I have a Fortigate, a remote Microsoft NPS server with an Azure AD extension. Azure AD MFA is enabled. The goal is to use my AD domain credentials as an admin on my firewalls and use the same MFA as I use for Microsoft 365.
I followed the instructions here: https://kb.fortinet.com/kb/viewContent.do?externalId=FD36127
If I have the Microsoft Authenticator app pulled up and open, I get my authentication push and it works just fine. However, if my phone is locked and I am not in the app, buy the time I unlock my phone, open the app, get the prompt, the Fortigate authentication fails. The timing is right around 15 - 20 seconds.
Debug logs indicate some kind of a timeout, but I cannot find where. If test with others systems like a Remote Access Gateway, I don't have this issue. I have attached some notes.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
What do you see in "diag debug app fnbamd -1" as in the article? That would show you exactly what happens.
By the way, what do you see at your FGT if you run below? Mine is multi-vdom env. so ignore the first (global).
fgxxx-utm (global) # config sys global fgxxx-utm (global) # get | grep remote remoteauthtimeout : 5
If I can shed some light since I just got thru going thru this also. You might want to look at the following on timeout and discards.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
I would also do a diag sniffer packet any "host 1.2.3.4" to witness the packets from Radius-Client ( fgt ) to the Radius-Server (NPS )
And secondly did you test radius authentication and non-MFA 1st?
Ken Felix
PCNSE
NSE
StrongSwan
I got the same issue, I solved the problem by increase the remote auth timeout on the Fortigate by running the following command:
fgxxx-utm#
config system global
end
!
By increasing the remote auth timout value to 60 second (default is 5 second), it give enought time for Azure to send the MFA prompt notification and the user to authorize the connection.
Created on 10-20-2022 12:30 PM Edited on 10-20-2022 12:36 PM
I have the same issue and using the command "set remoteauthtimeout 60" fixed my mfa timeout issue.
Thank you! Your solution is still solving other's problems more than 2 years later. Now I understand that there is a login timeout (ours was set to 180) but Microsoft's MFA NPS extension is covered by the remoteauthtimeout setting that you gave. Ours was not set, so the default was being used and most people were not doing it fast enough which was causing errors and some getting temporarily locked out of the VPN.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.