Support Forum
ITDavid
New Contributor

Issue with FortiClientVPN and DUO MFA - Connection is established without MFA request being accepted

Hello,


We have a Fortinet Fortigate 60F that we use to connect to our office with a VPN. And for a layer of security, we also have Duo MFA set up to send push notifications. Previously, in the Forticlient app, when it got to around 45% in the connection process, it would send an MFA push notification, and if you did nothing with DUO it would just sit there and eventually error out. Now I am seeing that the process gets to about 95%, then if you don't touch the notification it just connects you anyway. In fact, no matter what you do (Accept, Ignore, Deny) it connects to the VPN if the AD credentials are still valid.

In the RADIUS Servers tab, I used the “Test User Credentials” option and it works as expected. When you accept the DUO Push, it goes through. If you ignore it, it errors on both tests, and if you deny it, I get a successful connection status, but the user credentials show as “Invalid credentials”.

What could be the issue?

ebilcari
Staff

What type of RADIUS server is deployed in this setup?

Based on your description, FGT is not aware and doesn't participate in the MFA process (it doesn't ask for a token input during the authentication). FGT will just wait for the RADIUS response (reject or accept), the push notification in this case is handled by the RADIUS server, so I guess you should focus the troubleshooting on the RADIUS server.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
ITDavid

I believe the RADIUS server is the Duo Auth Proxy Manager that is running on our PDC.

In the RADIUS tab in the FGT settings, it is pointing to that server as the main server. 

That server in fact has an update available (5.7.4 > 6.3.0). I'll be running that when I can.

ebilcari

Then most probably this behavior is not related to the FGT; it will just wait for the RADIUS response.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Pittstate
New Contributor II

It looks like the account being used is matching the non-2FA criteria:


[256:root:6d9d]Auth successful for user ABC in group ABC-VPN_Users

...

[257:root:6d9b]sslvpn_user_match:1170 add user ABC in group ABC-VPN_Users
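The two points made in this thread, that the FortiGate only acts on the RADIUS Access-Accept/Reject code while the push decision lives in the RADIUS proxy, and that a user matching a non-2FA (bypass) rule gets an Accept on password alone, can be seen side by side in a small simulation. This is an added example, not Fortinet's or Duo's code: the RADIUS PAP packet format and authenticator checks follow RFC 2865, while the proxy's policy table, the user names, passwords and shared secret are constructed stand-ins for the Duo Authentication Proxy configuration, which this script does not read.

```python
"""RFC 2865 RADIUS PAP exchange reduced to what matters for this thread.
Added example, not Fortinet's or Duo's code. A toy 'proxy' stands in for the
Duo Authentication Proxy so the policy decision (require push vs. bypass) can be
seen next to the Access-Accept/Reject code the FortiGate actually acts on."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data (not from the thread or any real deployment).
SECRET = b"constructed-shared-secret"
DIRECTORY = {"alice": "Winter2024!", "svc-backup": "backup-pw"}
MFA_POLICY = {"alice": "require", "svc-backup": "bypass"}  # bypass = non-2FA rule


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def obfuscate_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream XOR)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of obfuscate_password, as the RADIUS server performs it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(t: int, v: bytes) -> bytes:
    return struct.pack("!BB", t, len(v) + 2) + v


def _packet(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def build_access_request(ident, user, password, secret, req_auth):
    """What the NAS (FortiGate) sends: User-Name + hidden User-Password."""
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, obfuscate_password(password, secret, req_auth))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def parse_attrs(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        attrs[t] = packet[i + 2:i + length]
        i += length
    return attrs


def proxy_respond(request, secret, directory, mfa_policy, push_result):
    """Toy RADIUS proxy. The FortiGate never sees push_result or the policy;
    it only sees the code this function chooses."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    a = parse_attrs(request)
    user = a[ATTR_USER_NAME].decode()
    ok = directory.get(user) == reveal_password(a[ATTR_USER_PASSWORD], secret, req_auth).decode()
    if ok and mfa_policy.get(user, "require") == "require" and push_result != "approve":
        ok = False  # push denied or ignored -> Access-Reject
    # policy "bypass": password alone is enough, push_result is never consulted
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()  # no attributes
    return _packet(code, ident, resp_auth, b"")


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator check (RFC 2865 section 3): MD5(Code+ID+Length+
    RequestAuth+Attributes+Secret). A NAS should drop replies that fail it."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return response[4:20] == expected


def fortigate_login(user, password, push_result, secret, directory, mfa_policy):
    """The FortiGate side: send Access-Request, act on Accept/Reject only."""
    req_auth = os.urandom(16)
    req = build_access_request(7, user.encode(), password.encode(), secret, req_auth)
    resp = proxy_respond(req, secret, directory, mfa_policy, push_result)
    if not verify_response(resp, req_auth, secret):
        return "reject"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    for user, pw, push in [("alice", "Winter2024!", "deny"), ("alice", "Winter2024!", "approve"),
                           ("svc-backup", "backup-pw", "deny"), ("alice", "wrong", "approve")]:
        print(user, push, "->", fortigate_login(user, pw, push, SECRET, DIRECTORY, MFA_POLICY))
```

Running it shows the symptom from the first post without any FortiGate involvement: `svc-backup`, whose constructed policy entry is `bypass`, gets an Access-Accept even when the push is denied, while `alice` under `require` is rejected unless the push is approved. The fix therefore belongs in the proxy's policy, as the replies above say; the FortiGate's own contribution is limited to checking the Response Authenticator and honouring the code it receives.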
