Hello all,
I am currently assisting a user who cannot connect to our NJ VPN on her laptop. We are using Microsoft for MFA currently. The weird thing is: FortiClient will send the authentication code to the user's phone, and the user approves it. Then it will get to about 60 percent, send the authentication code again after it has already been entered, and then fail with this message
Created on 12-20-2022 04:58 AM
Hello
Can you share the following debug output while reproducing the issue:
#dia de reset
#dia de console timestamp en
#dia de app fnbamd -1
#dia de app sslvpn -1
#dia de en
Let the output run for a few minutes while trying to establish a connection via SSL-VPN.
#dia de dis
#dia de reset
From your explanation it seems like the user is not part of the LDAP group, or the LDAP group is not referenced in the SSL-VPN policy.
Thank you for the reply but I only have access to the user application on the laptop and will not be able to run these commands.
Note that the FortiClient does NOT send the second factor.
The FortiClient will request authentication for the user from the FortiGate, which in turn may ask some other server, probably a Microsoft RADIUS server.
The latter, through an MFA plugin, will send the code to the client/phone and in parallel advise the FortiGate to ask the client to input exactly that code.
The latter part is not working (sending the code back through the FortiGate and then back to the server that requested it), and you need to check with the respective team.
The end user cannot and must not(!) be able to bypass authentication factors that are set by the servers. It would be a serious security issue.
Best regards,
Markus
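The round trip Markus describes (FortiClient asks the FortiGate, the FortiGate asks a RADIUS server, the server issues a challenge and the answer has to travel back the same way) is easiest to see on the wire. The following is an added teaching model and is not code from this thread, FortiClient, FortiGate or Microsoft NPS. It encodes real RFC 2865 packets (20-byte header, type/length/value attributes, User-Password hiding) and runs a toy "NPS-like" server and a toy "FortiGate-like" relay in one process. The shared secret, user name, password and OTP are constructed sample values; the `echo_state=False` case only illustrates why the second leg must arrive intact and is not a diagnosis of the poster's laptop.

```python
# Added example: RADIUS challenge/response behind an MFA VPN login (RFC 2865).
# Not FortiClient, FortiGate or NPS code. All credentials below are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the chaining input is the hidden ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\0")


def encode(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """attrs is a list of (type, value) pairs; returns the wire packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(packet: bytes):
    """Returns (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


class MfaRadiusServer:
    """Toy NPS-like server. Leg 1 checks the password and replies with an
    Access-Challenge carrying a State. Leg 2 is tied to that challenge only if
    the client echoes the State back unchanged (RFC 2865 5.24)."""

    def __init__(self, secret: bytes, users: dict, otp: bytes):
        self.secret, self.users, self.otp = secret, users, otp
        self.pending = {}  # State value -> user who still owes the second factor

    def handle(self, packet: bytes) -> bytes:
        code, ident, authenticator, attrs = decode(packet)
        user = attrs[USER_NAME]
        field = unhide_password(attrs[USER_PASSWORD], self.secret, authenticator)
        state = attrs.get(STATE)
        if state is not None and self.pending.pop(state, None) == user:
            # Leg 2: User-Password now carries the OTP the user typed.
            if field == self.otp:
                return encode(ACCESS_ACCEPT, ident, os.urandom(16), [])
            return encode(ACCESS_REJECT, ident, os.urandom(16),
                          [(REPLY_MESSAGE, b"MFA code rejected")])
        # No usable State: the server can only treat this as a fresh leg 1, so an
        # answer that lost its State fails even though the user approved the MFA.
        if self.users.get(user) != field:
            return encode(ACCESS_REJECT, ident, os.urandom(16),
                          [(REPLY_MESSAGE, b"Bad credentials")])
        state = os.urandom(8)
        self.pending[state] = user
        return encode(ACCESS_CHALLENGE, ident, os.urandom(16),
                      [(STATE, state), (REPLY_MESSAGE, b"Enter the MFA code")])


def authenticate(server, secret, user, password, otp, echo_state=True):
    """FortiGate-side relay. Returns (final code, reply codes seen, Reply-Message).
    echo_state=False simulates a relay that drops the State on the second leg."""
    trace, ra = [], os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, ra))]
    code, _, _, reply = decode(server.handle(encode(ACCESS_REQUEST, 1, ra, attrs)))
    trace.append(code)
    if code == ACCESS_CHALLENGE:  # prompt the user for the code, then relay it
        ra = os.urandom(16)
        attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(otp, secret, ra))]
        if echo_state:
            attrs.append((STATE, reply[STATE]))
        code, _, _, reply = decode(server.handle(encode(ACCESS_REQUEST, 2, ra, attrs)))
        trace.append(code)
    return code, trace, reply.get(REPLY_MESSAGE, b"")


if __name__ == "__main__":
    secret = b"example-shared-secret"
    srv = MfaRadiusServer(secret, {b"jdoe": b"Passw0rd!"}, b"123456")
    print("good flow :", authenticate(srv, secret, b"jdoe", b"Passw0rd!", b"123456"))
    print("wrong OTP :", authenticate(srv, secret, b"jdoe", b"Passw0rd!", b"000000"))
    print("state lost:", authenticate(srv, secret, b"jdoe", b"Passw0rd!", b"123456", echo_state=False))
```

The trace for the good flow is Access-Challenge followed by Access-Accept; for a wrong code it ends in Access-Reject with "MFA code rejected". When the relay drops the State, the server cannot associate the reply with the challenge it issued and falls back to a first-leg check, so the attempt fails with "Bad credentials" even though the user approved the MFA prompt. That is the sense of Markus's point: the second factor is verified server-side on a return path the FortiClient does not control, and only the server-side logs (NPS and the MFA extension here) show which leg failed.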
Thanks for the reply. Yes, we do use a RADIUS server. I checked our NPS logs as well as the MFA NPS extension logs, which receive the challenge response notice. Both logs indicate that our user's MFA response is accepted. What I don't understand is why it is still failing from her laptop. I tried signing in as her on my laptop and it worked fine! I am thinking now something is up with her laptop. Everything is updated on it and it seems fine, but this just doesn't make any sense. And what is really throwing me for a loop is the fact that she can reach our backup VPN but not her primary! Like, why would it work for one and not the other? Anyway, just ranting now. I guess I will close this soon if no one has any other suggestions.