
IvK
2020/12/01 05:51:21

saml Azure AD - ssl-vpn - forticlient time out

Hello,
 
I have configured our Fortigate to authenticate our ssl-vpn users with Azure AD. I've configured the enterprise app within Azure AD and configured the SAML user within the Fortigate.
 
I have no issues when I login the web-mode.
 
However, when I try to connect with the FortiClient I receive a blank screen after passing the authentication. After a while I receive the following error: "Login page did not respond within time limit." The second time I press SAML Authentication the FortiClient connects within seconds.
 
I reckon one of the URLs might be different for tunnel mode / web mode. Did anyone manage to find a solution for this issue?


#1
useradmn
2020/12/16 19:54:06
I've got the same issue and Fortinet seems to think it is Microsoft not responding. I don't think so, because the logs on Microsoft's side show where the response is sent. I think Fortinet has some work to do on their end.
 
I also get hit/miss activity when Azure users try to authenticate after doing MFA. Of course, Fortinet points the finger at Microsoft, but Microsoft has shown proof of response. I'm thinking the Forticlient needs to be fixed. 
#2
IvK
2020/12/17 00:54:01
I forgot to mention that I resolved the issue.
 
I changed the following setting on the Fortigate:
 
config system global
set remoteauthtimeout 60
end
 
After that I could connect with the FortiClient.
#3
NeilG
2021/01/22 15:12:01
You can get FortiGate to use Azure AD (not Azure AD Domain Services) as auth provider with just the FortiGate on-premise? No FortiAuthenticator or EMS or ....?
 
Does this just come as part of setting up SD-WAN to Azure?
#4
IvK
2021/01/22 16:45:28
You are correct. Just Azure AD, nothing else. Azure AD is an identity provider. Just make sure your FortiGate firmware is above 6.4.X.
 
I've written a blog post about it:
 
Ivo-Security - Fortigate and Azure AD: Safe remote access (ivo-security.blog)
 
I've also written a blog about the Azure-AD Dynamic Groups in combination with Fortigate:
 
Ivo-Security - Fortigate policy’s based on Azure Dynamic Groups (ivo-security.blog)
#5
NeilG
2021/01/22 17:40:52
WOOT!! I know what blog I will be reading (and what lab I will be setting up for testing) next week!!!
 
(Last time I looked at this it seemed to require LDAP which only was available through domain services or assumed a local domain controller with Azure AD connect or ADFS or something else keeping local Domain <-> AzureAD synced)
 
Thanks!
 
#6
IvK
2021/01/24 11:05:04
NeilG
WOOT!! I know what blog I will be reading (and what lab I will be setting up for testing) next week!!!
 
(Last time I looked at this it seemed to require LDAP which only was available through domain services or assumed a local domain controller with Azure AD connect or ADFS or something else keeping local Domain <-> AzureAD synced)
 
Thanks!
 


Let me know if you need some help!
 
Good luck!
#7
CGNA
2021/05/27 09:32:37
Hi IvK,
 
I have the same setup with Azure AD for SAML. Everything is working correctly with the exception of the first connection of the day, where it gets stuck at 98%. Have you seen this issue before? Fortinet Support asked me to give them some diagnostic output but that will take a while (first attempt this morning, but I forgot to toggle PuTTY to output it all and missed the capture :))
 
If I leave it there for about 10 minutes, it will connect. Or if I disconnect and reconnect, it will finish the connection.
 
Support thinks it may be caused by Azure AD, because when I shut down my laptop I didn't hit disconnect on the VPN and it may hold the session with Azure AD (doesn't make sense here).
 
Let me know what you think on this. Thanks.
 
#8
IvK
2021/05/30 09:51:50
CGNA
Hi IvK,
 
I have the same setup with Azure AD for SAML. Everything is working correctly with the exception of the first connection of the day, where it gets stuck at 98%. Have you seen this issue before? Fortinet Support asked me to give them some diagnostic output but that will take a while (first attempt this morning, but I forgot to toggle PuTTY to output it all and missed the capture :))
 
If I leave it there for about 10 minutes, it will connect. Or if I disconnect and reconnect, it will finish the connection.
 
Support thinks it may be caused by Azure AD, because when I shut down my laptop I didn't hit disconnect on the VPN and it may hold the session with Azure AD (doesn't make sense here).
 
Let me know what you think on this. Thanks.
 
It sounds familiar. I reckon you don't have the same issue in web mode. Does getting stuck at 98% only happen when you use tunnel-mode VPN?
#9
lawrence110
2021/09/29 00:18:04
Hi,
I'm trying to set up ADFS as the SAML IdP for FortiGate SSL VPN and see a similar timeout problem to this thread.
Can anyone please give me some comments on how to resolve it?
 
All the settings in my environment should be done and I can complete the auth process on the ADFS web page. But after the auth, the page is stuck.
I checked the logs from the CLI and see the log below:
 

[237:root:b]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[237:root:b]got SNI server name: vpn.xxx.com realm (null)
[237:root:b]client cert requirement: no
[237:root:b]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:SSLv3/TLS write change cipher spec (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx)
[237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[237:root:b]got SNI server name: vpn.xxx.com realm (null)
[237:root:b]client cert requirement: no
[237:root:b]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:TLSv1.3 write encrypted extensions (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:TLSv1.3 write server certificate verify (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:SSLv3/TLS write finished (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx)
[237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:SSLv3/TLS read finished (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx)
[237:root:b]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx)
[237:root:b]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[237:root:b]req: /remote/info
[237:root:b]capability flags: 0xdf
[231:root:c]allocSSLConn:297 sconn 0x7f74cdfe00 (0:root)
[232:root:c]allocSSLConn:297 sconn 0x7f74cdfe00 (0:root)
[231:root:c]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[232:root:c][231:root:c]got SNI server name: vpn.xxx.com realm (null)
SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
client cert requirement: no
[231:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[232:root:c][231:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
got SNI server name: vpn.xxx.com realm (null)
[231:root:c]SSL state:SSLv3/TLS write change cipher spec (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[232:root:c][231:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx)
client cert requirement: no
[232:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:SSLv3/TLS write change cipher spec (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx)
[231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[231:root:c]got SNI server name: vpn.xxx.com realm (null)
[231:root:c]client cert requirement: no
[231:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[232:root:c]got SNI server name: vpn.xxx.com realm (null)
[232:root:c]client cert requirement: no
[232:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:TLSv1.3 write encrypted extensions (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:TLSv1.3 write encrypted extensions (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx)
[231:root:c][232:root:c]SSL state:TLSv1.3 write server certificate verify (xxx.xxx.xxx.xxx)
SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:SSLv3/TLS write finished (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx)
[232:root:c]SSL state:TLSv1.3 write server certificate verify (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:SSLv3/TLS write finished (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx)
[231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:SSLv3/TLS read finished (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx)
[231:root:c]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx)
[231:root:c]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[231:root:c]req: /remote/saml/start?redirect=1
[231:root:c]rmt_web_auth_info_parser_common:468 no session id in auth info
[231:root:c]rmt_web_get_access_cache:820 invalid cache, ret=4103
[231:root:c]fsv_rmt_saml_start_cb:227 FCT redirects to external browser.
[231:root:c]sslvpn_auth_check_usrgroup:2635 forming user/group list from policy.
[232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx)
[232:root:c]SSL state:SSLv3/TLS read finished (xxx.xxx.xxx.xxx)
[231:root:c]sslvpn_auth_check_usrgroup:2673 got user (1) group (1:0).
[231:root:c]sslvpn_validate_user_group_list:1825 validating with SSL VPN authentication rules (1), realm ((null)).
[231:root:c]sslvpn_validate_user_group_list:1906 checking rule 1 cipher.
[231:root:c]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx)
[231:root:c]sslvpn_validate_user_group_list:1925 checking rule 1 source intf.
[231:root:c]sslvpn_validate_user_group_list:1964 checking rule 1 vd source intf.
[231:root:c]sslvpn_validate_user_group_list:2210 rule 1 done, got user (1:0) group (1:0) peer group (0).
[231:root:c]sslvpn_validate_user_group_list:2538 got user (1:0), group (1:0) peer group (0).
[231:root:c]sslvpn_update_user_group_list:1771 got user (1:0), group (1:0), peer group (0) after update.
[232:root:c][231:root:c][fsv_found_saml_server_name_from_auth_lst:121] Found SAML server [adfs] in group [saml_sslvpn]
SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx)
[232:root:c]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[231:root:c]req: /remote/saml/login/
[237:root:b]Timeout for connection 0x7f74cdfe00.
[237:root:b]Destroy sconn 0x7f74cdfe00, connSize=0. (root)
[232:root:c]Timeout for connection 0x7f74cdfe00.
[232:root:c]Destroy sconn 0x7f74cdfe00, connSize=0. (root)
#10
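As an added example (not code from this thread or from Fortinet), the script below parses sslvpn debug output of the form quoted above into per-worker event sequences and reports which workers hit "Timeout for connection" and what the last request served on that worker was. The sample lines are constructed from the quoted output and shortened; the [pid:vdom:x] tags are treated as opaque worker identifiers. One detail it handles: because several workers write concurrently, a line can carry two tags with only the last tag's message, and the other tag's message follows on an untagged line (see the `[232:root:c][231:root:c]got SNI server name` line above).

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the debug output quoted in this thread (shortened); not a real capture.
SAMPLE_LOG = """\
[237:root:b]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[237:root:b]req: /remote/info
[231:root:c]allocSSLConn:297 sconn 0x7f74cdfe00 (0:root)
[232:root:c]allocSSLConn:297 sconn 0x7f74cdfe00 (0:root)
[232:root:c][231:root:c]got SNI server name: vpn.xxx.com realm (null)
SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[231:root:c]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[231:root:c]req: /remote/saml/start?redirect=1
[231:root:c]fsv_rmt_saml_start_cb:227 FCT redirects to external browser.
[232:root:c]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[231:root:c]req: /remote/saml/login/
[237:root:b]Timeout for connection 0x7f74cdfe00.
[237:root:b]Destroy sconn 0x7f74cdfe00, connSize=0. (root)
[232:root:c]Timeout for connection 0x7f74cdfe00.
[232:root:c]Destroy sconn 0x7f74cdfe00, connSize=0. (root)
"""

# A worker tag as it appears at the start of a line: [pid:vdom:x]
TAG_RE = re.compile(r"\[(\d+):([^:\]]+):([^\]]+)\]")


def parse_lines(text):
    """Yield (worker_tag, message) pairs from interleaved debug output.

    When a line starts with more than one tag, only the last tag's message is on
    that line; the earlier tags were interrupted mid-write and their messages
    appear on the following untagged line(s). Those stray lines are attributed
    to the tags still waiting for a message, in order.
    """
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tags = TAG_RE.findall(line)
        if not tags:
            yield (pending.pop(0) if pending else "?"), line
            continue
        keys = [":".join(t) for t in tags]
        pending.extend(keys[:-1])          # tags left without a message on this line
        yield keys[-1], TAG_RE.sub("", line).strip()


def summarise(text):
    """Per worker: requests served, whether TLS was established, whether it timed out."""
    conns = OrderedDict()
    for tag, msg in parse_lines(text):
        c = conns.setdefault(tag, {"requests": [], "established": False, "timeout": False})
        if msg.startswith("SSL established"):
            c["established"] = True
        elif msg.startswith("req: "):
            c["requests"].append(msg[len("req: "):])
        elif msg.startswith("Timeout for connection"):
            c["timeout"] = True
    return conns


def timed_out_after(text):
    """Map each worker that timed out to the last request it served (None if it served none)."""
    return {tag: (c["requests"][-1] if c["requests"] else None)
            for tag, c in summarise(text).items() if c["timeout"]}


if __name__ == "__main__":
    for tag, c in summarise(SAMPLE_LOG).items():
        state = "established" if c["established"] else "not established"
        flag = " TIMEOUT" if c["timeout"] else ""
        print("%-12s %-16s %s%s" % (tag, state, c["requests"], flag))
    print("timed out after:", timed_out_after(SAMPLE_LOG))
```

On the sample this shows that the worker which served /remote/info timed out, a second worker completed the TLS handshake but never served a request before timing out, and the SAML start/login requests ran on a third worker; the same grouping applied to a full `diagnose debug application sslvpn -1` capture makes it much easier to see which leg of the FortiClient exchange is the one waiting.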
IvK
2021/10/02 17:20:40
Hi,
 
Change the RADIUS timeout: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48279
I wouldn't put too much effort into the ADFS configuration. Or do you have a completely on-prem environment?
 
I see a lot of organizations struggling with ADFS in combination with Azure AD. If possible, try to get rid of the ADFS servers. At least that is the advice Microsoft is giving.
#11
lawrence110
2021/10/04 18:22:45
Thanks for the information.
I also want to simply use Azure AD, but ADFS with on-premise AD is forced by company regulation. I need to make ADFS work with FortiClient.
I checked the FortiClient log in more detail and found the error is
__samld_sp_login_resp [914]: Invalid assertion
 
I checked the content of the SAML XML and don't know what the error is.
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8faeb136-9501-4759-95e2-40b55faa629a" IssueInstant="2021-10-05T01:15:00.256Z" Version="2.0">
<Issuer> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_8faeb136-9501-4759-95e2-40b55faa629a"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>1NabFEF7RWRhF8p5omnDVyfXJg4=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>uz0KRWwr23D3SikurnzGHojM/pBL9064OI9RWY+ENKklr2s68AdSKOxtRO2WV9UgJ5jJaVWrZBEzf43Fe6N7vQc9FTu9jsUk21Oj5dF69iQ7zrlKysHUU6nLXwzLjp3+TDNIUUknkIRrGrZIU9UkiM71Em2GCISCZzTUOYRTe5ObGNsTuHxrA2jfg52Ui1QPCbkowq+g4az6PRiGSGkw9GTEysvFhcdmf6PVzQ1LZeDV1muCdZ8N5hhUBj+A+l/8Bx1RvXdMkBT5d+2CRX8Z2zH5s3Jf9Ts2H1hyF+u6gT3JJELPCQbpV6PQ5l2ouM2rliOiyElyfqeBxNpkrS6Xgg==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIC3k3*kk3nz9c3llkas73kKOA*...*kk3nz9c3llkas73kKOA*3k8SK8jFMRyoqhuYZuqxrmmCYG6pCLmebQOCPedPmaFV1CR2QzKD3STTMk3*kk3nz9c3llkas73kKOA*3k8SK8K4h39UJShKsZcamlnL7QZornEDyZrj2h1exQ==</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature>
<Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">contoso/user.name</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_C1A6A8F6DF62C06D9A79BA0354272FE1" NotOnOrAfter="2021-10-05T01:20:00.256Z" Recipient="https://vpn.contoso.com:10443/remote/saml/login&#10;"/></SubjectConfirmation></Subject>
<Conditions NotBefore="2021-10-05T01:15:00.256Z" NotOnOrAfter="2021-10-05T02:15:00.256Z"><AudienceRestriction><Audience> AuthnInstant="2021-10-05T01:12:13.351Z" SessionIndex="_8faeb136-9501-4759-95e2-40b55faa629a"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement>
</Assertion>


post edited by lawrence110 - 2021/10/04 23:08:16
#12
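As an added example (not code from this thread or from Fortinet), the checker below runs the conditions a SAML 2.0 service provider validates on a bearer assertion before accepting a login: Recipient against its ACS URL, InResponseTo against the outstanding request ID, the SubjectConfirmationData and Conditions time windows, and the Audience, plus a note when the signature method is SHA-1. It does not verify the XML signature. The embedded assertion is constructed to mirror the one quoted above with the signature body left out; the Issuer and Audience values and the expected SP values are placeholders. The Recipient keeps the trailing line feed (the `&#10;` visible in the quoted assertion), and a strict comparison flags it. Whether that is what FortiClient rejects cannot be told from the thread, but it is worth comparing with the ACS URL configured on the ADFS relying party.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA1_SIGNATURE_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                       "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}

# Constructed assertion modelled on the one quoted in the thread (signature body omitted).
# Issuer and Audience are placeholders; the Recipient keeps the trailing &#10; seen above.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id" IssueInstant="2021-10-05T01:15:00.256Z" Version="2.0">
  <Issuer>http://adfs.contoso.example/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">contoso/user.name</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="_C1A6A8F6DF62C06D9A79BA0354272FE1" NotOnOrAfter="2021-10-05T01:20:00.256Z" Recipient="https://vpn.contoso.com:10443/remote/saml/login&#10;"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2021-10-05T01:15:00.256Z" NotOnOrAfter="2021-10-05T02:15:00.256Z">
    <AudienceRestriction><Audience>https://vpn.contoso.com:10443/remote/saml/metadata/</Audience></AudienceRestriction>
  </Conditions>
</Assertion>"""

# What the SP (the FortiGate in this thread) expects; placeholder values for the example.
EXPECTED_RECIPIENT = "https://vpn.contoso.com:10443/remote/saml/login"
EXPECTED_AUDIENCE = "https://vpn.contoso.com:10443/remote/saml/metadata/"
EXPECTED_REQUEST_ID = "_C1A6A8F6DF62C06D9A79BA0354272FE1"
EXAMPLE_NOW = datetime(2021, 10, 5, 1, 16, tzinfo=timezone.utc)  # inside the validity window


def parse_saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    value = value.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised SAML timestamp: %r" % value)


def check_assertion(xml_text, expected_recipient, expected_audience, expected_request_id, now):
    """Return a list of findings; an empty list means every checked condition held."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not a SAML 2.0 Assertion"]

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("no SubjectConfirmationData (bearer confirmation cannot be checked)")
    else:
        recipient = scd.get("Recipient", "")
        if recipient != expected_recipient:
            hint = " (differs only by surrounding whitespace)" if recipient.strip() == expected_recipient else ""
            findings.append("Recipient %r does not match ACS URL %r%s" % (recipient, expected_recipient, hint))
        if scd.get("InResponseTo") != expected_request_id:
            findings.append("InResponseTo %r does not match the pending request %r"
                            % (scd.get("InResponseTo"), expected_request_id))
        if "NotOnOrAfter" in scd.attrib and now >= parse_saml_time(scd.get("NotOnOrAfter")):
            findings.append("SubjectConfirmationData expired (NotOnOrAfter %s)" % scd.get("NotOnOrAfter"))

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element")
    else:
        if "NotBefore" in cond.attrib and now < parse_saml_time(cond.get("NotBefore")):
            findings.append("assertion not yet valid (NotBefore %s; check clock skew)" % cond.get("NotBefore"))
        if "NotOnOrAfter" in cond.attrib and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (Conditions NotOnOrAfter %s)" % cond.get("NotOnOrAfter"))
        audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            findings.append("Audience %r does not include SP entity ID %r" % (audiences, expected_audience))

    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is None:
        findings.append("assertion carries no XML signature")
    elif sig_method.get("Algorithm") in SHA1_SIGNATURE_ALGS:
        findings.append("signature uses SHA-1 (%s); prefer an RSA-SHA256 signature" % sig_method.get("Algorithm"))
    return findings


def run_example():
    return check_assertion(SAMPLE_ASSERTION, EXPECTED_RECIPIENT, EXPECTED_AUDIENCE,
                           EXPECTED_REQUEST_ID, EXAMPLE_NOW)


if __name__ == "__main__":
    for finding in run_example():
        print("-", finding)
```

Run against the sample it reports two findings: the Recipient differs from the ACS URL only by trailing whitespace, and the signature method is rsa-sha1. Removing the `&#10;` from the sample leaves only the SHA-1 note, and moving `now` past 02:15Z adds the two expiry findings, which is the case to keep in mind when clocks on the IdP and the FortiGate drift.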
IvK
2021/10/06 01:50:46
I assume the company regulation dictates a form of safe authentication with SSO capabilities.
 
Maybe at the time it was written ADFS was the best option. But times change, so if you can indicate that you can fulfil the same functional requirements with less overhead/maintenance/SPOF/cost by using Azure AD, the regulation can be changed.
Although it may seem a technical problem, it's more an IT strategy choice.
 
I don't have the time to look into the error right now. Although it might work, I think Fortinet will advise you to use a FortiAuthenticator with EMS.
#13
lawrence110
2021/10/06 18:41:21
Hi IvK,
Thanks for your comments. You're right. The company's regulation will be the bottleneck for long-term maintenance of ADFS. Moving to Azure AD is our plan, but it takes time. I still need to make the current ADFS work with FortiGate VPN. I've also contacted FortiGate technical support for help. Hope it can solve my problem.
#14