After we upgraded Win10/11 clients to FortiClient 7.4, we experienced the "forever connecting" issues like others. Additionally, we found that after supplying the FortiToken on the first connection, the subsequent attempt did not prompt for a token/code. This was repeatable behavior on the 7.4 client and occurred both after an immediate reconnect and after rebooting before reconnecting.
We worked with support to troubleshoot and found that backing down to FortiClient 7.0.13 resolved the connectivity and token issues. We do not pay for client support, so our tech was unable to reach out to the client team on this MFA/token issue.
Has anyone else experienced this behavior in FortiClient 7.4?
Reinstalling the redistributable did not help with these issues either.
Hello,
If you are using SAML, there is a known issue related to FortiClient 7.4.
But the following debugs may help you further when reproducing the issue:
get system status
config vpn ssl settings
show full
get
end
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose vpn ssl debug-filter src-addr4 x.x.x.x   (replace x.x.x.x with the client's public IP)
diagnose debug enable
diagnose debug application samld -1
If there is no token prompt, you could enter password+token in the password field too.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
The problem is that we are connecting to the VPN on subsequent attempts without being prompted for a token. This is using FortiTokens and not a third-party MFA.
Hello,
Can you please check the username? FortiGate is case sensitive by default.
Also, for testing, can you try to remove the token and re-assign the token for a user and test the login again?
We are aware of the case sensitivity, and that is not the issue here. We did revoke and reissue, and this fixed the problem. However, after a few connections, we found FortiClient 7.4 exhibiting the same behavior with the new token.
Just to avoid misunderstandings: what I wrote can also be done in FortiClient. If it doesn't prompt for the token code, try to enter it behind the password in the password field. The FortiGate side will handle this.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
The issue is more that FortiClient is making a successful connection without prompting for the FortiToken.
Hi @shamalpha,
In that case, you need to collect debugs and check your configuration to make sure MFA is actually enabled for that user.
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose vpn ssl debug-filter src-addr4 x.x.x.x   (replace x.x.x.x with the client's public IP)
diagnose debug enable
Regards,
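For readers following the advice above to confirm that two-factor is really enforced on the FortiGate side: the following is an added illustration, not part of this thread and not Fortinet's own documentation. It shows what a local user with a FortiToken assigned looks like in the FortiGate CLI, next to a user for whom two-factor is silently off. The username "jdoe", the group "ssl-vpn-users" and the token serial are placeholders.

```text
# Added example (not from the thread). Placeholders: jdoe, ssl-vpn-users, FTKMOBxxxxxxxxxx.
#
# Weak: a local user with no second factor at all. A password alone logs in,
# and FortiClient will never be asked for a code, whichever version it runs.
config user local
    edit "jdoe"
        set type password
        set two-factor disable
        set passwd ********
    next
end

# Corrected: the same user with a FortiToken bound. With this in place the
# FortiGate itself should demand a code on every SSL VPN login for this user.
config user local
    edit "jdoe"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOBxxxxxxxxxx"
        set passwd ********
    next
end

# The user must be in the group that the SSL VPN portal mapping and firewall
# policy reference; otherwise a different (possibly non-MFA) user path is hit.
config user group
    edit "ssl-vpn-users"
        set member "jdoe"
    next
end

# Read back the effective settings rather than trusting the GUI:
config user local
    edit "jdoe"
        show full-configuration
    next
end

# Confirm the token is activated and assigned to that user:
diagnose fortitoken info
```

If `show full-configuration` prints `set two-factor disable` or the `fortitoken` line is missing, the missing prompt is a FortiGate configuration problem, not a client one. If it shows the token bound and the fnbamd debug from the commands above still records a password-only success for the user, that points at the client side, which is the situation the original poster describes.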
We verified the debug logs with support on the call while examining the output. MFA was absolutely enabled both times. At the end of the call, our Fortinet support agent agreed that this seemed like a client issue, with MFA not prompting and the connection continuing successfully. Unfortunately, without support on FortiClient, the tech was unable to reach out to the product development team.