Tuesday 10 June 2014

FortiWeb RADIUS authentication login failing

I'm currently rebuilding my FortiWeb VM in the lab and started the configuration from scratch.

One of the config steps I have for all my devices is to use RADIUS for the user authentication. For some reason though when I test the RADIUS server it keeps on giving me a timeout error.


Looking at my FortiAuthenticator I can see the request has come through and been authenticated correctly.


So what's going on here?

A quick packet sniffer shows me that the Authenticator has sent a successful RADIUS auth packet back to the FortiWeb (line 5).


The problem lies with the time between the authentication request packet, and the authentication accept reply.

Line 1 shows us the first authentication request going from the FortiWeb to the FortiAuthenticator; the matching authentication accept packet is then received on line 5.

Notice how line 5 has the time of 3.02 seconds? It's taken my FortiAuthenticator 3 seconds to respond to this packet (it's running on a VM hosted on a Commodore 64...).

Now the default authentication time-out of the FortiWeb is set at 2 seconds. You can see this by using the following commands:

config system global
get



All we have to do now is increase the time-out option to something that my Cretaceous period rig can handle. I've decided to go with 5 seconds which can be configured with the following (remember it's in milliseconds):

config system global
set auth-timeout 5000
end

I test again on the RADIUS server check and it's now working!
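To run the same check over a capture instead of reading timestamps by eye, here is an added example (not part of the original post) that matches RADIUS replies to requests by identifier and reports any reply that arrived after the client's auth-timeout. The addresses, the identifier and the retransmitted request in the sample are constructed assumptions; only the 3.02 second reply time and the 2000/5000 ms timeouts come from the post.

```python
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def parse_header(payload: bytes):
    """Return (code, identifier) from a RADIUS UDP payload, or None if malformed."""
    if len(payload) < 20:                      # header alone is 20 bytes
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):   # length field must fit the datagram
        return None
    return code, ident

def late_replies(capture, timeout_ms):
    """capture: iterable of (seconds, src, dst, udp_payload).
    Pair each reply with the first request carrying the same identifier between
    the same two hosts; return (identifier, latency_ms) for late replies."""
    first_seen, late = {}, []
    for ts, src, dst, payload in capture:
        hdr = parse_header(payload)
        if hdr is None:
            continue
        code, ident = hdr
        if code == ACCESS_REQUEST:
            # A retransmission reuses the identifier; keep the first timestamp.
            first_seen.setdefault((src, dst, ident), ts)
        elif code in (ACCESS_ACCEPT, ACCESS_REJECT):
            start = first_seen.pop((dst, src, ident), None)
            if start is not None:
                latency = round((ts - start) * 1000)
                if latency > timeout_ms:
                    late.append((ident, latency))
    return late

def _pkt(code, ident):
    # Minimal 20-byte RADIUS packet: header plus zeroed authenticator, no attributes.
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed sample capture (documentation addresses, hypothetical identifier 7).
FWB, FAC = "192.0.2.10", "192.0.2.20"
SAMPLE = [(0.00, FWB, FAC, _pkt(ACCESS_REQUEST, 7)),
          (2.00, FWB, FAC, _pkt(ACCESS_REQUEST, 7)),   # assumed retransmit
          (3.02, FAC, FWB, _pkt(ACCESS_ACCEPT, 7))]

if __name__ == "__main__":
    for timeout in (2000, 5000):
        print(timeout, late_replies(SAMPLE, timeout))
```

With the 2000 ms default the accept is flagged as late by about a second; at 5000 ms nothing is reported.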

1 comment:

GB said...

Thank you! This has solved my issue. I had the FortiWeb all configured for RADIUS authentication but could not authenticate with a RADIUS user until I changed the auth-timeout to 5000. Nice work!