Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chethan
Contributor

Created on ‎01-09-2022 09:13 PM

FortiAuthenticator: FortiToken 2FA fails (sometimes)

Hi Everyone,

 

We have created and are using SSL-VPN on FortiGate with 2FA configured on FortiAuthenticator for remote employees for almost a year now.

 

The users are Remote LDAP users and FortiToken is configured on FortiAuthenticator.

 

Recently we started noticing that, when the VPN users when they login through FortiClient, the authentication fails.

 

The logs on FortiAuthenticator shows this: "Remote LDAP user authentication(mschap) with FortiToken failed: remote server supports pap only"

 

And, this issue is not permanent. The same user when he/she tries to login with token after few minutes the authentication succeeds without any problem.

 

How do we fix this issue? As the users need to wait a long time before they login again.

 

Thank you

Chethan
NSE 4
ChethanNSE 4
Labels:
3295
0 Kudos
3 REPLIES 3
Debbie_FTNT
Staff
Staff

Created on ‎01-10-2022 03:07 AM

Hey Chethan,

if you have the FortiGate authenticate to FortiAuthenticator via RADIUS, and RADIUS checks the credentials against LDAP, the FortiGate-FortiAuthenticator connection must use either PAP, or MSCHAPv2 if FortiAuthenticator is joined to the domain and Windows AD Authentication is toggled on.

By default, FortiGate will try CHAP, MSCHAPv2, then PAP, when authenticating against RADIUS. Try setting PAP in FortiGate:

Debbie_FTNT_0-1641812724969.png

That should at least fix the errors related to 'remote server supports pap only'.

If 2FA only fails on occasion, you could also be looking at a timeout issue on FortiGate. If the issue persists, perhaps increasing the "remoteauthtimeout" value will help:
#config global
#config system global

#set remoteauthtimeout 60  <-- in seconds; this is how long FortiGate will wait for authentication to complete before declaring a timeout

#end

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
3233
chethan
Contributor
In response to Debbie_FTNT

Created on ‎03-17-2022 10:00 PM

Thank you.

 

I had set it to PAP on FortiGate, and did the mentioned things above. But was still receiving that error.

 

We reset the AD admin password and re-synced it. 

It is stable for a month now.

 

 

Chethan
NSE 4
ChethanNSE 4
2959
0 Kudos
Debbie_FTNT
Staff
Staff
In response to chethan

Created on ‎03-18-2022 02:11 AM

Hey Chethan,

good to hear :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
2951
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.