Tuesday, 10 June 2014

FortiWeb RADIUS authentication login failing

I'm currently rebuilding my FortiWeb VM in the lab and started the configuration from scratch.

One of the config steps I have for all my devices is to use RADIUS for the user authentication. For some reason though when I test the RADIUS server it keeps on giving me a timeout error.


Looking at my FortiAuthenticator I can see the request has come through and been authenticated correctly.


So what's going on here?

A quick packet sniffer shows me that the Authenticator has sent back a successful RADIUS auth packet back to the FortiWeb (line 5).


The problem lies with the time between the authentication request packet, and the authentication accept reply.

Line 1 shows us the first authentication request going from the FortiWeb to the FortiAuthenticator, the matching authentication accept packet is then received on line 5.

Notice how line 5 has the time of 3.02 seconds? It's taken my FortiAuthenticator 3 seconds to respond to this packet (it's running on a VM hosted on an Commodore 64...).

Now the default authentication time-out of the FortiWeb is set at 2 seconds. You can see this by using the following commands:

config system global
get



All we have to do now is increase the time-out option to something that my Cretaceous period rig can handle. I've decided to go with 5 seconds which can be configured with the following (remember it's in milliseconds):

config system global
set auth-timeout 5000
end

I test again on the RADIUS server check and it's now working!

1 comment:

GB said...

Thank you! This has solved my issue. I had the FortiWeb all configured for RADIUS authentication but could not authenticate with a RADIUS user untill I changed the auth-timeout to 5000. Nice work!