Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nmarche1
New Contributor II

MFA Timeout settings for third party authenticator

Hello everyone, 

We have started enrolling into PING ID authentication in my company and we are having trouble setting up the MFA wait time on the Fortigate VPN (The time it sits on 45%). 

Is there any way to set the time for third party authenticators on the fortigate CLI (or GUI but i was not able to find those settings anywhere on the GUI) or are those settings on the RADIUS side of the authentication. Currently i was able to somehow set the time from 5 to about 40 seconds even though every parameter i put into the CLI was 60+ seconds.

Thanks in advance for any help.

Nikola Marceta
Nikola Marceta
1 Solution
aahmadzada
Staff
Staff

Maybe you have vdoms?

 

In that case yo should run these commands under a certain vdom.

 

Ahmad

Ahmad

View solution in original post

6 REPLIES 6
AEK
SuperUser
SuperUser

Hello

I think you are looking for this one:

config user radius
    edit radius1
        set timeout X  (default is 5)

Or:

config system global
    set remoteauthtimeout 5

 

AEK
AEK
nmarche1
New Contributor II

I have tried both of these, unfortunately they do not work.
No matter what value i put in the timeout time is at around 40 seconds but i do not have the 40 seconds in any parameter on my fortigate. 

 

Nikola Marceta
Nikola Marceta
aahmadzada
Staff
Staff

Well, in such a case I would recommend running debugs on the FGT and pcap of the radius traffic just to see, if the Fortigate is the one, that is doing something wrong after 40 seconds.

Connect to Fortigate via putty(enabled session logging) and run these commands on
 
#diag deb reset
#diag debug console timestamp en
#diagnose debug application fnbamd -1
#diag debug enable

Parallelly run the Pcket capture between Fortigate and the Radius server via webgui
 
Now reproduce the issue.
Once reproduced, check the debug outputs to see, if the Fortigate is destroying the authentication session before the configured remoteauthtimeout value

Also, check the packet capture outputs, you might see something interesting as well.
 
Ahmad

Ahmad
nmarche1
New Contributor II

Maybe i am doing something wrong, 

I can get into my fortigate with SSH without problems but these commands are not working for me...

Anything i should enable for it to work?

 

Nikola Marceta
Nikola Marceta
AEK

Either you are on the wrong VDOM or you logged-in with a low privileged user.

Also make sure you configured the radius' timeout params via CLI in the right VDOM.

AEK
AEK
aahmadzada
Staff
Staff

Maybe you have vdoms?

 

In that case yo should run these commands under a certain vdom.

 

Ahmad

Ahmad
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors