Hi there
We are rolling out MFA to our FortiClient VPN users. When the user clicks Connect, a popup window appears for the SAML IdP, titled "FortiClient SAML Authentication". There is a timeout counter in the window title that starts counting down from 300 seconds.
When the popup appears, we can see in the FortiClient window, above the VPN Name box, that it says "status: connecting". The user needs to enter a login name, then a password, then a passcode, each on a different screen within the popup window. The popup closes and the user is returned to the FortiClient window, which then goes through the connection stages and connects to the VPN.
The issue we are having is that if the user does not enter their login details within 30 seconds in the popup window, then when the popup closes the "status: connecting" message disappears, no other connection messages appear, and the user is not connected to the VPN. Even if we do nothing in the popup window, the "status: connecting" message disappears within 60 seconds.
I've already set remoteauthtimeout to 240. I have tried changing some of the settings in the SSL-VPN settings, such as login-timeout, http-request-body-timeout and http-request-header-timeout. But we still have the same issue.
We still have the same issue if we enable the option "Use external browser as user-agent for SAML user authentication".
I did try to connect with a standard VPN connection, i.e. without MFA. This uses the FortiClient VPN login. If a password is entered, but you wait 30 seconds before clicking Connect, the password is cleared from the password box.
Somewhere there is a 30 second timeout in FortiClient where, if it does not see a connection attempt, it clears down the attempt.
Has anyone seen this issue? Is there a timeout somewhere in FortiClient that I can set? Or is there something else I need to set on the FortiGate?
For reference, we are using FortiClient v7.4.0.1658. The FortiGate is on 7.0.14. And we are using CyberArk for the MFA authentication.
Any help would be appreciated.
Thanks
Roy
You could also test 7.4.1. It's got a bunch of SAML-related fixes, maybe one of them will deal with your issue.
https://docs.fortinet.com/document/forticlient/7.4.1/windows-release-notes/22791/resolved-issues
Both FortiGate and FortiClient track their own timeouts, and in FCT versions 7.2.4+ it's not coordinated. FCT has static 300 seconds, while FortiGate's timeout is configurable, with default being 25 seconds.
It is set in:
config system global
set remoteauthtimeout <X> (5-300 seconds, default 5)
end
Note that for SAML the actual value used is <remoteauthtimeout> + 20.
I would recommend setting it to somewhere around 280-300 if you use only SAML for remote authentication. If you're using other methods (LDAP, RADIUS) be aware that this option influences them as well, so if there happens to be connectivity issues with the LDAP/RADIUS server, you may see a long waiting period before that fails out (if you use a high value for remoteauthtimeout).
We had the remoteauthtimeout setting on the FortiGate already set to 240. I have actually increased it to 300, but it makes no difference.
If I use a browser, I am able to log in successfully using the SAML authentication even if I take more than 2 minutes to enter my username, password and code. Therefore I don't believe the issue is on the gateway.
The issue appears to be that FortiClient calls the SAML IdP authentication process, which requires a popup window. Once I have entered my username, then password, then code and click Connect, that is when the popup closes and "control" is passed back to FortiClient. But if this takes more than 30-45 seconds, then FortiClient has timed out and the VPN is not established.
However, in the CyberArk MFA portal I can see successful authentications, so the popup window is communicating with the IdP absolutely fine and as expected.
Thanks
Roy
I am personally not a fan of vague advice like this... but I've seen lots of complaints about FCT 7.4.0. Any chance you can go back a bit and try something like 7.2.5? That seems to run fine as far as I can see.
There is one more knob you can try tweaking:
config vpn ssl setting
set login-timeout <X> <10-180, default 30, seconds>
end
So, I've reverted back to v7.2.5 on a test machine. That appears to work now. I left the popup window for 2 minutes and could still log in. I'll continue testing and see if that continues to work.
The question, therefore, is what is the difference between 7.2.5 and 7.4.0? Is there any way to get this looked into by Fortinet?
I'm not particularly relishing the prospect of downgrading all of our clients.
Deploying 7.4.1 has resolved this issue now. Thanks.
Copyright 2024 Fortinet, Inc. All Rights Reserved.