Forticlient with Microsoft Authenticator

Author
PBANZ
2020/11/30 18:55:24 (permalink)

I tested the full version of Forticlient connect before login with Microsoft Authenticator as the second factor auth.
I found that in this scenario, in all versions of the client from 6.0.x up, the auth just times out. I had another rule that allowed the user without 2FA, and if I did a deny on the prompt it doesn't deny the user; the login times out and moves to the next rule.
This is only with connect before login.

Has anyone else encountered this? Anyone found a way to solve it?
Note: we are not running EMS so can't log with TAC.
 
#1


    isamt
    Re: Forticlient with Microsoft Authenticator 2020/12/04 04:17:01 (permalink)
    I have set up and tested using the NPS extension with the following documentation:
     
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn#install-and-configure-the-nps-extension
     
    Works fine for me
     
    Not sure if you have set it up in the same way.
    #2
    PBANZ
    Re: Forticlient with Microsoft Authenticator 2020/12/06 12:54:21 (permalink)
    Yes, set up the same. Are you using a code number from the app or responding to the approve prompt? The customer is using the approve/deny prompt in Authenticator. The specific scenario with connect before login and the Authenticator prompt is failing.
    #3
    isamt
    Re: Forticlient with Microsoft Authenticator 2020/12/07 09:12:28 (permalink)
    Yes, we are using the approve/deny prompt method.
     
    If your Fortigate is not in the same site as the on-prem NPS server, then you will need to increase the default time-out for the RADIUS authentication.
     
    On the Fortigate enter commands:
     
    config user radius
        edit "radius_server_name"
            set timeout 30
        next
    end
     
    Default time-out is 5 secs. I found 30 worked for me.
    Latency between Fortigate and NPS server is 18 ms.
     
    You can test the authentication directly from the Fortigate:
     
    diagnose test authserver radius radius_server_name pap userid user_password
     
     
    #4
    Admin_FTNT
    Re: Forticlient with Microsoft Authenticator 2020/12/08 00:22:40 (permalink)
    From PBANZ:
     
    Timers were adjusted, and auth works fine once a user is logged into the laptop. It is only if they connect the VPN before they log in that the issue occurs.
    Only discovered as there was a test rule after that allowed the user without MFA and the user was in both security groups.
    They would deny the connection for testing and still be permitted.
    #5
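
An added example, not part of the thread and not Fortinet code: a small Python model of the fall-through reported in post #5, used to audit a rule list for users who sit in both an MFA group and a later no-MFA group. The rule, group and user names are constructed, and the top-down "skip the rule when authentication does not succeed" evaluation is an assumption taken from the behaviour described above, not from FortiGate internals.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str    # hypothetical rule name
    group: str   # user group the rule matches on
    mfa: bool    # True if the group authenticates via the RADIUS/NPS MFA path


# Constructed sample data mirroring the thread: a test rule without MFA
# placed after the MFA rule, and one user who is in both groups.
GROUPS = {
    "vpn-mfa": {"alice", "bob", "carol"},
    "vpn-test-nomfa": {"bob", "dave"},
}
RULES = [
    Rule("vpn-with-mfa", "vpn-mfa", mfa=True),
    Rule("vpn-test", "vpn-test-nomfa", mfa=False),
]


def evaluate(user, rules, groups, mfa_result):
    """Return the name of the rule that admits `user`, or None.

    mfa_result is the outcome of the push prompt: 'approve', 'deny' or
    'timeout'. Assumed model: a failed MFA rule is skipped, not terminal.
    """
    for rule in rules:
        if user not in groups.get(rule.group, set()):
            continue
        if not rule.mfa or mfa_result == "approve":
            return rule.name
        # deny or timeout on an MFA rule: evaluation moves to the next rule
    return None


def mfa_bypass_paths(rules, groups):
    """List (user, mfa_rule, later_rule) where a later no-MFA rule admits
    a user who is also covered by an earlier MFA rule."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.mfa:
            continue
        for later in rules[i + 1:]:
            if later.mfa:
                continue
            overlap = groups.get(rule.group, set()) & groups.get(later.group, set())
            findings.extend((u, rule.name, later.name) for u in sorted(overlap))
    return findings
```

Any finding returned by `mfa_bypass_paths` is a user for whom a denied or timed-out prompt still ends in an allowed session under this model; removing the overlap or the later rule clears it.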