FortiGate
Rajan_kohli (Staff)
Article Id 328652
Description

This article describes a change introduced in FortiOS 7.4.4 that affects TACACS+ and LDAP-proxy authentication. Specifically, authentication may start failing with a connection timeout after the firmware upgrade, even though it worked before.

Scope

FortiGate 7.4.4.
Solution

Starting with FortiOS 7.4.4, several changes were made to the fnbamd process, which handles authentication on the FortiGate against remote servers.

One of these changes enforces certificate validation for LDAPS connections, which requires admins to upload the LDAPS server's CA certificate to the FortiGate.


See the following KB article for more information:

Technical Tip: LDAPS connections no longer work after update to v7.4.4


Another change concerns the ldapconntimeout setting and what it controls. Originally, this setting only limited the time allowed for LDAP TCP session setup, but as of FortiOS 7.4.4 it also limits the time the fnbamd process allows for each packet read/write.

This matters because ldapconntimeout has a very short default value of 500 ms, which can cause problems in the following scenarios:

  • If there are unexpected or random delays on the TACACS+ or LDAPS server that cause the exchange to exceed the 500 ms timeout. For TACACS+, this can be confirmed by collecting the output of the debug command "diagnose debug application fnbamd -1", which shows the TACACS+ connection timing out:

2024-06-03 08:11:44 [505] __tac_plus_conn_timeout-Connction withTACACS_SERVER:1.2.3.4 timed out.

--> The packet capture shows that the TACACS+ reply arrived only after the FortiGate had already sent its FIN packet.


[Figure: KCS-Tacacs-edited2.jpg, packet capture of the TACACS+ exchange]


  • If the client uses Multi-Factor Authentication (MFA) with ldap-proxy, 500 ms may not be sufficient, since users need time to respond to MFA push notifications.

To work around this issue, for LDAPS or TACACS+ change ldapconntimeout to 2000 ms or greater. If LDAP-proxy is configured on the FortiGate, set ldapconntimeout to a value similar to remoteauthtimeout, using the following commands:


config sys global
    set ldapconntimeout <time-in-milliseconds>
end


The larger ldapconntimeout value accounts for delays in LDAPS or TACACS+ packets, and it also gives users enough time to respond to multi-factor push notifications when LDAP-proxy is used with MFA.
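As an added example (not part of the original article or of FortiOS), the following Python script parses the fnbamd debug output for TACACS+ connection-timeout lines in the format shown above, counts them per server, and suggests a ldapconntimeout value from round-trip times measured in a packet capture. The sample debug lines, the round-trip times and the 1.5x safety margin are constructed assumptions; the 2000 ms floor is the article's workaround value.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample of "diagnose debug application fnbamd -1" output. The
# first line mirrors the message format quoted in the article; the remaining
# lines are assumed filler and are not real fnbamd output.
SAMPLE_DEBUG = """\
2024-06-03 08:11:44 [505] __tac_plus_conn_timeout-Connction withTACACS_SERVER:1.2.3.4 timed out.
2024-06-03 08:11:50 [505] __tac_plus_conn_timeout-Connction withTACACS_SERVER:1.2.3.4 timed out.
2024-06-03 08:12:02 [505] __tac_plus_conn_timeout-Connction withTACACS_SERVER:5.6.7.8 timed out.
2024-06-03 08:12:10 [505] some unrelated fnbamd line
"""

# Matches the timeout message exactly as fnbamd prints it (including the
# "Connction with" spelling seen in the article's debug output).
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<pid>\d+)\] __tac_plus_conn_timeout-Connction with"
    r"TACACS_SERVER:(?P<server>[0-9A-Fa-f.:]+) timed out\.$"
)


def parse_timeouts(debug_output: str) -> list[dict]:
    """Return one record (timestamp, pid, server) per TACACS+ timeout line."""
    events = []
    for line in debug_output.splitlines():
        m = TIMEOUT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def timeouts_per_server(debug_output: str) -> dict[str, int]:
    """Count timeout events per TACACS+ server address."""
    return dict(Counter(e["server"] for e in parse_timeouts(debug_output)))


def recommend_ldapconntimeout(observed_ms, floor_ms: int = 2000, margin: float = 1.5) -> int:
    """Suggest a ldapconntimeout (ms) that covers the slowest observed server reply.

    observed_ms: round-trip times in milliseconds taken from a packet capture
    (constructed in the test). floor_ms is the article's 2000 ms workaround
    value; the margin is an assumption, not a FortiOS recommendation.
    """
    worst = max(observed_ms, default=0)
    return max(floor_ms, int(worst * margin))
```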


This issue has been resolved in FortiOS versions 7.4.5 and 7.6.1.