Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kevinQMT
New Contributor

VPN only client not working with Radius

We cannot seem to get the VPN only client working with our Radius setup on FG. Its setup this way for DUO push notices. VPN only client seems to look for an LDAP server, which is not used in our configuration. We attempted to switch the config to use LDAP instead of Radius but then DUO stops working.

This configuration works fine on the full FortiClient install but then timebombs after 30 days then only EMS connectsion are supported.

 

Has anyone else seen this?

 

[336] fnbamd_create_radius_socket-Opened radius socket 13 [336] fnbamd_create_radius_socket-Opened radius socket 14 [1391] fnbamd_radius_auth_send-Compose RADIUS request [1351] fnbamd_rad_dns_cb-x.x.x.x->x.x.x.x [1329] __fnbamd_rad_send-Sent radius req to server 'Duo RADIUS': fd=13, IP=x.x.x.x(x.x.x.x:1812) code=1 id=13 len=115 user="user" using PAP [313] radius_server_auth-Timer of rad 'Duo RADIUS' is added [743] auth_tac_plus_start-Didn't find tac_plus servers (0) [1015] __fnbamd_cfg_get_ldap_list_by_group- [1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0 [481] ldap_start-Didn't find ldap servers [596] create_auth_session-Total 1 server(s) to try [48] handle_rad_timeout-rad 'Duo RADIUS' x.x.x.x timed out, resend request.

6 REPLIES 6
Toshi_Esumi
Esteemed Contributor III

We have one customer using Duo. We set up a RADIUS for it and they said it's working. Only thing we had to adjust was remoteauthtimeout in global so that it won't time out before users finish the 2nd factor auth procedure on Duo side. So far the customer is not complaining after we've set it up and initially tested.

kevinQMT

the full client or the VPN only client? We have it working with the full client. I'll take a look but pretty sure we adjusted the remoteauthtimeout in global already. When using VPN only client get the MFA prompt and as soon as it is authorized we get the error. 

Toshi_Esumi
Esteemed Contributor III

We only deploy "FortiCliet VPN". None of our customers uses the EMS.

Toshi_Esumi
Esteemed Contributor III

Although FortiClient VPN is not supported by TAC, I think you can still open a ticket with them because the RADIUS you configured on the FGT is not working.

kevinQMT

I still get the same error even when re-applying the remoteauthtimeout setting to 120. What VPN client version are you using?

Unable to establish the VPN connection, The VPN server may be unreachable. (-14)

Policies are

from: sslvpn_tun_intf, to: port1, source: sslvpn-range & Duo SSL VPN-Radius, destination: internal net, servce: all

 

from: sslvpn_tun_intf, to: wan1, source: all & Duo SSL VPN-Radius, destination: all, servce: outbound, users: Duo SSL VPN-Radius

 

 

FG200E-QMTHQ # [168:root:2da]allocSSLConn:298 sconn 0x7f6340d9f200 (0:root) [168:root:2da]SSL state:before SSL initialization (pub ip) [168:root:2da]SSL state:before SSL initialization:DH lib(pub ip) [168:root:2da]SSL_accept failed, 5:(null) [168:root:2da]Destroy sconn 0x7f6340d9f200, connSize=0. (root) [168:root:2db]allocSSLConn:298 sconn 0x7f6340d9f200 (0:root) [168:root:2db]SSL state:before SSL initialization (pub ip) [168:root:2db]SSL state:before SSL initialization (pub ip) [168:root:2db]got SNI server name: access.quadmtech.com realm (null) [168:root:2db]client cert requirement: no [168:root:2db]SSL state:SSLv3/TLS read client hello (pub ip) [168:root:2db]SSL state:SSLv3/TLS write server hello (pub ip) [168:root:2db]SSL state:SSLv3/TLS write change cipher spec (pub ip) [168:root:2db]SSL state:SSLv3/TLS write finished (pub ip) [168:root:2db]SSL state:SSLv3/TLS write finished:system lib(pub ip) [168:root:2db]SSL state:SSLv3/TLS write finished (pub ip) [168:root:2db]SSL state:SSLv3/TLS read change cipher spec (pub ip) [168:root:2db]SSL state:SSLv3/TLS read finished (pub ip) [168:root:2db]SSL state:SSL negotiation finished successfully (pub ip) [168:root:2db]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 [168:root:2db]req: /remote/info [168:root:2db]capability flags: 0xdf [168:root:2db]req: /remote/login [168:root:2db]rmt_web_auth_info_parser_common:460 no session id in auth info [168:root:2db]rmt_web_get_access_cache:797 invalid cache, ret=4103 [168:root:2db]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}]) [168:root:2db]get_cust_page:125 saml_info 0 [168:root:2db]req: /remote/logincheck [168:root:2db]rmt_web_auth_info_parser_common:460 no session id in auth info [168:root:2db]rmt_web_access_check:716 access failed, uri=[/remote/logincheck],ret=4103, [168:root:2db]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}]) [168:root:2db]sslvpn_auth_check_usrgroup:2603 forming user/group list from policy. [168:root:2db]sslvpn_auth_check_usrgroup:2641 got user (0) group (1:0). [168:root:2db]sslvpn_validate_user_group_list:1786 validating with SSL VPN authentication rules (1), realm (). [168:root:2db]sslvpn_validate_user_group_list:1801 checking rule 1 cipher. [168:root:2db]sslvpn_validate_user_group_list:1809 checking rule 1 realm. [168:root:2db]sslvpn_validate_user_group_list:1820 checking rule 1 source intf. [168:root:2db]sslvpn_validate_user_group_list:1859 checking rule 1 vd source intf. [168:root:2db]sslvpn_validate_user_group_list:2178 rule 1 done, got user (0:0) group (1:0) peer group (0). [168:root:2db]sslvpn_validate_user_group_list:2506 got user (0:0), group (1:0) peer group (0). [168:root:2db]sslvpn_update_user_group_list:1734 got user (0:0), group (1:0), peer group (0) after update. [168:root:2db]two factor check for kmann: off [168:root:2db]sslvpn_authenticate_user:166 authenticate user: [user] [168:root:2db]sslvpn_authenticate_user:173 create fam state [168:root:2db][fam_auth_send_req_internal:444] Groups sent to FNBAM: [168:root:2db]group_desc[0].grpname = Duo SSL VPN-Radius [168:root:2db][fam_auth_send_req_internal:456] FNBAM opt = 0X200421 [168:root:2db]fam_auth_send_req_internal:532 fnbam_auth return: 4 [168:root:2db]fam_auth_send_req:1055 task finished with 4 [168:root:2db]fam_auth_proc_resp:1317 fnbam_auth_update_result return: 0 [168:root:2db][fam_auth_proc_resp:1412] Authenticated groups (1) by FNBAM: [168:root:2db]Received: auth_rsp_data.grp_list[0] = 2 [168:root:2db]fam_auth_proc_resp:1436 found node Duo SSL VPN-Radius:0:, valid:1 [168:root:2db]Validated: auth_rsp_data.grp_list[0] = Duo SSL VPN-Radius [168:root:2db]Auth successful for user kmann in group Duo SSL VPN-Radius [168:root:2db]fam_do_cb:665 fnbamd return auth success. [168:root:2db]SSL VPN login matched rule (1). [168:root:2db]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}]) [168:root:2db]rmt_web_session_create:835 create web session, idx[0] [168:root:2db]login_succeeded:536 redirect to hostcheck [168:root:2db]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}]) [168:root:2db]deconstruct_session_id:426 decode session id ok, user=[user],group=[Duo SSL VPN-Radius],authserver=[Duo RADIUS],portal=[QMT-full-tunnel-portal],host=[pub ip],realm=[],idx=0,auth=2,sid=1cb425e2,login=1629309182,access=1629309182,saml_logout_url=no [168:root:2db]deconstruct_session_id:426 decode session id ok, user=[user],group=[Duo SSL VPN-Radius],authserver=[Duo RADIUS],portal=[QMT-full-tunnel-portal],host=[pub ip],realm=[],idx=0,auth=2,sid=1cb425e2,login=1629309182,access=1629309182,saml_logout_url=no [168:root:2db]deconstruct_session_id:426 decode session id ok, user=[user],group=[Duo SSL VPN-Radius],authserver=[Duo RADIUS],portal=[QMT-full-tunnel-portal],host=[pub ip],realm=[],idx=0,auth=2,sid=1cb425e2,login=1629309182,access=1629309182,saml_logout_url=no [168:root:2db]req: /remote/fortisslvpn [168:root:2db]deconstruct_session_id:426 decode session id ok, user=[user],group=[Duo SSL VPN-Radius],authserver=[Duo RADIUS],portal=[QMT-full-tunnel-portal],host=[pub ip],realm=[],idx=0,auth=2,sid=1cb425e2,login=1629309182,access=1629309182,saml_logout_url=no [168:root:2db]rmt_web_access_check:716 access failed, uri=[/remote/fortisslvpn],ret=4103, [168:root:2db]req: /remote/login [168:root:2db]rmt_web_auth_info_parser_common:460 no session id in auth info [168:root:2db]rmt_web_get_access_cache:797 invalid cache, ret=4103 [168:root:2db]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}]) [168:root:2db]get_cust_page:125 saml_info 0 [168:root:2db]req: /FortiClientSslvpnClearCacheUrl/for/Wini [168:root:2db]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t [168:root:2db]Timeout for connection 0x7f6340d9f200.

[168:root:2db]Destroy sconn 0x7f6340d9f200, connSize=0. (root)

 

The timeout for connection happens right after acccepting the mfa prompt (push notice)

I found this article, but it didnt help

https://kb.fortinet.com/k....do?externalID=FD48718

 

Toshi_Esumi
Esteemed Contributor III

I don't know what version the customer installed to their devices. Maybe 7.0 or 6.4 because it wasn't so long ago. I don't know about Duo much but the customer instructed us to set our FGT to point RADIUS to their own Windows server running a RADIUS proxy. Then the server must be communicating with Duo to do the 2nd factor auth.

Labels
Top Kudoed Authors