Description
This article describes how to adjust Hard FortiTokens for clock drift when used as Two Factor Authentication for VPN connections (SSL VPN and/or IPsec VPN).
If a user experiences clock drift, it may be the result of incorrect time settings on the unit.
If so, make sure that the clock is accurate by confirming the network time and correct timezone.
If the unit clock is set correctly the issue could be the for example, the FortiGate and FortiTokens being initialized prior to setting an NTP server.
This will result in a time difference that is too large to correct with the synchronize function.
To avoid this, selected FortiTokens can be manually drift adjusted.
Solution
The following procedure is intended to be used only in special cases where some FortiTokens are severely out-of-sync.
Only activated FortiTokens can be adjusted.
User may notice that it is not possible to login with the account and shows the error like below:
This article describes how to adjust Hard FortiTokens for clock drift when used as Two Factor Authentication for VPN connections (SSL VPN and/or IPsec VPN).
If a user experiences clock drift, it may be the result of incorrect time settings on the unit.
If so, make sure that the clock is accurate by confirming the network time and correct timezone.
If the unit clock is set correctly the issue could be the for example, the FortiGate and FortiTokens being initialized prior to setting an NTP server.
This will result in a time difference that is too large to correct with the synchronize function.
To avoid this, selected FortiTokens can be manually drift adjusted.
Solution
The following procedure is intended to be used only in special cases where some FortiTokens are severely out-of-sync.
Only activated FortiTokens can be adjusted.
User may notice that it is not possible to login with the account and shows the error like below:
FortiToken clock drift detected (code: 468308). Please input the next code and continue
Note that the authentication has an expiration time (by default is 30 seconds) and also FortiToken codes are sent depend on the configuration (every 30 or 60 seconds).
The remote authentication timeout need to be changed, so there is time for the next code to be added.
The remote authentication timeout need to be changed, so there is time for the next code to be added.
For example.
# config system globalWhen the user log in from the FortiClient (SSL VPN tunnel mode or IPSec VPN) or from SSL VPN web mode the user has the necessary time to add the first code.
set remoteauthtimeout 120 <----- This is in seconds.
end
Wait until the next code appears and add the second code of the FortiToken.
In the end the user is able to log in normally.
Recommendations: For security reason,revert the change made for this purpose.
https://docs.fortinet.com/document/fortiauthenticator/6.1.0/interoperability-guide-for-2fa/181198/ap...
Recommendations: For security reason,revert the change made for this purpose.
# config system globalOn FortiGate it is possible to adjust the drift with on CLI as:
set remoteauthtimeout 30
end
# exec fortitoken sync <id>On a FortiAuthenticator it is possible as described in the 2FA operability guide:
https://docs.fortinet.com/document/fortiauthenticator/6.1.0/interoperability-guide-for-2fa/181198/ap...
Related Articles
Technical Tip: How to change FortiToken mobile code refresh timer to 30 seconds
Troubleshooting Tip: FortiToken Mobile clock drift adjustment
