FortiGate
chaithrar
Staff
Article Id 193607

Description


This article describes possible issues with SSL VPN and two-factor authentication expiry timers.

Related link:
SSL VPN authentication


Scope


FortiGate.

Solution


When SSL VPN is configured with two-factor authentication (email, SMS, FortiToken), some circumstances require a longer token expiry than the default 60 seconds.

Expiry timers can be configured as follows.


config system global
    set two-factor-ftk-expiry <in s>
    set two-factor-ftm-expiry <in s>
    set two-factor-sms-expiry <in s>
    set two-factor-fac-expiry <in s>
    set two-factor-email-expiry <in s>
end


However, these timers apply only to the tokens themselves (the token codes stay valid for as long as configured); SSL VPN does not necessarily accept them for the entire duration the tokens are valid.
To ensure SSL VPN accepts the token for that duration, another timer needs to be configured:


config system global
    set remoteauthtimeout <1-300s>
end


The maximum configurable timeout for this is five minutes.
To configure the remote authentication timeout

Notes:

  • The 'remoteauthtimeout' setting controls not only how long SSL VPN waits for the token to be provided, but also the wait for other remote authentication, such as authentication against LDAP, RADIUS, etc. That means an increased timer can cause the FortiGate to wait the full timeout before it determines that an authentication server is not reachable.
  • For SSL VPN authentication with Azure SAML, the remoteauthtimeout is doubled. For example, when set to 30 seconds, the effective timeout becomes 60 seconds while the client waits for the password.
  • For v7.4.1+, if 2FA token expiry time > remote_auth_timeout * 10 + 30 sec, the 2FA token expiry time is used as the timeout for a user to enter the token.
  • If 2FA token expiry time > remote_auth_timeout * 2 > 30 sec, the 2FA token expiry time is used as the timeout for the FortiGate to verify the token entered by the user.
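The following is an added example (not part of this article or FortiOS) that parses a 'config system global' block in the form shown above and reports two-factor expiry values that outlive the window SSL VPN actually waits, applying the remoteauthtimeout limit, the Azure SAML doubling and the v7.4.1+ rule from the notes. The sample values are constructed, and the assumption that on v7.4.1+ the wait falls back to remoteauthtimeout when the expiry rule does not trigger is the author's own.

```python
# Constructed FortiOS CLI snippet in the shape the article shows; values are made up.
SAMPLE_CONFIG = """\
config system global
    set two-factor-ftk-expiry 180
    set two-factor-sms-expiry 50
    set two-factor-email-expiry 400
    set remoteauthtimeout 30
end
"""

REMOTEAUTHTIMEOUT_MAX = 300  # article: at most five minutes (1-300 s)


def parse_system_global(text):
    """Collect 'set <key> <seconds>' lines inside 'config system global' as {key: int}."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system global":
            inside = True
        elif line == "end":
            inside = False
        elif inside and line.startswith("set "):
            _, key, value = line.split(maxsplit=2)
            settings[key] = int(value)
    return settings


def token_entry_window(remoteauthtimeout, token_expiry, fortios_741_plus=False, azure_saml=False):
    """Seconds SSL VPN waits for the user to type the token, modelled on the article's notes.
    Assumption: on v7.4.1+ the wait is still remoteauthtimeout when the expiry rule does not apply."""
    if not 1 <= remoteauthtimeout <= REMOTEAUTHTIMEOUT_MAX:
        raise ValueError("remoteauthtimeout must be 1-300 s")
    window = remoteauthtimeout * 2 if azure_saml else remoteauthtimeout  # Azure SAML doubles it
    if fortios_741_plus and token_expiry > remoteauthtimeout * 10 + 30:
        window = token_expiry  # v7.4.1+: a long token expiry becomes the entry timeout
    return window


def check_two_factor_expiry(settings, fortios_741_plus=False, azure_saml=False):
    """Return [(setting, expiry, window)] for every token type that outlives the SSL VPN wait."""
    rat = settings["remoteauthtimeout"]
    findings = []
    for key, expiry in settings.items():
        if key.startswith("two-factor-") and key.endswith("-expiry"):
            window = token_entry_window(rat, expiry, fortios_741_plus, azure_saml)
            if expiry > window:
                findings.append((key, expiry, window))
    return findings


if __name__ == "__main__":
    for key, expiry, window in check_two_factor_expiry(parse_system_global(SAMPLE_CONFIG)):
        print(f"{key}={expiry}s but SSL VPN waits only {window}s: raise remoteauthtimeout")
```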


Related article:

Troubleshooting Tip: SSL VPN and two-factor expiry timers