Description
Users randomly fail to connect to SSL VPN with 2FA/MFA using a RADIUS authentication service.
'Login failed' is visible in the event logs, with messages similar to 'sslvpn_login_unknown_user' or 'Timeout for connection …' while performing a debug on the FortiGate with these commands:
# diag debug reset
# diag debug console timestamp enable
# diag debug app sslvpn -1
# diag debug app fnbamd -1
# diag debug enable
This issue occurs when an increased number of authentication requests from the SSL VPN service towards the RADIUS authentication server causes a delay in the RADIUS server's response.
This article describes how to avoid this issue.
Solution
The default value of the authentication timeouts is 5 seconds on most FortiGates.
The authentication timeouts can be increased to allow the FortiGate to wait longer for the RADIUS server to reply to authentication requests.
Modify the settings with these commands:
# config system global
set remoteauthtimeout 30
end
# config user radius
edit <RADIUS Server>
set timeout 30
end
The best timeout setting for your environment is visible in the debug output with timestamps enabled, which shows how long the RADIUS server takes to respond to each query.
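To choose a timeout value from the timestamped debug output rather than guessing, the following added example (not from the Fortinet article) pairs each RADIUS request with its reply in a capture, reports the per-user latency, and suggests a timeout with a safety margin. The capture, the 'radius req sent' / 'radius result' / 'radius timeout' markers and the user='…' fields are constructed for this example; the real fnbamd debug wording differs, so adapt the two regular expressions to your own capture. Only the leading 'YYYY-MM-DD HH:MM:SS' timestamp format is assumed to come from 'diag debug console timestamp enable'.

```python
"""Estimate RADIUS response latency from timestamped FortiGate debug output.

Added example, not Fortinet code. The capture and the line markers below are
CONSTRUCTED; only the leading timestamp format is assumed to be real.
"""
import math
import re
from datetime import datetime

# Leading timestamp written by 'diag debug console timestamp enable'.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
# Hypothetical request/response markers; adapt to your own capture's wording.
SENT_RE = re.compile(r"radius req sent .*user='([^']+)'")
RESULT_RE = re.compile(r"radius (result|timeout) .*user='([^']+)'")

# Constructed sample capture (timeout hypothetically already raised to 30 s):
# alice answers in 3 s, bob's MFA push takes 12 s, carol never answers.
SAMPLE = """\
2024-03-01 09:00:00 fnbamd radius req sent to 10.0.0.5 user='alice'
2024-03-01 09:00:03 fnbamd radius result from 10.0.0.5 user='alice' rc=0
2024-03-01 09:00:10 fnbamd radius req sent to 10.0.0.5 user='bob'
2024-03-01 09:00:22 fnbamd radius result from 10.0.0.5 user='bob' rc=0
2024-03-01 09:00:20 fnbamd radius req sent to 10.0.0.5 user='carol'
2024-03-01 09:00:50 fnbamd radius timeout for 10.0.0.5 user='carol'
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def measure_latencies(capture):
    """Return {user: seconds} for answered requests and {user: None}
    for requests that hit the FortiGate's timeout."""
    pending = {}    # user -> time the request was sent
    latencies = {}
    for line in capture.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # not a timestamped debug line
        ts, body = parse_ts(m.group(1)), m.group(2)
        sent = SENT_RE.search(body)
        if sent:
            pending[sent.group(1)] = ts
            continue
        result = RESULT_RE.search(body)
        if result and result.group(2) in pending:
            user = result.group(2)
            started = pending.pop(user)
            if result.group(1) == "timeout":
                latencies[user] = None
            else:
                latencies[user] = (ts - started).total_seconds()
    return latencies


def recommend_timeout(latencies, margin=2.0, floor=5, cap=60):
    """Suggest a timeout: slowest answered request times a safety margin,
    rounded up to a multiple of 5 s and bounded to [floor, cap]."""
    answered = [v for v in latencies.values() if v is not None]
    if not answered:
        return cap  # nothing ever answered: no latency data, use the cap
    rounded = math.ceil(max(answered) * margin / 5) * 5
    return max(floor, min(cap, rounded))


if __name__ == "__main__":
    lat = measure_latencies(SAMPLE)
    for user, secs in lat.items():
        print(f"{user:8s} {'timed out' if secs is None else f'{secs:.1f} s'}")
    timeouts = sum(1 for v in lat.values() if v is None)
    print(f"timed-out requests: {timeouts}")
    print(f"suggested remoteauthtimeout / radius timeout: {recommend_timeout(lat)} s")
```

The margin covers jitter in push-based MFA, where the user's reaction time is part of the RADIUS round trip; if the capture still shows timeouts after the new value is applied, the bottleneck is on the RADIUS or MFA side rather than the FortiGate setting.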
Related links:
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/1620/system-global
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/403620/user-radius
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/551553/ssl-vpn-with-radius-and-fortitoke...
https://docs.fortinet.com/document/fortigate/6.2.0/azure-cookbook/517582/configuring-forticlient-vpn...
Related Articles
Technical Tip: Explanation of auth-timeout types for Firewall authentication users