Is it possible to raise the priority of RADIUS authentication in SSL VPN authentication rules?
Good day.
I'm struggling with the following problem.
We are using an SSL VPN connection with two auth services, LDAP and RADIUS (2FA through FortiAuthenticator).
And we were surprised that FortiGate sends the auth queries (according to the authentication rules in the SSL VPN configuration) simultaneously. It's f***** ridiculous.
My bosses are categorically against using realms. They demand that we use a single URL.
Usually we don't have problems, because we use individual groups.
But we have several groups which must use 2FA, and if FAC goes down they have to use LDAP.
And without realms it's impossible to configure auth rules for these groups.
Is it possible to separate users (with and without 2FA) using a single URL and without realms?
For example:
config authentication-rule
    edit 1
        set groups "User_Group_1_2FA"
        set portal "User_Group_1"
        set auth radius
    next
    edit 2
        set groups "User_Group_2"
        set portal "User_Group_2"
        set auth ldap
    next
    edit 3
        set groups "User_Group_1"
        set portal "User_Group_1"
        set auth ldap
    next
end
I wrote a KB detailing how FortiGate goes about SSLVPN authentication: https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSLVPN-authenti...
Hope this answers any questions you might have :)
How about separating the policies and putting the one with RADIUS/User_Group_1_2FA at the top?
Toshi
This doesn't work.
In the first step the SSL VPN daemon gets all groups from the default realm and the policies.
In the second step it sends a query simultaneously to all auth services that were found in the default realm auth rules.
After that it uses the first answer from the auth services. So... in this situation RADIUS will always be the last one.
Hey Houl,
I'm sorry to say that without realms to force authentication against specific groups, FortiGate will send the authentication request to all possible authentication servers based on SSLVPN policies as you have outlined above.
The intention behind it is to keep login latency low; if FortiGate checks one server after the other it would have to wait for failure/timeout each time and depending on setup, this could cause login wait times to quickly become ridiculous.
I agree that in cases such as yours the FortiGate design has limitations, but at present the only workaround FortiGate offers is using SSLVPN realms to ensure the user is only authenticated against very specific groups (and thus very specific authentication servers) instead of all.
Other than that, a feature request to allow designation of a preferred authentication server or backup-only authentication servers might be an option, but feature requests need to be submitted via Fortinet Sales; that's not something I can do, my apologies.
Sorry for the bad news :(
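To make the sequence concrete, here is a small model of the flow described in this answer and in the reply above (an added illustration in Python, not FortiGate code or anything from the KB; the latencies, users and group memberships are invented, and the extra rule bound to a "2fa" realm models the realm workaround):

```python
"""Model of the SSL VPN authentication flow described in this thread.

Constructed illustration, not FortiGate code: each rule of the realm the user
connected to contributes its server if the user is in the rule's group, all
candidates are queried at once, and the first answer is taken.
"""
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

# Rules in the shape of the thread's example; "" is the default realm (/).
# The last rule, bound to a "2fa" realm, models the realm workaround.
RULES = [
    {"group": "User_Group_1_2FA", "auth": "radius", "realm": ""},
    {"group": "User_Group_2",     "auth": "ldap",   "realm": ""},
    {"group": "User_Group_1",     "auth": "ldap",   "realm": ""},
    {"group": "User_Group_1_2FA", "auth": "radius", "realm": "2fa"},
]

# Constructed backends: server -> (response delay in seconds, users it accepts).
# RADIUS behind a 2FA service answers later than a plain LDAP bind.
SERVERS = {"ldap": (0.01, {"alice", "bob"}), "radius": (0.05, {"alice"})}

# Constructed memberships; alice is in both an LDAP group and a 2FA group.
GROUP_MEMBERS = {"User_Group_1": {"alice", "bob"}, "User_Group_1_2FA": {"alice"}}


def servers_for(user, realm=""):
    """Servers the gateway would query: one per matching rule of this realm."""
    return {r["auth"] for r in RULES
            if r["realm"] == realm and user in GROUP_MEMBERS.get(r["group"], ())}


def query(server, user):
    delay, accepted = SERVERS[server]
    time.sleep(delay)
    return server, user in accepted


def authenticate(user, realm=""):
    """Query all candidates concurrently; return (server, accepted) of the
    first answer as the thread describes, or None if no rule matches."""
    candidates = servers_for(user, realm)
    if not candidates:
        return None
    with ThreadPoolExecutor(max_workers=len(candidates)) as pool:
        futures = [pool.submit(query, s, user) for s in candidates]
        return next(fut.result() for fut in as_completed(futures))
```

In the default realm alice, who sits in both User_Group_1 and User_Group_1_2FA, is accepted by LDAP before RADIUS answers, so the second factor never decides the login; in the "2fa" realm only RADIUS is a candidate.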
Really? I need to test it myself then.
Thanks for the full description!
Good day.
Could you provide more info about the following resolved bug in FortiOS 7.0.4? Does it mean that you fixed the problem from this topic?
748085
SSL VPN authentication is not working for RADIUS users because the LDAP responds first.
Hey Houd,
the bug ID you referenced is a little more complicated than the topic makes it out to be. In greater detail: in the KB I wrote, I mentioned realms, and how specific user groups (and authentication servers) can be forced via realm selection. It was found that when users connect to the default realm (/), groups that are bound to specific realms are also considered for authentication.
With the fix, groups that are bound to specific realms are excluded from authentication against the default realm.
I will reach out to our documentation team to update the description to avoid confusion.
The basic function of SSLVPN authentication (against all possible servers at the same time) still remains.
Thanks for the explanation!
