hook95

FortiClient fails to connect after trying MFA authentication twice

Hello all,

I am currently assisting a user who cannot connect to our NJ VPN on her laptop. We are using Microsoft for MFA currently. The weird thing is, FortiClient will send the authentication code to the user's phone, and the user approves it. Then it will get to like 60 percent, send the authentication code again after it's already been entered, and then it will fail with this message:

[Screenshot of the error message: hook95_1-1671464191402.png]

Mind you, we have a backup option that our users connect to in Pennsylvania, and the user can connect to that one with no issues. First, we made sure there were no issues with the NJ VPN: I can connect on my computer with no issues, and my other teammates tried on their laptops and had no issues either. I, as well as 2 other people, tried connecting to NJ on the user's laptop and it failed for all of us. We tried repairing FortiClient, then completed a full uninstall/reinstall of the client, and still got the same results. We tried having the user connect using her Wi-Fi hotspot to make sure there wasn't an issue with her home network, and it did the same thing for all of us: the client sent the authentication verification 2 times and then failed with the same message each time. The laptop has been updated and the Wi-Fi adapter re-installed. I performed a network reset on the laptop just in case, to no avail. Has anyone experienced this or have any suggestions? Any advice is appreciated, thank you!




Anonymous

Hello

Can you share the following debug while reproducing the issue?

#dia de reset
#dia de console timestamp en
#dia de app fnbamd -1
#dia de app sslvpn -1
#dia de en

Let the output run for a few minutes while trying to establish a connection via SSL-VPN:

#dia de dis
#dia de reset

From your explanations it seems like the user is not part of the LDAP group, or the LDAP group is not referenced in the SSL-VPN policy.

 

 

hook95

Thank you for the reply, but I only have access to the user application on the laptop and will not be able to run these commands.

Markus_M

Note that the FortiClient does NOT send the second factor.

The FortiClient will ask for an authentication of the user against the FortiGate, which in turn may ask some other server, probably a Microsoft RADIUS server.

The latter one will, with a plugin for MFA, send the code to the client/phone and in parallel advise the FortiGate to ask the client to input that code.

The latter part is not working (sending the code back through the FortiGate and then back to the server who requested it), and you need to check with the respective team.

The end user cannot and must not(!) be able to bypass authentication factors that are set by the servers. It would be a serious security issue.

Best regards,

Markus

hook95

Thanks for the reply. Yes, we do use a RADIUS server. I checked our NPS logs as well as the MFA NPS extension logs, which receive the challenge response notice. Both logs indicate that our user's MFA response is accepted. What I don't understand is why it is still failing from her laptop. I tried signing in as her on my laptop and it worked fine! I am thinking now something is up with her laptop. Everything is updated on it and it seems fine, but this just doesn't make any sense. And what is really throwing me for a loop is the fact that she can reach our backup VPN but not her primary! Like, why would it work for one and not the other? Anyway, just ranting now. I guess I will close this soon if no one has any other suggestions.