Hi everyone,
We just configured our SSL VPN with SSO/SAML and are facing issues.
Some users get stuck at 40% after logging in with their Entra account and going through the MFA process, while others are able to connect without any problem. When it gets stuck at 40%, we don't see any logs on the FortiGate, but we can see that it went through the Entra App successfully.
We are using a custom port, a Let's Encrypt cert, and we disabled the web mode for the split-tunnel.
The users with issues are in the same group as the ones that work successfully. FortiClient is v7.4.0.1658. FortiGate 101F is v7.2.9.
Thanks
Steps to follow toward solving the problem:
1- Extend the authentication timeout on the FortiGate as per the following:
config sys global
    set remoteauthtimeout 120
end
2- Enable the web-mode SSL VPN portal and check whether the users who have problems are able to connect. If they are, this indicates it is a FortiClient issue.
3- Use this article on common problems and causes when using SAML with SSL VPN:
4- Compare the non-working users with the working users in terms of FortiClient version, operating system used, security settings on their PCs, any other applications that may interfere with the FortiClient connection, etc., and try to enable DTLS on FortiClient.
Hope this helps
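Step 1 as a check you can run against a FortiGate configuration backup: the Python below is an added example, not code from the thread or from Fortinet. It parses the FortiOS config/edit/set/next/end syntax and flags a remoteauthtimeout that is shorter than the 120 s suggested above while SAML user objects exist, since the IdP redirect plus MFA round trip has to complete inside that timer. The config excerpt is constructed, and the 5 s fallback is the FortiOS default for remoteauthtimeout.

```python
# Constructed FortiOS config excerpt (not taken from the thread): a SAML user
# object next to a remoteauthtimeout left at the FortiOS default of 5 seconds.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-101F"
    set remoteauthtimeout 5
end
config user saml
    edit "entra-sso"
        set entity-id "https://vpn.example.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:10443/remote/saml/login"
    next
end
"""

RECOMMENDED_REMOTEAUTHTIMEOUT = 120  # value the accepted answer sets


def parse_fortios_config(text):
    """Parse FortiOS CLI config (config/edit/set/next/end) into nested dicts.
    Every node is {"set": {key: value}, "entries": {name: node}}; both
    'config' sections and 'edit' table rows become entries of their parent."""
    root = {"set": {}, "entries": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config ") or line.startswith("edit "):
            name = line.split(" ", 1)[1].strip('"')
            node = {"set": {}, "entries": {}}
            stack[-1]["entries"][name] = node
            stack.append(node)
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1]["set"][key] = value.strip('"')
        elif line in ("next", "end"):
            stack.pop()  # close the current config section or edit row
    return root


def check_saml_auth_timeout(cfg_text, minimum=RECOMMENDED_REMOTEAUTHTIMEOUT):
    """Return (timeout, saml_objects, findings). A finding is raised when SAML
    user objects exist but remoteauthtimeout is below the recommended minimum."""
    cfg = parse_fortios_config(cfg_text)
    sys_global = cfg["entries"].get("system global", {"set": {}})
    timeout = int(sys_global["set"].get("remoteauthtimeout", 5))  # FortiOS default 5 s
    saml_objects = sorted(cfg["entries"].get("user saml", {"entries": {}})["entries"])
    findings = []
    if saml_objects and timeout < minimum:
        findings.append(f"remoteauthtimeout={timeout}s is below {minimum}s while SAML "
                        f"users {saml_objects} exist; IdP+MFA round trips may exceed it")
    return timeout, saml_objects, findings
```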
Hello,
Please run the following debug commands while testing the connection:
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug application sslvpn -1
diagnose debug enable
Refer to the document
Looks like the remoteauthtimeout was the culprit. Setting it to 120 immediately fixed the issue. Thank you!