Users experience delays in MFA authentication when connecting to the SSL VPN with FortiClient, and the connection is stuck at 45% for a while.

Running the fnbamd debug on the FortiGate, the following output is observed:
FGT1# diagnose debug reset
FGT1# diagnose debug application fnbamd -1
FGT1# diagnose debug enable
[1916] handle_req-Rcvd auth req 54100917 for xxx in opt=00200421 prot=11
[475] __compose_group_list_from_req-Group 'xxx', type 1
[616] fnbamd_pop3_start-xxx
[587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'xxx' for usergroup 'xxx' (3)
[342] fnbamd_create_radius_socket-Opened radius socket 13
[342] fnbamd_create_radius_socket-Opened radius socket 14
[1396] fnbamd_radius_auth_send-Compose RADIUS request
[1353] fnbamd_rad_dns_cb-10.100.0.7->10.100.0.7
[1325] __fnbamd_rad_send-Sent radius req to server 'xxx': fd=13, IP=10.100.0.7(10.100.0.7:1812) code=1 id=240 len=124 user="xxx" using PAP
[319] radius_server_auth-Timer of rad 'xxx' is added
[754] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1034] __fnbamd_cfg_get_ldap_list_by_group-
[1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[491] ldap_start-Didn't find ldap servers
[642] create_auth_session-Total 1 server(s) to try
[2781] receive_parse_radius_check_response-No response from the RADIUS server.
Checking the RADIUS configuration, the primary server (10.100.0.7 in the trace above) is unreachable while the secondary is reachable. This is the cause of the delay: the authentication request is always sent to the primary server first, and the FortiGate only moves on to the secondary after the primary fails to respond. This setting can be found under User & Authentication -> RADIUS Servers.

After swapping the secondary server to primary, the authentication process is no longer delayed:
[1325] __fnbamd_rad_send-Sent radius req to server 'xxx': fd=17, IP=10.100.0.6(10.100.0.6:1812) code=1 id=9 len=162 user="xxx" using PAP
[1215] send_radius_challenge_rsp-Timer of rad 'xxx' is added
[1360] fnbamd_auth_handle_radius_result-Timer of rad 'xxx' is deleted
[1805] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'xxx' 10.100.0.6(1) is 0
[1658] fnbam_user_auth_group_match-req id: 54100939, server: xxx, local auth: 0, dn match: 0
[1627] __group_match-Group 'xxx' passed group matching
[1630] __group_match-Add matched group 'xxx'(3)
[286] find_matched_usr_grps-Passed group matching
[216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 54100939, len=2193
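To pick this failure pattern out of a long fnbamd trace without reading it line by line, the following added Python example (not from the article or from Fortinet) correlates each "Sent radius req" line with the "No response" or "RADIUS resp code" line that follows it and reports the outcome per RADIUS server IP. The sample trace is constructed from the two debug captures above, and the function names are this example's own.

```python
import re

# Sample fnbamd trace, constructed from the two debug captures quoted above:
# first the unreachable primary (10.100.0.7), then the working server (10.100.0.6).
FNBAMD_TRACE = """\
[1325] __fnbamd_rad_send-Sent radius req to server 'xxx': fd=13, IP=10.100.0.7(10.100.0.7:1812) code=1 id=240 len=124 user="xxx" using PAP
[319] radius_server_auth-Timer of rad 'xxx' is added
[2781] receive_parse_radius_check_response-No response from the RADIUS server.
[1325] __fnbamd_rad_send-Sent radius req to server 'xxx': fd=17, IP=10.100.0.6(10.100.0.6:1812) code=1 id=9 len=162 user="xxx" using PAP
[1805] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'xxx' 10.100.0.6(1) is 0
"""

# "Sent radius req ..." lines carry the IP of the server the request went to.
SEND_RE = re.compile(r"Sent radius req to server '[^']*': fd=\d+, IP=(\d{1,3}(?:\.\d{1,3}){3})\(")
# "RADIUS resp code N" is the reply code fnbamd received from that server.
RESP_RE = re.compile(r"RADIUS resp code (\d+)")
NO_RESPONSE = "No response from the RADIUS server"
# RADIUS packet codes (RFC 2865) that show up in fnbamd output.
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def radius_server_status(trace):
    """Map each RADIUS server IP seen in the trace to the outcome of its request."""
    status = {}
    last_ip = None  # server of the most recent outstanding request
    for line in trace.splitlines():
        sent = SEND_RE.search(line)
        if sent:
            last_ip = sent.group(1)
            status.setdefault(last_ip, "awaiting reply")
            continue
        if last_ip is None:
            continue  # nothing outstanding; ignore group-matching and socket lines
        if NO_RESPONSE in line:
            status[last_ip] = "timeout"
            continue
        resp = RESP_RE.search(line)
        if resp:
            code = int(resp.group(1))
            status[last_ip] = RADIUS_CODES.get(code, f"code {code}")
    return status


def unresponsive_servers(trace):
    """Servers that never answered: the first thing to check when VPN logins stall."""
    return sorted(ip for ip, result in radius_server_status(trace).items() if result == "timeout")


if __name__ == "__main__":
    for ip, result in radius_server_status(FNBAMD_TRACE).items():
        print(f"{ip}: {result}")
```

Feed it the output of `diagnose debug application fnbamd -1` captured during a slow login; a server listed as "timeout" ahead of the one that returns Access-Accept is the primary that needs fixing or demoting.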