FortiGate
maulishshah
Staff
Article Id 273975
Description: This article describes why, during authentication, FortiGate sends duplicate RADIUS requests for 2FA (two-factor) authentication, and how to resolve it.
Scope: FortiGate v6.0+, v7.0+, v7.2+ and v7.4+.
Solution

This applies when 2FA is configured with RADIUS authentication and the user receives two token requests at the same time.

The main reason for these duplicate requests is that FortiGate does not receive an authentication response for the user within the configured time frame, so the RADIUS request times out and is resent.

Here are some Wireshark captures demonstrating the duplicate requests:

[Image: Wireshark capture showing the duplicate RADIUS authentication requests for the user]

The above capture confirms that duplicate authentication requests were seen for the user.

 

These captures were taken on the firewall itself: the capture interface is the one connected to the RADIUS server, and the filter port was set to 1812, the default port for RADIUS authentication.

Here is an example:

[Image: packet capture settings on the firewall, interface facing the RADIUS server, port 1812]

Execute the following debug commands to determine whether the authentication request timed out on the firewall or elsewhere:

diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable

To stop the debug, run 'diagnose debug disable'.

 

Here is the sample output:

201F_FAR_MDF_FORTIGATE (INET-EDGE) # [1906] handle_req-Rcvd auth req 979039458 for Fortinet_tac in  opt=00200421 prot=11
[466] __compose_group_list_from_req-Group 'Radius_GROUP', type 1
[616] fnbamd_pop3_start-Fortinet_tac
[587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FTNT_RADIUS' for usergroup 'Radius_GROUP' (2)
[342] fnbamd_create_radius_socket-Opened radius socket 12
[342] fnbamd_create_radius_socket-Opened radius socket 13
[1394] fnbamd_radius_auth_send-Compose RADIUS request
[1351] fnbamd_rad_dns_cb-172.25.x.x ->172.25.x.x
[1323] __fnbamd_rad_send-Sent radius req to server 'FTNT_RADIUS': fd=12, IP=172.25.x.x(172.25.x.x:1812) code=1 id=12 len=134 user="Fortinet_tac" using PAP
[319] radius_server_auth-Timer of rad 'FTNT_RADIUS' is added
[754] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1034] __fnbamd_cfg_get_ldap_list_by_group-
[1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[491] ldap_start-Didn't find ldap servers
[633] create_auth_session-Total 1 server(s) to try
[47] handle_rad_timeout-rad 'FTNT_RADIUS' 172.25.x.x timed out, resend request.
[1323] __fnbamd_rad_send-Sent radius req to server 'FTNT_RADIUS': fd=12, IP=172.25.x.x(172.25.x.x:1812) code=1 id=12 len=134 user="Fortinet_tac" using PAP
[63] handle_rad_timeout-Timer of rad 'FTNT_RADIUS' is added
[2812] handle_auth_timeout_with_retry-Retry
[443] radius_stop-Timer of rad 'FTNT_RADIUS' is deleted

 

The above debug confirms that FortiGate fails to authenticate the user within the configured time frame: the RADIUS request to 'FTNT_RADIUS' times out ('timed out, resend request') and the same request (id=12) is sent a second time, which is the duplicate seen in the capture.

To resolve the issue, increase the remote authentication timeout.

 

Here are the commands:

config system global
    set remoteauthtimeout <0s-300s>    <----- By default, it is 5 seconds; the recommended value is 60s
end

 

For VDOM-enabled units:

config global
    config system global
        set remoteauthtimeout <0s-300s>
    end
end

 

After increasing the timeout, the duplicate requests no longer appear.

Here is the output:

[1323] __fnbamd_rad_send-Sent radius req to server 'FTNT_RADIUS': fd=12, IP=172.25x.x(172.25x.x:1812) code=1 id=27 len=134 user="Fortinet_tac" using PAP
[63] handle_rad_timeout-Timer of rad 'FTNT_RADIUS' is added
[1360] fnbamd_auth_handle_radius_result-Timer of rad 'FTNT_RADIUS' is deleted
[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'FTNT_RADIUS' 172.25.169.24(1) is 0
[1653] fnbam_user_auth_group_match-req id: 979039478, server: FTNT_RADIUS, local auth: 0, dn match: 0
[1622] __group_match-Group 'Radius_GROUP' passed group matching
[1625] __group_match-Add matched group 'Radius_GROUP' (2)
[277] find_matched_usr_grps-Passed group matching
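As an added example (not part of the original article or Fortinet's tooling), the following Python script parses fnbamd debug lines like the two outputs above and flags the retransmission pattern this article describes: the same RADIUS request id sent more than once together with a 'timed out, resend request' line. The sample lines are constructed from the captures on this page; the function and variable names are the example's own.

```python
import re

# Constructed sample lines in the shape of 'diagnose debug application fnbamd -1'
# output, abridged from the two captures above (IPs masked as on the page).
BEFORE_FIX = """\
[1323] __fnbamd_rad_send-Sent radius req to server 'FTNT_RADIUS': fd=12, IP=172.25.x.x(172.25.x.x:1812) code=1 id=12 len=134 user="Fortinet_tac" using PAP
[319] radius_server_auth-Timer of rad 'FTNT_RADIUS' is added
[47] handle_rad_timeout-rad 'FTNT_RADIUS' 172.25.x.x timed out, resend request.
[1323] __fnbamd_rad_send-Sent radius req to server 'FTNT_RADIUS': fd=12, IP=172.25.x.x(172.25.x.x:1812) code=1 id=12 len=134 user="Fortinet_tac" using PAP
[63] handle_rad_timeout-Timer of rad 'FTNT_RADIUS' is added
[2812] handle_auth_timeout_with_retry-Retry
"""

AFTER_FIX = """\
[1323] __fnbamd_rad_send-Sent radius req to server 'FTNT_RADIUS': fd=12, IP=172.25.x.x(172.25.x.x:1812) code=1 id=27 len=134 user="Fortinet_tac" using PAP
[63] handle_rad_timeout-Timer of rad 'FTNT_RADIUS' is added
[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
"""

SEND_RE = re.compile(r"__fnbamd_rad_send-Sent radius req to server '(?P<server>[^']+)'.*?\bid=(?P<id>\d+)\b.*?user=\"(?P<user>[^\"]+)\"")
TIMEOUT_RE = re.compile(r"handle_rad_timeout-rad '(?P<server>[^']+)' \S+ timed out, resend request")
RESP_RE = re.compile(r"RADIUS resp code (?P<code>\d+)")  # RADIUS code 2 = Access-Accept, 3 = Access-Reject (RFC 2865)

def analyze(debug_text):
    """Count sends per (server, user, request id), timeouts and RADIUS response codes."""
    sends, timeouts, responses = {}, 0, []
    for line in debug_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            key = (m["server"], m["user"], int(m["id"]))
            sends[key] = sends.get(key, 0) + 1
        elif TIMEOUT_RE.search(line):
            timeouts += 1
        elif (m := RESP_RE.search(line)):
            responses.append(int(m["code"]))
    # A request id sent more than once is the duplicate seen in the Wireshark capture.
    duplicates = {k: n for k, n in sends.items() if n > 1}
    return {"sends": sends, "duplicates": duplicates, "timeouts": timeouts, "responses": responses}

def verdict(report):
    """Map the counts to the diagnosis this article describes."""
    if report["duplicates"] and report["timeouts"]:
        return "remoteauthtimeout too short: request resent before RADIUS server answered"
    if 2 in report["responses"] and not report["duplicates"]:
        return "single request, Access-Accept received"
    return "inconclusive"

if __name__ == "__main__":
    for name, text in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, verdict(analyze(text)))
```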

Note:
Another value to take into consideration is 'set timeout' under the RADIUS server settings. Refer to this KB article: Technical Tip: Explaining global 'set remoteauthtimeout', user radius 'set timeout', and how they wo...

Related article:

Troubleshooting Tip: SSL VPN and two-factor expiry timers