FortiGate
lfrancelj
Staff
Article Id 189823
Description
Users intermittently fail to connect to SSL VPN with two-factor (2FA/MFA) authentication when the FortiGate authenticates them against a RADIUS server.

'Login failed' events appear in the event log, and messages similar to 'sslvpn_login_unknown_user' or 'Timeout for connection …' appear while running the following debug on the FortiGate:
# diag debug reset
# diag debug console timestamp enable
# diag debug app sslvpn -1
# diag debug app fnbamd -1
# diag debug enable

The issue occurs when the number of authentication requests sent by the SSL VPN service to the RADIUS server increases and the RADIUS server becomes slow to respond, so that its reply arrives after the FortiGate has already given up on the request.

This article describes how to avoid this issue.

Solution
The default remote authentication timeout is 5 seconds on most FortiGate models.

The authentication timeouts can be increased so that the FortiGate waits longer for the RADIUS server to answer an authentication request instead of failing the login.

Increase both timeouts with the following commands (values are in seconds; 30 is used here as an example):
# config system global
    set remoteauthtimeout 30
end

# config user radius
    edit <RADIUS Server>
        set timeout 30
    next
end
The right value for a given environment can be read from the timestamped debug output: compare the time at which fnbamd sends the request to the RADIUS server with the time at which the reply (or the timeout) arrives, and set the timeouts with some margin above the slowest observed response. Note that remoteauthtimeout is a global setting that applies to all remote authentication servers (RADIUS, LDAP and TACACS+), and that a longer timeout only tolerates slow RADIUS responses rather than fixing them; if the server is overloaded, the cause of the delay should also be investigated on the RADIUS side.
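The following script is an added example (not part of this article or of FortiOS) of turning the timestamped debug output into a timeout value. It pairs each "Sent radius req" line from fnbamd with the next result or timeout line for the same server, prints the latency of every request, counts the requests that hit the current timeout, and proposes a value for the two settings above. The sample debug lines embedded in it are constructed and only approximate the real fnbamd messages, which differ between FortiOS versions; the regular expressions, the 1.5 safety margin, the FIFO matching of requests to replies, and the server name RADIUS-1 are assumptions to adapt to your own output.

```python
"""Measure RADIUS response latency from timestamped FortiGate fnbamd debug output.

Added example, not FortiOS code. Run it with the captured debug output as the
first argument, or with no argument to process the constructed sample below.
"""
from __future__ import annotations

import math
import re
import sys
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample (not real output): three requests to one RADIUS server,
# captured while remoteauthtimeout and the server timeout were still 5 s.
SAMPLE_DEBUG = """\
2024-05-01 08:00:01 [1827] fnbamd_radius_auth_send-Sent radius req to server 'RADIUS-1': fd=16, IP=10.10.0.5(10.10.0.5:1812) code=1 id=101 len=148 user="alice" using PAP
2024-05-01 08:00:01 [1827] fnbamd_radius_auth_send-Sent radius req to server 'RADIUS-1': fd=16, IP=10.10.0.5(10.10.0.5:1812) code=1 id=102 len=150 user="bob" using PAP
2024-05-01 08:00:03 [1827] fnbamd_auth_handle_radius_result-Result for radius svr 'RADIUS-1' is 0
2024-05-01 08:00:08 [1827] fnbamd_auth_handle_radius_result-Result for radius svr 'RADIUS-1' is 0
2024-05-01 08:00:10 [1827] fnbamd_radius_auth_send-Sent radius req to server 'RADIUS-1': fd=16, IP=10.10.0.5(10.10.0.5:1812) code=1 id=103 len=149 user="carol" using PAP
2024-05-01 08:00:15 [1827] fnbamd_radius_auth_timeout-Timeout for connection 'RADIUS-1'
"""

# Timestamp prefix produced by 'diag debug console timestamp enable'.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
# Message wording is approximate and varies by firmware; adjust to your output.
SENT_RE = re.compile(TS + r" .*Sent radius req to server '(?P<server>[^']+)':.* id=(?P<id>\d+) .*user=\"(?P<user>[^\"]*)\"")
RESULT_RE = re.compile(TS + r" .*Result for radius svr '(?P<server>[^']+)'")
TIMEOUT_RE = re.compile(TS + r" .*Timeout for connection '(?P<server>[^']+)'")


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


@dataclass
class AuthRequest:
    server: str
    user: str
    req_id: int
    sent: datetime
    finished: Optional[datetime] = None
    timed_out: bool = False

    @property
    def latency(self) -> Optional[float]:
        """Seconds until the server answered; None if unanswered or timed out."""
        if self.finished is None or self.timed_out:
            return None
        return (self.finished - self.sent).total_seconds()


def parse_debug(text: str) -> list[AuthRequest]:
    """Pair each 'Sent radius req' with the next result/timeout for that server.

    Assumption: fnbamd completes requests to one server in the order it sent
    them (FIFO). If your firmware logs the packet id on the result line as
    well, match on that instead for heavily loaded captures.
    """
    pending: dict[str, deque[AuthRequest]] = defaultdict(deque)
    seen: list[AuthRequest] = []
    for line in text.splitlines():
        if m := SENT_RE.search(line):
            req = AuthRequest(m["server"], m["user"], int(m["id"]), _ts(m["ts"]))
            pending[m["server"]].append(req)
            seen.append(req)
            continue
        timed_out = False
        m = RESULT_RE.search(line)
        if m is None:
            m = TIMEOUT_RE.search(line)
            timed_out = True
        if m is None or not pending[m["server"]]:
            continue  # unrelated line, or a reply whose request fell outside the capture
        req = pending[m["server"]].popleft()
        req.finished = _ts(m["ts"])
        req.timed_out = timed_out
    return seen


def summarize(requests: list[AuthRequest], current_timeout: int = 5,
              margin: float = 1.5, cli_max: int = 300) -> dict:
    """Slowest answered request, timeout count, and a timeout value to configure.

    The recommendation is the slowest observed latency times a safety margin.
    A timed-out request has unknown latency, so when any exist the basis is at
    least the current timeout. The result is capped at the 300 s CLI maximum.
    """
    latencies = [r.latency for r in requests if r.latency is not None]
    timeouts = sum(1 for r in requests if r.timed_out)
    slowest = max(latencies, default=0.0)
    basis = max(slowest, current_timeout) if timeouts else slowest
    recommended = min(cli_max, max(current_timeout, math.ceil(basis * margin)))
    return {"answered": len(latencies), "slowest_s": slowest,
            "timeouts": timeouts, "recommended_timeout": recommended}


def render_cli(server: str, timeout: int) -> str:
    """The two FortiOS settings from the article, filled in with the chosen value."""
    return (f"config system global\n    set remoteauthtimeout {timeout}\nend\n"
            f"config user radius\n    edit \"{server}\"\n        set timeout {timeout}\n    next\nend\n")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBUG
    reqs = parse_debug(text)
    for r in reqs:
        state = "TIMEOUT" if r.timed_out else f"{r.latency:.1f} s"
        print(f"{r.sent:%H:%M:%S} {r.server:10} id={r.req_id} user={r.user:8} {state}")
    summary = summarize(reqs)
    print(summary)
    if reqs:
        print(render_cli(reqs[0].server, summary["recommended_timeout"]))
```

On the constructed sample the two answered requests took 2 s and 7 s and the third hit the 5 s default, so the script proposes 11 s; against a real capture the proposal is only as good as the time window captured, so run the debug during the busy period in which logins fail.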

Related links:

https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/1620/system-global


https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/403620/user-radius

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/551553/ssl-vpn-with-radius-and-fortitoke...

https://docs.fortinet.com/document/fortigate/6.2.0/azure-cookbook/517582/configuring-forticlient-vpn...

Related Articles

Technical Tip: Explanation of auth-timeout types for Firewall authentication users
