g3rman
New Contributor

Repeated RADIUS Requests

We have successfully configured RADIUS authentication against our RADIUS server. We have also changed the "set remoteauthtimeout" in the global options to 120 seconds to wait for the RADIUS server to respond. The RADIUS server sends a message to the user's phone, prompting them to approve the connection. Even though the "remoteauthtimeout" parameter is set to 120 seconds, the Fortinet sends duplicate RADIUS requests to the authentication server every 5 seconds. This results in the end user being prompted multiple times to approve the same connection until they approve the connection. In the packet capture below you can see the requests being sent every 5 seconds. Is there a parameter that can be set that sends a single RADIUS request and simply waits until a response is received?

6.962772 port16 out 1.1.1.1.14835 -> 2.2.2.2.1812: udp 113
11.966974 port16 out 1.1.1.1.14835 -> 2.2.2.2:1812: udp 113
16.977282 port16 out 1.1.1.1.14835 -> 2.2.2.2.1812: udp 113

A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
oheigl
Contributor II

Looks a lot like the setting in the config user radius section. There is a timeout value which is set to 5 seconds by default. Maybe you can try to change it:

config user radius
    edit <server_name>
        set timeout <secs_int>
    end

Enter the timeout in seconds between resending authentication requests. These requests occur during the remoteauthtimeout period set in system global.
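The capture in the question and the timer relationship described in this reply, as an added example that is not part of the thread: the script parses FortiGate sniffer-style lines, flags a RADIUS flow that repeats from the same source port (the signature of one request being resent rather than several logins), measures the resend interval, and estimates how many requests the server sees over a remoteauthtimeout window for a given timeout. The sample capture is constructed; the count estimate is an approximation, not FortiGate's exact retry algorithm.

```python
import re
from collections import defaultdict

# Constructed sample in FortiGate "diagnose sniffer packet" style, modelled on
# the capture in the question: the same source port 14835 reaches the RADIUS
# auth port three times, 5 s apart, plus one unrelated DNS packet as noise.
SAMPLE_CAPTURE = """\
6.962772 port16 out 1.1.1.1.14835 -> 2.2.2.2.1812: udp 113
9.100000 port16 out 1.1.1.1.40000 -> 8.8.8.8.53: udp 60
11.966974 port16 out 1.1.1.1.14835 -> 2.2.2.2:1812: udp 113
16.977282 port16 out 1.1.1.1.14835 -> 2.2.2.2.1812: udp 113
"""

# Accepts both "2.2.2.2.1812" and "2.2.2.2:1812", as the pasted capture shows.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\S+\s+(?:in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})[.:](?P<dport>\d+):\s+udp\s+\d+$"
)
RADIUS_AUTH_PORTS = {1812, 1645}  # 1813/1646 carry accounting, not auth

def radius_retransmits(capture):
    """Group RADIUS auth packets by (src, sport, dst, dport). A flow that repeats
    from one source port is the same request being resent, not new logins;
    returns {flow: {"count": n, "interval": mean gap in seconds}}."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m["dport"]) in RADIUS_AUTH_PORTS:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            flows[key].append(float(m["ts"]))
    result = {}
    for key, stamps in flows.items():
        if len(stamps) > 1:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            result[key] = {"count": len(stamps),
                           "interval": round(sum(gaps) / len(gaps), 1)}
    return result

def expected_requests(remoteauthtimeout, radius_timeout):
    """Approximate number of requests the server sees while a user is still
    deciding on the phone: one initial send plus a resend every `timeout`
    seconds until remoteauthtimeout expires (ceiling division)."""
    return max(1, -(-remoteauthtimeout // radius_timeout))

if __name__ == "__main__":
    print(radius_retransmits(SAMPLE_CAPTURE))
    print(expected_requests(120, 5), expected_requests(120, 120))
```

With the thread's values, a 5 s timeout under a 120 s remoteauthtimeout yields about 24 requests (and push prompts), while matching the two timers yields one.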

g3rman
New Contributor

Thanks, that did the trick.

I set the timeout in the RADIUS server to 120 seconds to match the "remoteauthtimeout" and now it only sends a single RADIUS request.

A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
xsilver_FTNT

Hi,

That's because "remoteauthtimeout" governs how long the FGT will wait for a response from the RADIUS server.

It is neither applied to waiting for user input, nor to resends to the server.

It's applied just to response times from the server.

And from this point of view 120 sec is a hell of a lot of time. I would not recommend using that high a value.

Because you might face request queuing if RADIUS gets truly unresponsive; then the FGT will be waiting 120 sec before realizing that the server is unreachable.

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

g3rman

Hi Tomas,

 

Understood. The RADIUS server is only very lightly used for VPN authentication and we have to give the users enough time to respond to the request on their phones, hence the long timeout.

A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
xsilver_FTNT

Point is that "remoteauthtimeout" has absolutely nothing to do with user response. It's a timer for responses from the RADIUS server.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
