FortiGate
mkhabbazi
Staff
Article Id 196165

Description

This article provides a possible solution for cases where users are not able to log in to the FortiGate through TACACS+ because the TACACS+ server responds too slowly.

Scope

FortiGate.


Solution

In this example, the TACACS+ server that responds is 192.168.1.5. The problem is that it responds too slowly: the round-trip time is around 600 ms, which is more than the 500 ms connection timeout:

FGT # exe ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5): 56 data bytes
64 bytes from 192.168.1.5: icmp_seq=0 ttl=123 time=575.2 ms
64 bytes from 192.168.1.5: icmp_seq=1 ttl=123 time=576.8 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=123 time=581.3 ms

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 575.2/577.7/581.3 ms

The connection timeout is 500 ms. If the server does not answer within that time, it is considered unreachable and the login fails.

The timeout can be adjusted with the global parameter 'ldapconntimeout'. Despite its name, it also applies to TACACS+ connections.

The following commands increase the timeout to 2 seconds (2000 ms):

conf sys global
    set ldapconntimeout 2000
end
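The following Python script, added here as an example and not part of the original article or any Fortinet tool, automates the check described above: it parses the RTT values from 'exe ping' output, compares the worst sample with the 500 ms connection timeout, and suggests an 'ldapconntimeout' value with headroom. The 2x headroom factor and the rounding to 100 ms are assumptions of this example; the article itself chose 2000 ms.

```python
import math
import re

# Constructed sample that mirrors the article's ping output (RTT ~577 ms).
SAMPLE_PING = """PING 192.168.1.5 (192.168.1.5): 56 data bytes
64 bytes from 192.168.1.5: icmp_seq=0 ttl=123 time=575.2 ms
64 bytes from 192.168.1.5: icmp_seq=1 ttl=123 time=576.8 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=123 time=581.3 ms

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 575.2/577.7/581.3 ms
"""

# FortiGate connection timeout for LDAP/TACACS+ servers, as stated in the article.
DEFAULT_CONN_TIMEOUT_MS = 500


def parse_rtts(ping_output):
    """Return the per-packet RTTs (ms) found in FortiGate 'exe ping' output."""
    return [float(m) for m in re.findall(r"time=([\d.]+) ms", ping_output)]


def recommend_ldapconntimeout(ping_output, timeout_ms=DEFAULT_CONN_TIMEOUT_MS,
                              headroom=2.0):
    """Decide whether the server fits inside the connection timeout.

    Returns a dict with 'fits', the worst RTT seen, and, when the server does
    not fit, a suggested ldapconntimeout (ms): headroom x worst RTT, rounded
    up to the next 100 ms. Headroom and rounding are assumptions of this example.
    """
    rtts = parse_rtts(ping_output)
    if not rtts:
        raise ValueError("no RTT samples found; server may be unreachable")
    worst = max(rtts)
    fits = worst < timeout_ms
    result = {"fits": fits, "worst_rtt_ms": worst, "recommended_ms": None}
    if not fits:
        result["recommended_ms"] = int(math.ceil(worst * headroom / 100.0) * 100)
    return result


def cli_snippet(timeout_ms):
    """Render the FortiGate CLI commands that apply the chosen timeout."""
    return "config system global\n    set ldapconntimeout %d\nend" % timeout_ms


if __name__ == "__main__":
    verdict = recommend_ldapconntimeout(SAMPLE_PING)
    print(verdict)
    if not verdict["fits"]:
        print(cli_snippet(verdict["recommended_ms"]))
```

Paste the real 'exe ping' output into SAMPLE_PING (or read it from a file) to check a different server; a server whose worst RTT is below 500 ms needs no change.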

Related articles:

Technical Tip: How to configure TACACS+ authentication and authorization in FortiGate

Technical Tip: Access using TACACS+ authentication with admin profile and group matching