FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Dongfang_Li_FTNT
Article Id 219016
Description

This article describes the scenario where the user connects to the SSL VPN using Duo MFA, and the user finds out that the connection succeeds, whether he approves or denies the passcode.

Scope

FortiGate firmware.

Solution

Run the authentication and SSL VPN debug:

diagnose debug reset
diagnose debug application fnbamd -1
diagnose vpn ssl debug-filter clear
diagnose vpn ssl debug-filter src-addr4 a.b.c.d --> a.b.c.d is the public IP address of the remote PC.
diagnose debug application sslvpn -1
diagnose debug enable

The debug output below is seen after the Duo user has denied the passcode, yet the tunnel still comes up:

find_matched_usr_grps-Group 'Ldap-grp' passed group matching
find_matched_usr_grps-Add matched group 'Ldap-grp'
……
deconstruct_session_id:429 decode session id ok, user=[test],group=[Ldap-grp],authserver=[ldap],portal=[tunnel-access], host=[*.*.*.*]

The Duo user also belongs to the LDAP user group 'Ldap-grp', and the debug shows that the session was authenticated by authserver=[ldap], not by the Duo RADIUS server.

If the SSL VPN authentication-rule setting contains both the LDAP user group and the Duo user group, a Duo user's connection can be authenticated by the LDAP method instead of the RADIUS method. FortiGate sends the authentication request to all available remote servers at the same time and accepts the first successful result: the LDAP password check returns before Duo has finished asking for the second factor, so the session is established before the user's approve or deny decision is ever consulted.
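To confirm from this debug output which server actually accepted each session, the following Python check is an added example and not part of the article or of Fortinet's tooling: it parses the deconstruct_session_id lines and lists Duo users whose session was accepted by a server other than the Duo RADIUS server. The Duo user list, the server name 'duo-radius' and the host addresses are assumptions.

```python
import re

# Constructed sample debug lines, modelled on the fnbamd/sslvpn output quoted
# in the article (hosts are documentation addresses, not captured data).
SAMPLE_DEBUG = """\
find_matched_usr_grps-Group 'Ldap-grp' passed group matching
find_matched_usr_grps-Add matched group 'Ldap-grp'
deconstruct_session_id:429 decode session id ok, user=[test],group=[Ldap-grp],authserver=[ldap],portal=[tunnel-access], host=[192.0.2.10]
find_matched_usr_grps-Group 'Duo-grp' passed group matching
find_matched_usr_grps-Add matched group 'Duo-grp'
deconstruct_session_id:429 decode session id ok, user=[alice],group=[Duo-grp],authserver=[duo-radius],portal=[tunnel-access], host=[192.0.2.11]
"""

# Matches the decoded session-id line and captures who was authenticated,
# via which matched group and, most importantly, by which auth server.
SESSION_RE = re.compile(
    r"deconstruct_session_id:\d+ decode session id ok, "
    r"user=\[(?P<user>[^\]]*)\],group=\[(?P<group>[^\]]*)\],"
    r"authserver=\[(?P<authserver>[^\]]*)\],portal=\[(?P<portal>[^\]]*)\],"
    r"\s*host=\[(?P<host>[^\]]*)\]"
)


def parse_sessions(debug_text):
    """Return one dict per established SSL VPN session found in the debug text."""
    sessions = []
    for line in debug_text.splitlines():
        match = SESSION_RE.search(line)
        if match:
            sessions.append(match.groupdict())
    return sessions


def find_mfa_bypass(sessions, duo_users, duo_server):
    """Sessions of users who must pass Duo but were accepted by a different server.

    duo_users: set of user names that are members of the Duo group (assumed input,
    e.g. exported from the FortiGate or the Duo admin panel).
    duo_server: name of the RADIUS server object pointing at the Duo proxy (assumed).
    """
    return [s for s in sessions
            if s["user"] in duo_users and s["authserver"] != duo_server]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_DEBUG)
    for s in find_mfa_bypass(found, duo_users={"test", "alice"}, duo_server="duo-radius"):
        print(f"MFA bypassed: user={s['user']} accepted by authserver={s['authserver']} "
              f"via group={s['group']} from host={s['host']}")
```

Feed it the output of the debug commands above after the realm split to verify that every Duo user now shows the Duo RADIUS server as authserver.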

Using realms resolves the issue. A realm provides a separate path for each authentication method: set the LDAP user group in one realm and the Duo user group in another. Do not mix different authentication methods in one realm, so the LDAP user group and the Duo user group must not be put in the same realm.

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Ldap-grp"
            set portal "tunnel-access"
            set realm "ldap"
        next
        edit 2
            set groups "Duo-grp"
            set portal "tunnel-access"
            set realm "duo"
        next
    end
end

The realms 'ldap' and 'duo' must already exist under 'config vpn ssl web realm' before they can be referenced in the authentication rules.

The global setting 'remoteauthtimeout' is 5 seconds by default. Duo MFA authentication, which waits for the user to approve the push or enter a passcode, usually takes longer than 5 seconds, so the RADIUS request would time out before the user responds. Extend the timer, for example to 60 seconds; the maximum is 300 seconds.

config system global
    set remoteauthtimeout 60
end

Note: Starting from FortiOS v7.6.3, SSL VPN tunnel mode is no longer supported, and SSL VPN web mode is called 'Agentless VPN'.

 

Related document: 
SSL VPN multi-realm