Description
This article explains the global 'set remoteauthtimeout' and user radius 'set timeout', as well as how they work together.
Scope
FortiOS.
Solution
The two timeout values have different uses:
Consider a scenario where multiple RADIUS servers are in use, such as in the configuration below:
config user radius
edit "1"
set server "10.200.0.100"
set secret ENC hY5pf3kB6I194o7Sxy5xvndg+XubFJsunCcJ6pK2e5zEtYT9DM/Xe+M6M3QV2jY6I/GvHYWCEOcKufrPTGmO9e/TCzGGREg3djgRFpQ7Kf1kONvZcxlUoLCY3lmVke6XavSThFfwU23nj9KUgosAFz65BxlBFS4zbf4+UWN9oh+RlkVMbJ5R9hZNegBdrsmbH8rqrQ==
set secondary-server "10.200.0.101"
set secondary-secret ENC Rj8GoTTyJfLFq9/kESCUlFLIfyeGKP+ej6LuX+DgKQ9sD94PcpMoX78ghTnYfQMN5lb9Q2IiuTUtleSDAS+Mfrm22BHib7iGcD4CD8TcWtjiW79YMwuJOV9NCdkXhFsK+E8tsJ6LzRwJ+/v/iYSMRh3o6GnoKpxyuoMF+VmtCAjtqU8YGf1yAzhp9doNSu+b5qInHg==
next
end
The FortiGate will try to use server 10.200.0.100 first and, after a certain period of time with no response (determined by remoteauthtimeout), will abort the attempt and connect to the second server, 10.200.0.101.
The default value of remoteauthtimeout is 5 seconds.
get | grep remoteauthtimeout
remoteauthtimeout : 5
This means that, after 5 seconds, the FortiGate will use 10.200.0.101:
However, there is a second timeout value that controls the interval that the FortiGate will wait before it queries the same server again. The value can be set under 'config user radius'. Its default setting is also 5 seconds.
config user radius
edit 1
get | grep timeout
timeout : 5
If both values are left at their defaults, the FortiGate will make a second attempt to connect to the first server before aborting the attempt and connecting to the second server instead:
If remoteauthtimeout is changed to a higher value, the FortiGate will make as many attempts as the retry interval (the user radius 'set timeout' value) fits into the value. For example, when remoteauthtimeout is 10 seconds and the default interval between retries is 5 seconds, FortiGate will attempt 2 retries before the secondary server is used:
Finally, if the timeout value under user radius is higher than remoteauthtimeout, no retry will be attempted. The secondary server will be used as soon as remoteauthtimeout is reached.
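The three cases above can be checked against a configuration backup. The following Python sketch is an added example, not Fortinet code: it models only the behaviour this article describes (a retry at each multiple of the user radius timeout up to remoteauthtimeout, then failover), and the function names, the "slow" entry and the sample configuration are constructed for illustration.

```python
DEFAULT_SECONDS = 5  # default the article states for both timers
# Constructed sample backup: addresses are the article's, secrets omitted.
SAMPLE_CONFIG = """\
config system global
    set remoteauthtimeout 10
end
config user radius
    edit "1"
        set server "10.200.0.100"
        set secondary-server "10.200.0.101"
    next
    edit "slow"
        set timeout 15
    next
end
"""

def parse_timers(config_text):
    """Return (remoteauthtimeout, {user radius entry name: timeout})."""
    remote, per_server, stack, entry = DEFAULT_SECONDS, {}, [], None
    for line in config_text.splitlines():
        words = line.split() or [""]
        section = stack[-1] if stack else None
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "edit" and section == "user radius":
            entry = words[1].strip('"')
            per_server[entry] = DEFAULT_SECONDS
        elif words[0] == "set" and len(words) >= 3:
            if section == "system global" and words[1] == "remoteauthtimeout":
                remote = int(words[2])
            elif section == "user radius" and words[1] == "timeout" and entry:
                per_server[entry] = int(words[2])
    return remote, per_server

def primary_timeline(remote, timeout):
    """Article's model: retry at each multiple of timeout up to remoteauthtimeout."""
    events = [(0, "Access-Request to primary")]
    events += [(t, "retry to primary") for t in range(timeout, remote + 1, timeout)]
    events.append((remote, "fail over to secondary-server"))
    return events

if __name__ == "__main__":
    remote, per_server = parse_timers(SAMPLE_CONFIG)
    for name, timeout in per_server.items():
        print(name, primary_timeline(remote, timeout))
```

With the sample values, entry "1" shows retries at 5 and 10 seconds before failover, while "slow" (timeout 15, higher than remoteauthtimeout 10) fails over with no retry.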
To successfully authenticate, the remoteauthtimeout should be extended to cover the Access-Request and Access-Challenge if necessary.
By default, the Access-Challenge timeout is 90 seconds. FortiGate will wait for the Access-Challenge for 90 seconds. This value is hardcoded and is not configurable.
Take into consideration that these timers do not affect wireless connections, because Wi-Fi cannot wait a longer time to complete the authentication.
Example global change:
config system global
set remoteauthtimeout 10
end
Copyright 2025 Fortinet, Inc. All Rights Reserved.