug command from Ede and not to much came through for results. I see the request being sent off and the fortinet device going to a status of " pending" . 60 seconds later (the timeout for remote authentication) I get two messages of: XAUTH 3997743 result 3 XAUTH 3997743 unknown I' m assuming the numbers are ID' s as the change from one attempt to the other.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded