Description
This article describes possible issues with SSLVPN and two-factor authentication expiry timers.
Useful link:
Fortinet Documentation:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/490351/ssl-vpn-authentication
Solution
When SSL VPN is configured with two factor authentications (email, SMS, FortiToken), under some circumstances a longer token expiry can be required than the default 60 seconds.
Expiry timers can be configured as follows:
# config system global
set two-factor-ftk-expiry <in s>
set two-factor-ftm-expiry <in s>
set two-factor-sms-expiry <in s>
set two-factor-fac-expiry <in s>
set two-factor-email-expiry <in s>
end
However, while these timers apply to the tokens themselves (and the token codes will stay valid for as long as configured), SSL VPN does not necessarily accept it for the entire duration the tokens are valid.
To ensure SSLVPN accepts the token, another timer needs to be configured:
# config system global
set remoteauthtimeout <1-300s>
end
The maximum configurable timeout for this is five minutes.
SSLVPN waits 10x remotetimeout +30 (s) for a valid token code to be provided before closing down the connection, even if the token code is valid for longer.
Example: If 240s is set for two-factor-email-expiry so, the remote timeout must be greater or equals 21.
240 = 10x remotetimeout + 30 <=> remotetimeout = 21
Notes:
The remoteauthtimout setting does not only show how long SSLVPN waits for the token to be provided, but also for other remote authentication, like authentication against LDAP, RADIUS etc.
That means an increased timer can lead to the FortiGate.
Server is not reachable if the increased timer takes too long to lead the FortiGate.
For SSL VPN authentication with Azure SAML the remoteauthtimeout is doubled. For example, when setup as 30 seconds those will become 60 seconds when the client waits for the password.
