Hello,
I have configured our Fortigate to authenticate our ssl-vpn users with Azure AD. I've configured the enterprise app within Azure AD and configured the SAML user within the Fortigate.
I have no issues when I login the web-mode.
However when I try to connect with the Forticlient I receive a blank sceen after passing the authentication. After a while I receive the following error "Login page did not respond within time limit." The second time i press SAML Authentication the forticlient connects within seconds.
I reckon one of the URL's might be different for tunnel-mode / web-mode. Did anyone manage to find a solution for this issue?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You are correct. Just Azure-AD no other. Azure-ad is an Identity provider. Just make sure your fortigate has his firmware above 6.4.X.
I've written a blog post about it:
Ivo-Security - Fortigate and Azure AD: Safe remote access (ivo-security.blog)
I've also written a blog about the Azure-AD Dynamic Groups in combination with Fortigate:
Ivo-Security - Fortigate policy’s based on Azure Dynamic Groups (ivo-security.blog)
I've got the same issue and Fortinet seems to think it is Microsoft not responding. I don't think so, because the logs on microsoft's side shows where response is sent. I think Fortinet has some work to do on their end.
I also get hit/miss activity when Azure users try to authenticate after doing MFA. Of course, Fortinet points the finger at Microsoft, but Microsoft has shown proof of response. I'm thinking the Forticlient needs to be fixed.
I forgot to mention that I resolved the issue.
I changed the following setting on the Fortigate:
config system global set remoteauthtimeout 60 end
After that i could connect with the Forticlient
You can get fortigate to use AzureAD (not AzureAD Domain Services) as auth provider with just Fortigate on-premise? No FortiAuthentor or EMS or ....
?
?
Does this just come as part of setting up SD-WAN to Azure?
You are correct. Just Azure-AD no other. Azure-ad is an Identity provider. Just make sure your fortigate has his firmware above 6.4.X.
I've written a blog post about it:
Ivo-Security - Fortigate and Azure AD: Safe remote access (ivo-security.blog)
I've also written a blog about the Azure-AD Dynamic Groups in combination with Fortigate:
Ivo-Security - Fortigate policy’s based on Azure Dynamic Groups (ivo-security.blog)
WOOT!! I know what blog I will be reading (and what lab I will be setting up for testing) next week!!!
(Last time I looked at this it seemed to require LDAP which only was available through domain services or assumed a local domain controller with Azure AD connect or ADFS or something else keeping local Domain <-> AzureAD synced)
Thanks!
NeilG wrote:Let me know if you need some help!WOOT!! I know what blog I will be reading (and what lab I will be setting up for testing) next week!!!
(Last time I looked at this it seemed to require LDAP which only was available through domain services or assumed a local domain controller with Azure AD connect or ADFS or something else keeping local Domain <-> AzureAD synced)
Thanks!
Goodluck!
Hi AvK,
I have the same setup with Azure AD for SAML. Everything is working correctly with the exception of the first connection of the day where it stucks at 98%. Have you see this issue before? Fortinet Support asked me to give them some diagnostic out put but that will take awhile (first attempt this morning but forgot to toggle putty to output them all and missed the capture :))
If I left it there for about 10 minutes, then it will connect. Or if I disconnect and reconnect, then it will finish the connection.
Support think that it may cause by Azure AD cause when i shutdown my laptop, i didn't hit disconnect on the VPN and it may hold the session with Azure AD (doesn't make sense here).
let me known what you thought on this. Thanks.
cnguyen@mygenesisbank.com wrote:Hi AvK,
I have the same setup with Azure AD for SAML. Everything is working correctly with the exception of the first connection of the day where it stucks at 98%. Have you see this issue before? Fortinet Support asked me to give them some diagnostic out put but that will take awhile (first attempt this morning but forgot to toggle putty to output them all and missed the capture :))
If I left it there for about 10 minutes, then it will connect. Or if I disconnect and reconnect, then it will finish the connection.
Support think that it may cause by Azure AD cause when i shutdown my laptop, i didn't hit disconnect on the VPN and it may hold the session with Azure AD (doesn't make sense here).
let me known what you thought on this. Thanks.
It sounds familiar. I reckon you don't have the same issue on the web mode. The stuck on 98% is only happening when you use tunnel mode vpn?
Hi,
I'm trying to setup ADFS as SAML IdP to use FortiGate SSl VPN and see similar timeout problem as this thread. can anyone please help give me some comments about how to resolve it?
All the settings in my environment shall be done and I can complete the auth process on ADFS web page. But after the auth, the page stuck.
I checked the logs from CLI and see the log as below:
[237:root:b]SSL state:before SSL initialization (xxx.xxx.xxx.xxx) [237:root:b]SSL state:before SSL initialization (xxx.xxx.xxx.xxx) [237:root:b]got SNI server name: vpn.xxx.com realm (null) [237:root:b]client cert requirement: no [237:root:b]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write change cipher spec (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [237:root:b]got SNI server name: vpn.xxx.com realm (null) [237:root:b]client cert requirement: no [237:root:b]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 write encrypted extensions (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 write server certificate verify (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write finished (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS read finished (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [237:root:b]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 [237:root:b]req: /remote/info [237:root:b]capability flags: 0xdf [231:root:c]allocSSLConn:297 sconn 0x7f74cdfe00 (0:root) [232:root:c]allocSSLConn:297 sconn 0x7f74cdfe00 (0:root) [231:root:c]SSL state:before SSL initialization (xxx.xxx.xxx.xxx) [231:root:c]SSL state:before SSL initialization (xxx.xxx.xxx.xxx) [232:root:c][231:root:c]got SNI server name: vpn.xxx.com realm (null) SSL state:before SSL initialization (xxx.xxx.xxx.xxx) client cert requirement: no [231:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [232:root:c][231:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) got SNI server name: vpn.xxx.com realm (null) [231:root:c]SSL state:SSLv3/TLS write change cipher spec (xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [232:root:c][231:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) client cert requirement: no [232:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [232:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) [232:root:c]SSL state:SSLv3/TLS write change cipher spec (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [231:root:c]got SNI server name: vpn.xxx.com realm (null) [231:root:c]client cert requirement: no [231:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [232:root:c]got SNI server name: vpn.xxx.com realm (null) [232:root:c]client cert requirement: no [232:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 write encrypted extensions (xxx.xxx.xxx.xxx) [232:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 write encrypted extensions (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx) [231:root:c][232:root:c]SSL state:TLSv1.3 write server certificate verify (xxx.xxx.xxx.xxx) SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS write finished (xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 write server certificate verify (xxx.xxx.xxx.xxx) [232:root:c]SSL state:SSLv3/TLS write finished (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS read finished (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [231:root:c]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 [231:root:c]req: /remote/saml/start?redirect=1 [231:root:c]rmt_web_auth_info_parser_common:468 no session id in auth info [231:root:c]rmt_web_get_access_cache:820 invalid cache, ret=4103 [231:root:c]fsv_rmt_saml_start_cb:227 FCT redirects to external browser. [231:root:c]sslvpn_auth_check_usrgroup:2635 forming user/group list from policy. [232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [232:root:c]SSL state:SSLv3/TLS read finished (xxx.xxx.xxx.xxx) [231:root:c]sslvpn_auth_check_usrgroup:2673 got user (1) group (1:0). [231:root:c]sslvpn_validate_user_group_list:1825 validating with SSL VPN authentication rules (1), realm ((null)). [231:root:c]sslvpn_validate_user_group_list:1906 checking rule 1 cipher. [231:root:c]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [231:root:c]sslvpn_validate_user_group_list:1925 checking rule 1 source intf. [231:root:c]sslvpn_validate_user_group_list:1964 checking rule 1 vd source intf. [231:root:c]sslvpn_validate_user_group_list:2210 rule 1 done, got user (1:0) group (1:0) peer group (0). [231:root:c]sslvpn_validate_user_group_list:2538 got user (1:0), group (1:0) peer group (0). [231:root:c]sslvpn_update_user_group_list:1771 got user (1:0), group (1:0), peer group (0) after update. [232:root:c][231:root:c][fsv_found_saml_server_name_from_auth_lst:121] Found SAML server [adfs] in group [saml_sslvpn] SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [232:root:c]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 [231:root:c]req: /remote/saml/login/ [237:root:b]Timeout for connection 0x7f74cdfe00.
[237:root:b]Destroy sconn 0x7f74cdfe00, connSize=0. (root) [232:root:c]Timeout for connection 0x7f74cdfe00.
[232:root:c]Destroy sconn 0x7f74cdfe00, connSize=0. (root)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.