tim5700
New Contributor

Fortigate w/ Microsoft NPS & Azure MFA Admin

I have a Fortigate, a remote Microsoft NPS server with an Azure AD extension.  Azure AD MFA is enabled.  The goal is to use my AD domain credentials as an admin on my firewalls and use the same MFA as I use for Microsoft 365.

I followed the instructions here: https://kb.fortinet.com/kb/viewContent.do?externalId=FD36127

If I have the Microsoft Authenticator app pulled up and open, I get my authentication push and it works just fine. However, if my phone is locked and I am not in the app, by the time I unlock my phone, open the app, and get the prompt, the Fortigate authentication fails. The timing is right around 15 - 20 seconds.

Debug logs indicate some kind of a timeout, but I cannot find where. If I test with other systems like a Remote Access Gateway, I don't have this issue. I have attached some notes.

Toshi_Esumi
SuperUser

What do you see in "diag debug app fnbamd -1" as in the article? That would show you exactly what happens.

By the way, what do you see at your FGT if you run the below? Mine is a multi-vdom env., so ignore the first (global).

fgxxx-utm (global) # config sys global
fgxxx-utm (global) # get | grep remote
remoteauthtimeout   : 5

emnoc
Esteemed Contributor III

If I can shed some light since I just got thru going thru this also. You might want to look at the following on timeout and discards.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

I would also do a diag sniffer packet any "host 1.2.3.4" to witness the packets from the Radius-Client (fgt) to the Radius-Server (NPS).

And secondly did you test radius authentication and non-MFA 1st?

Ken Felix

PCNSE 

NSE 

StrongSwan  
PhilForti23
New Contributor

I got the same issue; I solved the problem by increasing the remote auth timeout on the Fortigate by running the following command:

fgxxx-utm #
config system global
    set remoteauthtimeout 60
end

By increasing the remote auth timeout value to 60 seconds (default is 5 seconds), it gives enough time for Azure to send the MFA prompt notification and for the user to authorize the connection.

Netsyssupport

I have the same issue and using the command "set remoteauthtimeout 60" fixed my mfa timeout issue.

mmccurry

Thank you! Your solution is still solving others' problems more than 2 years later. Now I understand that there is a login timeout (ours was set to 180), but Microsoft's MFA NPS extension is covered by the remoteauthtimeout setting that you gave. Ours was not set, so the default was being used, and most people were not doing it fast enough, which was causing errors and some getting temporarily locked out of the VPN.
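A small audit script, added here as an example and not part of any reply or of Fortinet's tooling, that reads a FortiOS config dump and reports the effective remoteauthtimeout. It handles the case the last two replies hit: when the line is absent (plain "show" omits defaults; "show full-configuration" prints them) the 5-second default applies, which is too short for an Azure MFA push. The sample dumps, the 5-second default and the 60-second floor are taken from this thread and assumed to apply to the reader's firmware.

```python
import re

# Assumptions taken from the thread, not verified against any firmware:
# FortiOS default remoteauthtimeout is 5 s; 60 s is the value that
# gave users enough time to approve the Azure MFA push.
DEFAULT_REMOTEAUTHTIMEOUT = 5
RECOMMENDED_MIN = 60

def remoteauthtimeout_from_config(config_text):
    """Return (seconds, explicit) for remoteauthtimeout in a FortiOS dump.
    The 'config system global' block is tracked by nesting depth so a
    multi-vdom dump wrapped in 'config global' ... 'end' also works.
    No 'set remoteauthtimeout' line means the default is in effect."""
    depth = 0
    global_depth = None  # depth at which 'config system global' opened
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system global":
                global_depth = depth
        elif line == "end":
            if global_depth == depth:
                global_depth = None
            depth -= 1
        elif global_depth is not None:
            m = re.fullmatch(r"set remoteauthtimeout (\d+)", line)
            if m:
                return int(m.group(1)), True
    return DEFAULT_REMOTEAUTHTIMEOUT, False

def audit(config_text, minimum=RECOMMENDED_MIN):
    """Flag a firewall whose effective timeout is below the MFA window."""
    value, explicit = remoteauthtimeout_from_config(config_text)
    return {"value": value, "explicit": explicit, "ok": value >= minimum}

# Constructed sample dumps (not real device output).
FIXED = """config system global
    set remoteauthtimeout 60
end
"""
DEFAULTED = """config global
config system global
end
end
"""

if __name__ == "__main__":
    for name, cfg in (("fixed", FIXED), ("defaulted", DEFAULTED)):
        print(name, audit(cfg))
```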
