Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AWoroch
New Contributor

Fortigate SSL VPN + Duo Security + RADIUS Authentication + VDOM's

Good evening.  

 

I have a pair of FGT-100D's in HA configuration, WITH VDOM's.  I'm trying to configure the Duo Security RADIUS 2FA using the details here: https://duo.com/docs/fortinet.  It's pretty clear that when using RADIUS auth, you need to increase the timeout or you won't have time to accept the push, and the default is 5 seconds - which is exactly what i'm seeing from my FortiClient in testing.  

 

Their document includes:

#config system global #set remoteauthtimeout 60 #end

Which of course is not 'correct' for a VDOM configuration, which should be:

# conf global

# conf system global

# set remoteauthtimeout 60

# end

 

Based on my observation though, it appears that this does nothing to affect a VDOM with a RADIUS auth source configured. Is there a hidden command setting somewhere I might need to make this work? I do have an open ticket with both Fortinet and Duo, but thought I'd ask in the forums.  If I get a working answer back, I'll update.  In the interim, I need to find a non-HA, and/or non-VDOM configuration to test with and see/confirm if that is in fact the issue, or if there is something else.  

 

Thanks.

4 REPLIES 4
Jeff_FTNT
Staff
Staff

Hello,

You may try use CLI:config global/config system global/    set two-factor-fac-expiry 300 /end, if your Radius server return Challenge to ask 2FA, thanks.

 

khangaroo

I wanted to try the DUO for two-factor authentication.  Were you able to figure out the fix?

emnoc
Esteemed Contributor III

Here's a short blog on what we've done with duo

 

http://socpuppet.blogspot...slvpn-with-mfa-by.html

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
geseront

Hi, this did not work for me and I am experiencing the same problem. In 5 seconds the auth times out and the push comes after, even with these settings both at 300. How do we get the timer to 300 for a VDOM which contains the SSL VPN portal and settings?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors