Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- SSL VPN - Duo Authentication
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN - Duo Authentication
Hey,
Looking incorporate are existing Duo 2FA setup into our FortiGate VPN, I've followed through the guide but falling at the last hurdle.
I've gotten as far as adding the Duo Proxy host as a radius server in Forti and if I do "Test Credentials" here it all works as expected, I get a prompt on my phone and a success message when I accept it.
I've then tried to apply this to the VPN by creating a new user group linked to the radius server and changing the group in the SSL VPN Settings > Authentication / Portal Mapping section to be the new group.
Unfortunately when I then try to connect to the VPN it never prompts for verification, just fails to authenticate.
I have also ran the following at the CLI to increase the timeout but it didn't help.
config system global
set remoteauthtimeout 60
end
I'm sure I've missed something super simple, but can't see what at the moment.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Might be worth checking out the following KB from Duo, i know we ran into similar issues after updating FortiOS but i don't recall exactly where the connection was failing for us.
https://help.duo.com/s/article/9012?language=en_US
Side note, we previously used Duo for Radius auth to our sslvpn and switched over to Duo SSO for the vpn as it provides a much better user experience IMO - just food for thought
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what FortiOS are you running on the FGT ?
also, did you ran any kind of debug for radius to see where the issue might be ?
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Currently running v7.2.10 build1706.
Yes have done some diagnostics, just to confirm when using the diagnostics command or using the "Test Credentials" button on the RADIUS server configuration screen, it all works find, the prompt is sent to my phone and it's approved.
It just doesn't work when trying to use in against the VPN logon.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://www.reddit.com/r/fortinet/comments/1foj7e4/7210_breaks_duo_radius_proxy/
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Dave,
a few things you could check:
- FortiGate may require the Message-Authenticator attribute from your Duo RADIUS server (the GUI test can be unreliable in verifying the connection).
- you can disable the Message-Authenticator requirement via CLI:
config user radius
edit <>
set require-message-authenticator disable
end
- if you work with user groups, ensure that Duo RADIUS sends the correct RADIUS attributes so FortiGate can match the expected user groups: Technical Tip: How FortiGate determines group memberships from RADIUS responses
Hope this helps!
Cheers,
Debbie
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I've made some progress on this.
I've added the new users group to all the firewall rules surrounding the VPN and now I do get the prompt on my phone.
However, I get this prompt whether I have the group in the SSL-VPN setting page set to the old none RADIUS group or the new RADIUS enabled user group, for the former the VPN connects regardless of what I do with the prompt (Approve / Deny or Ignore) and for the latter it still fails to authenticate.
"Sorry, could not start connection "myvpn".
Error: Revoked by Android: REBOOT!"
Similarly on Windows, I get the prompt on my phone but the client immediately shows that the connection went down again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have a look at this document as it may help you find the authentication issue:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542
The FNBAMD should tell you where you are failing in the debug.
Hope this helps.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I've turned that on and it does provide some interesting although confusing information, it's hard to tell where one "request" ends and another begins but the main thing that jumps out at me is these lines:
deconstruct_session_id:492 decode session id ok, user=[MY_USER_NAME], group=[VPN Users],authserver=[WINDOWS_DC_HOST],portal=[web-access],host[1MY_LAN_IP]
It still seems to be submitting the request via the old (Non Duo) user group, the new group and the one I had set in the SSL-VPN Settings > Authentication Mapping section is "VPN Users Duo" , that group also uses different RADIUS server, not WINDOWS_DC_HOST.
Am I just being really stupid and I've missed some where that I need to change the user group that is being used for authentication?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Dave,
one thing to be aware of:
-> FortiGate only relies on the SSLVPN group settings to select the appropriate portal, nothing else (unless you configure sslvpn realms)
-> It relies solely on the groups set in policies to determine what groups to check the user against
-> in that case, first server to respond with successful auth wins, and that's the server (and group) FortiGate goes with
-> it will apply the default VPN portal ('all other users/groups') if there is no defined portal mapping for the specific server/group
--> that may be why it says 'web_access':
deconstruct_session_id:492 decode session id ok, user=[MY_USER_NAME], [...],portal=[web-access],[...]
-> if you're trying to connect from a FortiClient, it may fail here because FortiGate offers web_mode instead of tunnel_mode.
Perhaps give SSLVPN realms a try:
- enable them under System > Feature Select
- configure a realm with a simple string like 'duo' as name
- in the SSLVPN group/portal mapping, edit the mapping for your desired group, and add the realm 'duo'
- in your FortiClient (or browser), access: https://<vpn-ip/FQDN>:<port>/duo
-> see if that works
Cheers,
Debbie
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Labels
-
FortiGate
10,530 -
FortiClient
2,141 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
675 -
5.4
638 -
FortiSwitch
581 -
FortiAP
558 -
FortiClient EMS
553 -
6.0
416 -
IPsec
414 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
278 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
169 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
127 -
FortiCloud Products
116 -
FortiSIEM
112 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
74 -
SAML
71 -
DNS
71 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
SSID
25 -
Static route
25 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2559 | |
| 1357 | |
| 795 | |
| 650 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.