mmjo
New Contributor II

FortiClient EMS VPN IPsec stuck on machine auth

Hi.

I've got a FortiClient EMS PoC installation on 7.2.5 (about to upgrade to 7.2.6).

I've got the before_os to connect with the machine cert (with an LDAP check to the AD that the computer is there with DNS) and then the auto connect when logging in to the user cert (again with the LDAP to check if the user is there with CN), and that works fine.

But sometimes when I have the computer's lid closed and open it and log in with Windows Hello PIN or face, it's stuck on the machine auth. That's a major problem because I've got firewall policies so the machine auth only allows for password reset and the user cert allows more.

Does anyone have a problem with this thing? If I can't fix it, I'm thinking about going with the before logon option with the button, so the only auto connect tunnel is the user.

Morten

sjoshi
Staff

To address the issue of FortiClient EMS getting stuck on machine authentication when logging in with Windows Hello pin or face recognition, you can consider configuring the VPN to automatically connect before logon using the user certificate only. This way, you can ensure a smoother authentication process without encountering the issue of being stuck on machine authentication. By setting up the auto-connect tunnel with the user certificate, you can avoid the limitations of the machine authentication and allow for more flexibility in your firewall policies.

 
Let us know if this helps.
Salon Raj Joshi
mmjo
New Contributor II

That's what I've got, and as I understand it you can't use the user certificate before the user logs in because it's not visible in the user store before the user logs in.

As I wrote, I've got the before OS as the machine cert and the user cert as the auto connect tunnel, but it looks like Windows Hello is not triggering the login mechanism on the FortiClient. I can see others having problems with FSSO and the FortiClient agent and Windows Hello.

The funny thing is that it's not every time it fails; it's 50/50.
