We have successfully configured RADIUS authentication against our RADIUS server. We have also changed the "set remoteauthtimeout" in the global options to 120 seconds to wait for the RADIUS server to respond. The RADIUS server sends a message to the user's phone, prompting them to approve the connection. Even though the "remoteauthtimeout" parameter is set to 120 seconds, the Fortinet sends duplicate RADIUS requests to the authentication server every 5 seconds. This results in the end user being prompted multiple times to approve the same connection until they approve the connection. In the packet capture below you can see the requests being sent every 5 seconds. Is there a parameter that can be set that sends a single RADIUS request and simply waits until a response is received?

    6.962772 port16 out 1.1.1.1.14835 -> 2.2.2.2.1812: udp 113
    11.966974 port16 out 1.1.1.1.14835 -> 2.2.2.2:1812: udp 113
    16.977282 port16 out 1.1.1.1.14835 -> 2.2.2.2.1812: udp 113
Looks a lot like the setting in the config user radius section. There is a timeout value which is default set to 5 seconds. Maybe you can try to change it:
    config user radius
        edit <server_name>
            set timeout <secs_int>
    end

Enter the timeout in seconds between resending authentication requests. These requests occur during the remoteauthtimeout period set in system global.
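As an added example (not code from the thread or from Fortinet), the script below parses sniffer lines in the format shown in the question, measures the resend interval per authentication attempt (same client source port), and estimates how many push prompts a user receives for given timer values. The prompt-count estimate assumes one resend per `timeout` interval inside the `remoteauthtimeout` window, which is what the quoted documentation describes.

```python
import re
from collections import defaultdict

# Sample taken from the question's capture (one attempt resent every ~5 s).
SNIFFER_OUTPUT = """\
6.962772 port16 out 1.1.1.1.14835 -> 2.2.2.2.1812: udp 113
11.966974 port16 out 1.1.1.1.14835 -> 2.2.2.2:1812: udp 113
16.977282 port16 out 1.1.1.1.14835 -> 2.2.2.2.1812: udp 113
"""

# timestamp, interface, direction, src ip.port -> dst ip.port: udp length
# (the capture above writes the port after a dot or a colon; accept both)
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\S+\s+(?:in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)[.:](?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)[.:](?P<dport>\d+):\s+udp\s+\d+$"
)
RADIUS_AUTH_PORT = 1812

def parse_sniffer(text):
    """Group RADIUS request timestamps by (src, sport, dst) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m["dport"]) == RADIUS_AUTH_PORT:
            flows[(m["src"], int(m["sport"]), m["dst"])].append(float(m["ts"]))
    return flows

def retransmit_intervals(timestamps):
    """Gaps between consecutive requests of the same attempt (same source port
    means the FortiGate is resending, not starting a new login)."""
    return [round(b - a, 3) for a, b in zip(timestamps, timestamps[1:])]

def expected_prompts(remoteauthtimeout, radius_timeout, user_delay):
    """Estimate of Access-Requests (hence phone prompts) for one login when the
    user takes `user_delay` seconds to approve: the first request plus one
    resend per `radius_timeout` interval, capped by the remoteauthtimeout window."""
    window = min(user_delay, remoteauthtimeout)
    return 1 + int(window // radius_timeout)

def check_radius_timers(remoteauthtimeout, radius_timeout):
    """Config check: a resend interval shorter than the overall wait means a
    push-MFA user is re-prompted for a single login."""
    if radius_timeout < remoteauthtimeout:
        return (f"warn: user radius timeout={radius_timeout}s < remoteauthtimeout="
                f"{remoteauthtimeout}s; up to "
                f"{expected_prompts(remoteauthtimeout, radius_timeout, remoteauthtimeout)}"
                f" requests per login; set timeout to {remoteauthtimeout}")
    return "ok: single request per login"

if __name__ == "__main__":
    for flow, ts in parse_sniffer(SNIFFER_OUTPUT).items():
        print(flow, retransmit_intervals(ts))
    print(check_radius_timers(120, 5))
```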
Thanks, that did the trick.
I set the timeout in the RADIUS server to 120 seconds to match the "remoteauthtimeout" and now it only sends a single RADIUS request.
Hi,
That's because "remoteauthtimeout" governs how long the FGT will wait for a response from the RADIUS server.
It is neither applied to waiting for user input nor to resends to the server.
It's applied just to response times from the server.
And from this point of view 120 sec is a hell of a lot of time. I would not recommend using that high a value.
Because you might face request queuing if RADIUS gets truly unresponsive; then the FGT will be waiting 120 sec before realizing that the server is unreachable.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi Tomas,
Understood. The RADIUS server is only very lightly used for VPN authentication and we have to give the users enough time to respond to the request on their phones, hence the long timeout.
The point is that "remoteauthtimeout" has absolutely nothing to do with user response. It's a timer for responses from the RADIUS server.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff