This article explains the global 'set remoteauthtimeout' and user radius 'set timeout', as well as how they work together.
The two timeout values have different uses:
Consider a scenario where multiple RADIUS servers are in use, such as in the configuration below:
config user radius
    edit "<radius-server-name>"
        set server "10.200.0.100"
        set secret ENC hY5pf3kB6I194o7Sxy5xvndg+XubFJsunCcJ6pK2e5zEtYT9DM/Xe+M6M3QV2jY6I/GvHYWCEOcKufrPTGmO9e/TCzGGREg3djgRFpQ7Kf1kONvZcxlUoLCY3lmVke6XavSThFfwU23nj9KUgosAFz65BxlBFS4zbf4+UWN9oh+RlkVMbJ5R9hZNegBdrsmbH8rqrQ==
        set secondary-server "10.200.0.101"
        set secondary-secret ENC Rj8GoTTyJfLFq9/kESCUlFLIfyeGKP+ej6LuX+DgKQ9sD94PcpMoX78ghTnYfQMN5lb9Q2IiuTUtleSDAS+Mfrm22BHib7iGcD4CD8TcWtjiW79YMwuJOV9NCdkXhFsK+E8tsJ6LzRwJ+/v/iYSMRh3o6GnoKpxyuoMF+VmtCAjtqU8YGf1yAzhp9doNSu+b5qInHg==
    next
end
The FortiGate will try to use server 10.200.0.100 first and, after a certain period of time with no response (determined by remoteauthtimeout), will abort the attempt and connect to the second server, 10.200.0.101.
The default value of remoteauthtimeout is 5 seconds.
get | grep remoteauthtimeout
remoteauthtimeout : 5
This means that, after 5 seconds, the FortiGate will use 10.200.0.101.
However, there is a second timeout value that controls the interval that the FortiGate will wait before it queries the same server again. The value can be set under 'config user radius'. Its default setting is also 5 seconds.
config user radius
get | grep timeout
timeout : 5
If both values are left at their defaults, the FortiGate will make a second attempt to connect to the first server before aborting the attempt and connecting to the second server instead.
If remoteauthtimeout is changed to a higher value, the FortiGate will make as many attempts as the retry interval (the user radius 'set timeout' value) fits into that value. For example, when remoteauthtimeout is 10 seconds and the default interval between retries is 5 seconds, the FortiGate will attempt 2 retries before the secondary server is used.
Finally, if the timeout value under user radius is higher than remoteauthtimeout, no retry will be attempted. The secondary server will be used as soon as remoteauthtimeout is reached.
Note that these timers do not affect wireless connections, because Wi-Fi cannot wait longer for the authentication to complete.
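An added example (not from the original article or from Fortinet): a Python check that reads a FortiGate configuration backup and reports, for each RADIUS entry, how many retries the primary server gets before the secondary is used. The retry model (whole 'timeout' intervals inside remoteauthtimeout) is inferred from the three cases described above, and the sample configuration, entry names and addresses are constructed.

```python
import re

DEFAULT_SECONDS = 5  # default of both timers, per the article

# Constructed sample backup: entry names and addresses are made up.
SAMPLE_CONFIG = """
config system global
    set remoteauthtimeout 10
end
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
        set secondary-server "192.0.2.11"
    next
    edit "slow-radius"
        set server "192.0.2.20"
        set timeout 15
        set secondary-server "192.0.2.21"
    next
end
"""

def parse_timers(config_text):
    """Return (remoteauthtimeout, {radius entry name: timeout}) in seconds."""
    remote, timeouts, stack, name = DEFAULT_SECONDS, {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        top = stack[-1] if stack else None  # innermost open config block
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif top == "user radius" and line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            timeouts[name] = DEFAULT_SECONDS
        elif top == "system global":
            m = re.fullmatch(r"set remoteauthtimeout (\d+)", line)
            remote = int(m.group(1)) if m else remote
        elif top == "user radius" and name:
            m = re.fullmatch(r"set timeout (\d+)", line)
            timeouts[name] = int(m.group(1)) if m else timeouts[name]
    return remote, timeouts

def primary_retries(config_text):
    """Return (remoteauthtimeout, {name: retries sent to the primary server})."""
    remote, timeouts = parse_timers(config_text)
    # Assumed model: one retry per whole 'timeout' interval inside remoteauthtimeout.
    return remote, {n: (remote // t if t else 0) for n, t in timeouts.items()}
```

An entry that reports 0 retries has a 'timeout' higher than remoteauthtimeout, the case in which the secondary server is used without any retry to the primary.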
Example global change:
config system global
    set remoteauthtimeout 10
end