Description
This article describes possible issues with SSL VPN and two-factor authentication expiry timers.
Related link:
SSL VPN authentication
Scope
FortiGate.
Solution
When SSL VPN is configured with two-factor authentications (email, SMS, FortiToken), under some circumstances a longer Token expiry can be required than the default 60 seconds.
Expiry timers can be configured as follows.
config system global
set two-factor-ftk-expiry <in s>
set two-factor-ftm-expiry <in s>
set two-factor-sms-expiry <in s>
set two-factor-fac-expiry <in s>
set two-factor-email-expiry <in s>
end
However, while these timers apply to the Tokens themselves (and the token codes will stay valid for as long as configured), SSL VPN does not necessarily accept it for the entire duration the tokens are valid.
To ensure SSL VPN accepts the Token, another timer needs to be configured:
config system global
set remoteauthtimeout <1-300s>
end
The maximum configurable timeout for this is five minutes.
SSL VPN waits a maximum of five minutes for a valid Token code to be provided before closing down the connection, even if the Token code is valid for longer.
Notes:
- The 'remoteauthtimeout' setting does not only show how long SSL VPN waits for the Token to be provided but also for other remote authentication, like authentication against LDAP, RADIUS, etc. That means an increased timer can lead to the FortiGate. The server is not reachable if the increased timer takes too long to lead the FortiGate.
- For v7.4.1+, If 2FA token expiry time > remote_auth_timeout * 10 + 30 sec, use 2FA token expiry time as the timeout for a user to enter the token.
- If 2FA token expiry time > remote_auth_timeout * 2 > 30 sec, use 2FA token expiry time as the timeout for FortiGate to verify the token entered by the user.
Related Article:
Troubleshooting Tip: SSL VPN and two-factor expiry timers
