Hi,
We are migrating from AnyConnect to FortiClient and encountering many problems. Currently, a RADIUS server (NPS) is being used, which passes Cisco RADIUS attributes such as IP address, subnet mask, and a dynamic ACL (DAC) for each user.
For each user created in Active Directory, a static IP is assigned, the RADIUS profile to use is specified, and the corresponding ACL policies are created on the ASA.
On the Fortigate side, I have configured the RADIUS servers and set up the entire SSL portal. Since the IP is passed statically, I found a guide that suggested setting "set ip-mode user-group" under the portal.
I also created the corresponding ACL that allows from SSL VPN to any, but as soon as the MFA notification arrives with Duo, I get permission denied (error -455) and the process stops at 43%.
Does anyone have any suggestions?
I've tried everything but can't solve it.
Below is the configuration.
config vpn ssl web portal
edit "RADIUS1_PORTAL" <---- my 1st portal
set tunnel-mode enable
set ip-mode user-group
set ip-pools "Pool_Vpn"
next
edit "RADIUS2_PORTAL" <---- my 2nd portal
set tunnel-mode enable
set ip-mode user-group
set ip-pools "Pool_Vpn"
next
end
config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set tunnel-ip-pools "Pool_Vpn"
set dns-server1 8.8.8.8
set source-interface "outise_vpn"
set source-address "all"
set default-portal "tunnel-access"
config authentication-rule
edit 1
set groups "radius1" <-------1st radius i'm using
set portal "RADIUS1_PORTAL"
next
edit 3
set groups "radius2" <-------2nd radius i'm using
set portal "RADIUS2_PORTAL"
next
end
end
config vpn ssl web portal
edit "RADIUS1_PORTAL"
set tunnel-mode enable
set ip-mode user-group <------------------to use framed-ip from radius attributes (radius is passing the ip statically)
set ip-pools "Pool_Vpn"
next
edit "RADIUS2_PORTAL"
set tunnel-mode enable
set ip-mode user-group <------------------to use framed-ip from radius attributes (radius is passing the ip statically)
set ip-pools "Pool_Vpn"
next
end
POLICY CONFIGURATION
config firewall policy
edit 1
set name "Vpn to inside"
set uuid 6bc672ce-0fd1-5
set srcintf "ssl.Vpn"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set groups "radius1" "radius2"
next
end
Hi @maulishshah ,
I found I was hitting the Blast-RADIUS bug, and solved it with the following:
Thank you for the tips
Greetings!
It could be that the VPN authentication fails before the end user completes the DUO MFA push on their mobile or token device. This can result in a 'permission denied' error in FortiClient, followed by a DUO push notification that no longer functions.
Regards!
Created on 04-07-2025 06:59 AM, edited on 04-07-2025 07:01 AM
Hello @Dhruvin_patel , @maulishshah ,
I'm using RADIUS, not LDAP. I've followed your tips and increased the timer from 5 to 10 ("set remoteauthtimeout 10"), but the login is still failing: once I receive the DUO push notification and accept it, it is correctly authorized in the smartphone app, but I'm given the 455 error.
Debug output follows:
FIREWALL (VPNSLLCONTEXT) # [1757] handle_req-Rcvd auth req 60486181335043 for John Bebal in opt=00201420 prot=9 svc=5
[333] __compose_group_list_from_req-Group 'John Bebal', type 5
[333] __compose_group_list_from_req-Group 'radius1', type 1
[333] __compose_group_list_from_req-Group 'radius2', type 1
[508] create_auth_session-Session created for req id 60486181335043
[357] auth_local-started for John Bebal
[429] auth_local-No conclusion, FNBAM_UNKNOWN
[590] fnbamd_cfg_get_tac_plus_list-
[441] __fnbamd_cfg_get_tac_plus_list_by_user-
[389] __fnbamd_cfg_add_tac_plus_by_user-
[389] __fnbamd_cfg_add_tac_plus_by_user-
[389] __fnbamd_cfg_add_tac_plus_by_user-
[389] __fnbamd_cfg_add_tac_plus_by_user-
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-
[629] __fnbamd_cfg_get_ldap_list_by_user-
[563] __fnbamd_cfg_add_ldap_by_user-
[563] __fnbamd_cfg_add_ldap_by_user-
[563] __fnbamd_cfg_add_ldap_by_user-
[563] __fnbamd_cfg_add_ldap_by_user-
[856] fnbamd_cfg_get_ldap_list-Total LDAP servers to try: 0
[416] ldap_start-Didn't find ldap servers
[316] radius_start-eap_local=0
[896] fnbamd_cfg_get_radius_list-
[692] __fnbamd_cfg_get_radius_list_by_user-
[639] __fnbamd_cfg_add_radius_by_user-
[376] verify_local_user_match_and_update-Found a matching user in CMDB 'John Bebal'
[456] fnbamd_rad_get-vfid=5, name='radius1'
[645] __fnbamd_cfg_add_radius_by_user-Loaded RADIUS server 'radius1' for user 'John Bebal' (16777218)
[639] __fnbamd_cfg_add_radius_by_user-
[639] __fnbamd_cfg_add_radius_by_user-
[639] __fnbamd_cfg_add_radius_by_user-
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1172] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot MS-CHAPv2
[1107] __auth_ctx_svr_push-Added addr 192.168.1.111:1812 from rad 'radius1'
[930] __fnbamd_rad_get_next_addr-Next available address of rad 'radius1': 192.168.1.111:1812.
[1125] __auth_ctx_start-Connection starts radius1:192.168.1.111, addr 192.168.1.111:1812 proto: UDP
[280] __rad_udp_open-Opened radius socket 12, sa_family 2
[945] __rad_conn_start-Socket 12 is created for rad 'radius1'.
[807] __rad_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[417] __fnbamd_cfg_get_pop3_list_by_group-
[422] __fnbamd_cfg_get_pop3_list_by_group-Group 'radius1'
[422] __fnbamd_cfg_get_pop3_list_by_group-Group 'radius2'
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[434] start_remote_auth-Total 1 server(s) to try
[1900] handle_req-r=4
[828] __rad_rxtx-fd 12, state 1(Auth)
[830] __rad_rxtx-Stop rad conn timer.
[837] __rad_rxtx-
[605] fnbamd_rad_make_access_request-
[328] __create_access_request-Compose RADIUS request
[588] __create_access_request-Created RADIUS Access-Request. Len: 218.
[1171] fnbamd_socket_update_interface-vfid is 5, intf mode is 0, intf name is , server address is 192.168.1.111:1812, source address is null, protocol number is 17, oif id is 0
[353] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[868] __rad_rxtx-Sent radius req to server 'radius1': fd=12, IP=192.168.1.111(192.168.1.111:1812) code=1 id=44 len=218
[877] __rad_rxtx-Start rad conn timer.
[828] __rad_rxtx-fd 12, state 1(Auth)
[830] __rad_rxtx-Stop rad conn timer.
[880] __rad_rxtx-
[431] __rad_udp_recv-Recved 317 bytes. Buf sz 8192
[1125] __rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now
[1158] __rad_chk_resp_authenticator-No Message Authenticator
[1212] fnbamd_rad_validate_pkt-Invalid digest
[905] __rad_rxtx-Error validating radius rsp
[1028] __rad_error-Ret 5, st = 1.
[295] fnbamd_radius_get_next_auth_prot-Next auth prot MS-CHAPv2
[1077] __rad_error-
[306] __rad_udp_close-closed.
[964] __rad_conn_stop-Stop rad conn timer.
[1286] fnbamd_rad_process-Result from radius svr 'radius1' is 5, req 60486181335043
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 1, State_Len: 0
[2802] fnbamd_rad_result-Error (5) for req 60486181335043
[239] fnbamd_comm_send_result-Sending result 5 (nid 0) for req 60486181335043, len=6688
[600] destroy_auth_session-delete session 60486181335043
[1347] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'radius1' ctx
[1219] fnbamd_rad_auth_ctx_uninit-
[969] __rad_stop-
[964] __rad_conn_stop-Stop rad conn timer.
[784] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing radius1, ref:2
[41] __rad_server_free-Freeing 192.168.1.111, ref:2
[519] fnbamd_rad_auth_ctx_free-
[1350] fnbamd_rads_destroy-
[1865] fnbamd_ldaps_destroy-
[1041] fnbamd_tacs_destroy-
[902] fnbamd_pop3s_destroy-
[1070] fnbamd_ext_idps_destroy-
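What the three fnbamd lines "__rad_chk_resp_authenticator-The Message Authenticator validation is mandatory now", "No Message Authenticator" and "fnbamd_rad_validate_pkt-Invalid digest" are reporting is a problem with the RADIUS reply itself, not with the credentials or the Duo push: the FortiGate now insists that the Access-Accept/Reject/Challenge carries a Message-Authenticator attribute (type 80, RFC 2869), the reply from 192.168.1.111 has none, and the packet is discarded with result 5 before any Framed-IP or group attribute is looked at. The block below is an added example, not code from the original post or from Fortinet: a small Python validator that performs the same two checks a NAS does, the Response Authenticator from RFC 2865 and the Message-Authenticator HMAC from RFC 2869, against a constructed Access-Accept built once with attribute 80 and once without. The shared secret, the Request Authenticator, the Framed-IP-Address value and all helper names are assumptions made up for the example; the username and RADIUS id 44 are taken from the debug above.

```python
import hashlib
import hmac
import os
import struct

# All values below are constructed for this example (not from the post or a capture).
SECRET = b"example-shared-secret"      # assumed shared secret between FortiGate and NPS
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(typ, value):
    """Encode one RADIUS attribute as type / length / value (RFC 2865, section 5)."""
    return struct.pack("!BB", typ, len(value) + 2) + value


def parse_attrs(body):
    """Walk the attribute list; return (type, value, offset) and reject bad TLVs."""
    out, i = [], 0
    while i < len(body):
        if len(body) - i < 2:
            raise ValueError("truncated attribute header")
        typ, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        out.append((typ, body[i + 2:i + length], i))
        i += length
    return out


def build_response(code, ident, req_auth, attrs, secret, with_msg_auth):
    """Build a RADIUS response the way a server does.

    Response Authenticator (RFC 2865, section 3):
        MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    Message-Authenticator in a response (RFC 2869, section 5.14):
        HMAC-MD5(secret, Code + ID + Length + RequestAuth + Attributes),
        computed with the attribute's own 16 value bytes set to zero.
    """
    body = b"".join(attr(t, v) for t, v in attrs)
    if with_msg_auth:
        body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac          # the attribute is last, so its value is the tail
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def validate_response(pkt, req_auth, secret, require_msg_auth=True):
    """Validate a response as the NAS does; mirrors the three fnbamd outcomes.

    Returns "ok", "no message authenticator" or "invalid digest".
    """
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "invalid digest"
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "invalid digest"
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return "invalid digest"
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return "no message authenticator" if require_msg_auth else "ok"
    if len(macs) != 1 or len(macs[0][0]) != 16:
        return "invalid digest"
    value, off = macs[0]
    zeroed = body[:off + 2] + bytes(16) + body[off + 18:]
    mac = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(mac, value) else "invalid digest"


def demo():
    """Same Access-Accept for the user in the debug, with and without attribute 80."""
    req_auth = os.urandom(16)  # the Request Authenticator the FortiGate sent in id=44
    accept_attrs = [
        (ATTR_USER_NAME, b"John Bebal"),
        (ATTR_FRAMED_IP_ADDRESS, bytes([10, 10, 10, 5])),  # assumed static VPN IP
    ]
    good = build_response(ACCESS_ACCEPT, 44, req_auth, accept_attrs, SECRET, True)
    bare = build_response(ACCESS_ACCEPT, 44, req_auth, accept_attrs, SECRET, False)
    tampered = bytearray(good)
    tampered[-1] ^= 0x01   # one flipped bit in the MAC breaks both digests
    return {
        "with_attr80": validate_response(good, req_auth, SECRET),
        "without_attr80": validate_response(bare, req_auth, SECRET),
        "without_attr80_relaxed": validate_response(bare, req_auth, SECRET, require_msg_auth=False),
        "tampered": validate_response(bytes(tampered), req_auth, SECRET),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The "without_attr80" case is the one the debug shows: the Response Authenticator is fine, so the secret matches, but with the mandatory check the missing attribute alone is enough to fail the login, which is why the Duo approval on the phone changes nothing. When reading a sniffer capture of port 1812, look in the Access-Accept for attribute 80; if it is absent, the RADIUS server is not sending it, and the FortiGate will keep logging exactly those three lines until the server does (or the FortiGate side of the check is changed).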
Hello @Dhruvin_patel @maulishshah ,
I'm not using LDAP but RADIUS; as @maulishshah advised, I've increased the "set remoteauthtimeout" from 5 to 10, but I'm still given the 455 error.
Once I try to connect from FortiClient, I receive the DUO push notification, I accept it, and immediately I'm given the connection error.
I took a debug of the connection attempt but can't find anything useful.
Do you have any other ideas?
Thank you
Can you please run the following debugs together:
di de application sslvpn -1
di de application fnbamd -1
di de en
In addition, collect a Wireshark capture for RADIUS:
di sniff packet any 'host x.x.x.x and port 1812' 6 0 l (x.x.x.x is the RADIUS server)
Thank you.
@Maerre, can you please increase the remote auth timeout by following this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explaining-global-set-remoteauthtimeout-us...
By default, the remote auth timeout is set to 5 seconds, which is possibly the reason the MFA response is not received within the time frame.
Copyright 2025 Fortinet, Inc. All Rights Reserved.