Description
This article explains how the two-factor authentication token expiry timers interact with the SSL VPN remote authentication timeout, and why a token code can be rejected by SSL VPN even while the code itself is still valid.
Related link:
SSL VPN authentication
Scope
FortiGate.
Solution
When SSL VPN is configured with two-factor authentication (email, SMS or FortiToken), there are situations in which a token expiry longer than the default 60 seconds is required, for example when the email or SMS carrying the code is delivered slowly.
The expiry timers are configured per token type (ftk = FortiToken, ftm = FortiToken Mobile, sms = SMS, fac = FortiAuthenticator, email = email) under system global:
config system global
set two-factor-ftk-expiry <in s>
set two-factor-ftm-expiry <in s>
set two-factor-sms-expiry <in s>
set two-factor-fac-expiry <in s>
set two-factor-email-expiry <in s>
end
However, these timers govern only the token codes themselves: a code stays valid for as long as configured, but SSL VPN does not necessarily keep waiting for it for that whole period.
For SSL VPN to accept a code during the full token lifetime, the remote authentication timeout must be raised as well:
config system global
set remoteauthtimeout <1-300s>
end
The maximum configurable value is 300 seconds (five minutes).
SSL VPN waits at most remoteauthtimeout seconds, and therefore never more than five minutes, for a valid token code before it tears down the connection attempt, even if the code itself remains valid for longer. In practice, the window a user has to enter the code is the shorter of the token expiry and remoteauthtimeout, so a token expiry above 300 seconds buys nothing for SSL VPN logins.
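The following audit script is an added example and is not part of the Fortinet article. It parses the relevant lines of a `show full-configuration system global` dump (a constructed sample is embedded), reports every token type whose code outlives the time SSL VPN is willing to wait for it, and prints the CLI lines that align remoteauthtimeout with the longest token expiry, capped at the 300-second maximum. The default of 5 seconds used when remoteauthtimeout is absent from the dump is an assumption made by the script; the regular expression and function names are the example's own.

```python
"""Audit FortiGate two-factor expiry timers against remoteauthtimeout.

Added example; not code from the Fortinet article. Units are seconds,
as the article presents them.
"""
import re

REMOTEAUTHTIMEOUT_MAX = 300    # remoteauthtimeout accepts 1-300 seconds
REMOTEAUTHTIMEOUT_DEFAULT = 5  # assumed FortiOS default used when the line is absent

# Constructed sample of the relevant `config system global` lines.
SAMPLE_CONFIG = """\
config system global
    set remoteauthtimeout 60
    set two-factor-email-expiry 300
    set two-factor-fac-expiry 60
    set two-factor-ftk-expiry 60
    set two-factor-ftm-expiry 60
    set two-factor-sms-expiry 180
end
"""

# Matches `set <timer> <integer>` for the timers this audit cares about.
_SET_LINE = re.compile(
    r"^\s*set\s+(two-factor-\w+-expiry|remoteauthtimeout)\s+(\d+)\s*$", re.M
)


def parse_global(config_text):
    """Return {setting_name: seconds} for every matching `set` line."""
    return {name: int(value) for name, value in _SET_LINE.findall(config_text)}


def effective_wait(token_expiry, remoteauthtimeout):
    """Seconds a user really has to enter the code: the shorter of the two timers."""
    return min(token_expiry, remoteauthtimeout)


def audit(config_text):
    """Return (setting, token_expiry, effective_wait) for every token type whose
    code stays valid longer than SSL VPN waits for it."""
    cfg = parse_global(config_text)
    rat = cfg.get("remoteauthtimeout", REMOTEAUTHTIMEOUT_DEFAULT)
    findings = []
    for name, expiry in sorted(cfg.items()):
        if not name.startswith("two-factor-"):
            continue
        wait = effective_wait(expiry, rat)
        if wait < expiry:
            findings.append((name, expiry, wait))
    return findings


def recommended_remoteauthtimeout(config_text):
    """remoteauthtimeout value covering the longest token expiry, capped at 300."""
    cfg = parse_global(config_text)
    longest = max((v for k, v in cfg.items() if k.startswith("two-factor-")), default=0)
    return min(longest, REMOTEAUTHTIMEOUT_MAX)


def fix_cli(config_text):
    """CLI lines to apply, or [] if remoteauthtimeout already covers every token type."""
    cfg = parse_global(config_text)
    target = recommended_remoteauthtimeout(config_text)
    if cfg.get("remoteauthtimeout", REMOTEAUTHTIMEOUT_DEFAULT) >= target:
        return []
    return ["config system global", f"    set remoteauthtimeout {target}", "end"]


if __name__ == "__main__":
    for name, expiry, wait in audit(SAMPLE_CONFIG):
        print(f"{name}: code valid {expiry}s, but SSL VPN stops waiting after {wait}s")
    print("\n".join(fix_cli(SAMPLE_CONFIG)))
```

Running the sample reports the email (300 s) and SMS (180 s) timers as exceeding the 60-second remoteauthtimeout and proposes `set remoteauthtimeout 300`. If a token expiry is set above 300 seconds, the audit still flags it after the fix, because SSL VPN cannot be made to wait longer than the cap.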
Copyright 2024 Fortinet, Inc. All Rights Reserved.