Description
This article describes how to resolve SSL VPN authentication errors that occur before the DUO 2FA push is completed.
Scope
FortiClient, DUO.
Solution
When using DUO with FortiClient, VPN authentication may fail before the end user has completed the DUO MFA push on their mobile device or token. This results in a 'permission denied' error in FortiClient, followed by a DUO push notification that no longer works because the authentication session has already ended.
It is possible to confirm exactly what is occurring by running an FNBAMD debug. The commands to do that are:
di de res
di de app fnbamd -1
di de en
Then try to connect. The following is the expected output if the connection to the LDAP server is timing out:
2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.x.x timed out.
This issue occurs because the 'ldapconntimeout' timer on the FortiGate is set too low, so the LDAP authentication attempt expires before the DUO process finishes. To resolve this, increase the 'ldapconntimeout' timer (the default is 500 milliseconds) using the CLI commands below, replacing the placeholder with a value in milliseconds large enough to cover the time users need to approve the push:
config sys global
    set ldapconntimeout <timeout_in_milliseconds>
end
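To check whether a captured FNBAMD debug session contains the LDAP timeout condition described above, the following added script (not part of this article or of FortiOS) parses the debug output and counts timeout events per LDAP server. The sample debug text is constructed; only the timeout line follows the format quoted in the article, and the other lines are labelled filler.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern for the fnbamd LDAP connection-timeout line quoted in the article.
# "Connction" is kept as spelled because that is what the daemon prints.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<pid>\d+)\] "
    r"__ldap_conn_timeout-Connction with LDAP:(?P<server>[^ ]+) timed out\."
)


def parse_ldap_timeouts(debug_output: str):
    """Return a list of (timestamp, server) for every LDAP timeout event found."""
    events = []
    for line in debug_output.splitlines():
        m = TIMEOUT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("server")))
    return events


def timeouts_per_server(debug_output: str) -> dict:
    """Count timeout events per LDAP server address, e.g. {'192.168.10.5': 2}."""
    return dict(Counter(server for _, server in parse_ldap_timeouts(debug_output)))


# Constructed sample of fnbamd debug output (not a real capture). The
# non-timeout lines are filler and do not reproduce any real fnbamd message.
SAMPLE = """\
2024-08-26 14:38:21 [594] constructed filler line: authentication attempt started
2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.10.5 timed out.
2024-08-26 14:39:02 [594] constructed filler line: user retried after DUO push
2024-08-26 14:39:03 [594] __ldap_conn_timeout-Connction with LDAP:192.168.10.5 timed out.
"""

if __name__ == "__main__":
    for ts, server in parse_ldap_timeouts(SAMPLE):
        print(f"{ts:%H:%M:%S} LDAP connection timeout against {server}")
    print(timeouts_per_server(SAMPLE))
```

Repeated timeouts against the same server while users report the 'permission denied' error point to the 'ldapconntimeout' value rather than to the DUO integration itself.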
Great, thank you @jguerra !
Well done @jguerra and @MaryBolano First KA of the month! I encourage you et al to keep up the good work!
Copyright 2024 Fortinet, Inc. All Rights Reserved.