GTI
New Contributor

Cisco Duo with Fortigate IPSec VPN problem

I followed the document to set up Duo for Fortigate’s SSL VPN in my client environment.
Everything works as expected but the problem is that the connection still works even before I receive the push notification on my cell. And even if I decline the connection, it still works fine…
So the radius server configuration works fine in the Fortigate, but the VPN connection gets established without me having to approve it beforehand.
I tried to create a LAB environment using Fortigate-VM and followed the same steps to integrate Duo; there it works with no issue. So I think there may be some missing or wrong config on the Fortigate.
Does anyone know about this problem?

aguerriero
Contributor II

You should test your RADIUS connection against the Duo server with a valid user account. You should not get a successful connection status and user credentials status if the Duo push is not acknowledged. This would point to a Duo configuration error for the Duo RADIUS client setup.

You should also check your remoteauthtimeout value in the global configuration.
GTI
New Contributor

The RADIUS test was successful, and at the same time my cell received the Duo 2FA push.

The remoteauthtimeout parameter is 60.
aguerriero
Contributor II

Do you get the successful test without using the Duo push?

GTI
New Contributor

Because the RADIUS server is Duo, if I test RADIUS, my cell will receive the push message.

If I choose reject or do nothing, the test is invalid.

aguerriero
Contributor II

If your RADIUS auth fails without you doing anything with Duo, then the RADIUS and Duo back-end authentication are good.

It could then point to your group or user configuration. It could also point to your SSL VPN portal/realm or settings.

Possibly you aren't mapping the RADIUS user/group in the SSL VPN settings and you allow all other users to the portal.

You could post some configurations or screenshots of how you have everything configured:
- RADIUS server
- user/group
- SSL VPN portal
- SSL VPN realm
- SSL VPN settings
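As an added illustration of the objects listed above (this is not configuration from the thread or from Duo's documentation), the FortiOS CLI below shows the RADIUS server, the group that contains only that server, and the SSL VPN authentication rule that maps the group to a portal; the server name, group name, portal name, address and secret are placeholders.

```fortios
# Added example, not from the original post. Names "duo", "duo-vpn",
# "duo-portal", the address 10.0.0.5 and the secret are placeholders.

config system global
    # Duo push needs time for the user to respond; 60 s is the value
    # the original poster reports.
    set remoteauthtimeout 60
end

config user radius
    edit "duo"
        set server "10.0.0.5"                 # placeholder: Duo Authentication Proxy host
        set secret "<shared-secret-placeholder>"
    next
end

config user group
    edit "duo-vpn"
        # Only the Duo RADIUS server is a member, so any authentication
        # for this group is answered by Duo (and its push). A local user
        # or a second server in the group would be a path around the push.
        set member "duo"
    next
end

config vpn ssl settings
    # Authentication rules map the RADIUS group to a portal. Users who
    # match no rule fall through to default-portal, the setting the GUI
    # labels "All Other Users/Groups"; check which users can reach it.
    config authentication-rule
        edit 1
            set groups "duo-vpn"
            set portal "duo-portal"
        next
    end
    set default-portal "web-access"
end
```

The check that goes with this: a user who can log in to the SSL VPN without the push is either matching something other than the "duo-vpn" group (another group member, a local user, or a firewall policy with a broader group) or reaching the default portal.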

GTI
New Contributor

Yes, I agree.

But for now, I still have not found the root cause for which config was missing or wrong.

Thank you for your explanation ~