Hi Everyone,
We have created and have been using SSL-VPN on FortiGate, with 2FA configured on FortiAuthenticator, for remote employees for almost a year now.
The users are Remote LDAP users and FortiToken is configured on FortiAuthenticator.
Recently we started noticing that when VPN users log in through FortiClient, the authentication fails.
The logs on FortiAuthenticator show this: "Remote LDAP user authentication(mschap) with FortiToken failed: remote server supports pap only"
And this issue is not permanent. When the same user tries to log in with the token after a few minutes, the authentication succeeds without any problem.
How do we fix this issue, as the users need to wait a long time before they log in again?
Thank you
Hey Chethan,
if you have the FortiGate authenticate to FortiAuthenticator via RADIUS, and RADIUS checks the credentials against LDAP, the FortiGate-FortiAuthenticator connection must use either PAP, or MSCHAPv2 if FortiAuthenticator is joined to the domain and Windows AD Authentication is toggled on.
By default, FortiGate will try CHAP, MSCHAPv2, then PAP, when authenticating against RADIUS. Try setting PAP in FortiGate:
That should at least fix the errors related to 'remote server supports pap only'.
If 2FA only fails on occasion, you could also be looking at a timeout issue on FortiGate. If the issue persists, perhaps increasing the "remoteauthtimeout" value will help:
#config global
#config system global
#set remoteauthtimeout 60 <-- in seconds; this is how long FortiGate will wait for authentication to complete before declaring a timeout
#end
Thank you.
I had set it to PAP on FortiGate and did the things mentioned above, but was still receiving that error.
We reset the AD admin password and re-synced it.
It has been stable for a month now.
Hey Chethan,
good to hear :)