Anyone here set this up? I have tried, get the authentication from Duo, but the 40Gate denies entry. Any hints or tips would be appreciated.
Thanks in advance.
Using SSL VPN connectivity through the firewall with LDAP authentication, by the way.
Fortigate 800C HA Firmware Version v5.2.3,build670 (GA)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
You may want to do a trace to see what traffic the box is seeing (or not). My first thought is that there is some timeout that is being exceeded because of the need to wait for the 2nd factor to go through. It's expecting a quick yes/no response from an ldap server, but the duo system can't send a response until you've authenticated with the app, etc...
After checking the cli reference, there are a few commands that may be of use here...
config system global
    set remoteauthtimeout <seconds>
    set ldapconntimeout <milliseconds>
end
CISSP, NSE4
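To turn the timeout hypothesis into a measurement before touching the FortiGate, the following added Python script (not from this thread or from Fortinet/Duo) sends one LDAPv3 simple bind to the Duo proxy and times how long the BindResponse takes while you approve the push. The proxy hostname, port, DN and password are placeholders; whatever elapsed time you see is what remoteauthtimeout has to cover.

```python
import socket
import time

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_len(buf, i):
    """Decode a BER length at buf[i]; return (length, index after it)."""
    if buf[i] < 128:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id, dn, password):
    """LDAPv3 simple BindRequest (RFC 4511 section 4.2) as raw BER; msg_id < 128."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def bind_result_code(reply):
    """Extract resultCode from a BindResponse (0 = success, 49 = invalid creds)."""
    _, i = read_len(reply, 1)          # skip outer SEQUENCE tag and length
    ln, i = read_len(reply, i + 1)     # messageID INTEGER
    i += ln
    if reply[i] != 0x61:               # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, i = read_len(reply, i + 1)
    ln, i = read_len(reply, i + 1)     # ENUMERATED resultCode
    return int.from_bytes(reply[i:i + ln], "big")

def timed_bind(host, port, dn, password, timeout):
    """One simple bind; returns (result_code, seconds). result_code is None
    when no answer arrived within `timeout`, which is what the FortiGate sees."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1, dn, password))
            reply = s.recv(4096)       # a BindResponse fits in one read
    except OSError:
        return None, time.monotonic() - start
    return bind_result_code(reply), time.monotonic() - start

if __name__ == "__main__":
    # Hypothetical proxy address and DN; approve the Duo push when it arrives.
    code, secs = timed_bind("duo-proxy.example.local", 389,
                            "cn=bob,dc=example,dc=com", "secret", 60)
    print(f"resultCode={code} after {secs:.1f}s; compare with remoteauthtimeout")
```

If the measured time is longer than the FortiGate's remoteauthtimeout, the firewall gives up before Duo answers, which matches the "denied before the challenge arrives" symptom.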
Hi Bob,
unfortunately your post does not make much sense to me.
Any config backup? Any explanation of what "Duo" is and how it communicates/authenticates... is it RADIUS/LDAP or even TACACS based?
Any error transcript or screenshot of "denied entry" from FGT?
kind regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Duo is a two factor authentication product that my former employer has purchased. It's LDAP based. Their LDAP server is a pass through for Active Directory, and depending on the AD group, it will then send out a challenge via SMS, phone call, etc. before access is granted. Their server works as designed, but before the end user receives the challenge request, the FGT denies the login. I'm not able to get more information at this time, but I will be able to later this afternoon (EDT).
Thank you
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Thanks all and especially Kenundrum. The timeout extension seems to have resolved the issue.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com