Two factor authentication not working with Fortigate

Howtos
,
1

hi
please help me config 2fa on Fortigate

  1. set up privateidea on ubuntu 18.04. according to instructions.
  2. created realm and ldapresolver, configured fortigate version 6.4.8
  3. on fortigate created a group and set up a connection to the radius server
  4. created a token token and tied it to a test user

the problem is that on the forticlient it does not request a pin from the google authenticator and

connects to the ssl-vpn
tell me please what’s wrong, maybe something needs to be adjusted

LOG from radius
(12) Received Access-Request Id 236 from 10.10.11.4:12305 to 10.70.8.253:1812 length 120
(12) NAS-Identifier = “magnum”
(12) User-Name = “2fa_test”
(12) User-Password = “Aa123456”
(12) Framed-IP-Address = 176.64.30.212
(12) NAS-Port = 8
(12) NAS-Port-Type = Virtual
(12) Calling-Station-Id = “176.64.30.212”
(12) Acct-Session-Id = “60fee9a7”
(12) Connect-Info = “vpn-ssl”
(12) Fortinet-Vdom-Name = “root”
(12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(12) authorize {
(12) update request {
(12) EXPAND %{Packet-Src-IP-Address}
(12) → 10.10.11.4
(12) Packet-Src-IP-Address = 10.10.11.4
(12) } # update request = noop
(12) perl-privacyidea: $RAD_REQUEST{‘User-Name’} = &request:User-Name → ‘2fa_test’
(12) perl-privacyidea: $RAD_REQUEST{‘User-Password’} = &request:User-Password → ‘Aa123456’
(12) perl-privacyidea: $RAD_REQUEST{‘NAS-Port’} = &request:NAS-Port → ‘8’
(12) perl-privacyidea: $RAD_REQUEST{‘Framed-IP-Address’} = &request:Framed-IP-Address → ‘176.64.30.212’
(12) perl-privacyidea: $RAD_REQUEST{‘Calling-Station-Id’} = &request:Calling-Station-Id → ‘176.64.30.212’
(12) perl-privacyidea: $RAD_REQUEST{‘NAS-Identifier’} = &request:NAS-Identifier → ‘magnum’
(12) perl-privacyidea: $RAD_REQUEST{‘NAS-Port-Type’} = &request:NAS-Port-Type → ‘Virtual’
(12) perl-privacyidea: $RAD_REQUEST{‘Acct-Session-Id’} = &request:Acct-Session-Id → ‘60fee9a7’
(12) perl-privacyidea: $RAD_REQUEST{‘Connect-Info’} = &request:Connect-Info → ‘vpn-ssl’
(12) perl-privacyidea: $RAD_REQUEST{‘Fortinet-Vdom-Name’} = &request:Fortinet-Vdom-Name → ‘root’
(12) perl-privacyidea: $RAD_REQUEST{‘Packet-Src-IP-Address’} = &request:Packet-Src-IP-Address → ‘10.10.11.4’
(12) perl-privacyidea: &request:Fortinet-Vdom-Name = $RAD_REQUEST{‘Fortinet-Vdom-Name’} → ‘root’
(12) perl-privacyidea: &request:Connect-Info = $RAD_REQUEST{‘Connect-Info’} → ‘vpn-ssl’
(12) perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{‘Acct-Session-Id’} → ‘60fee9a7’
(12) perl-privacyidea: &request:User-Password = $RAD_REQUEST{‘User-Password’} → ‘Aa123456’
(12) perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{‘Calling-Station-Id’} → ‘176.64.30.212’
(12) perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{‘NAS-Port’} → ‘8’
(12) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{‘NAS-Port-Type’} → ‘Virtual’
(12) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{‘Packet-Src-IP-Address’} → ‘10.10.11.4’
(12) perl-privacyidea: &request:User-Name = $RAD_REQUEST{‘User-Name’} → ‘2fa_test’
(12) perl-privacyidea: &request:Framed-IP-Address = $RAD_REQUEST{‘Framed-IP-Address’} → ‘176.64.30.212’
(12) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{‘NAS-Identifier’} → ‘magnum’
(12) [perl-privacyidea] = ok
(12) if (ok || updated) {
(12) if (ok || updated) → TRUE
(12) if (ok || updated) {
(12) update control {
(12) Auth-Type := Perl
(12) } # update control = noop
(12) } # if (ok || updated) = noop
(12) } # authorize = ok
(12) Found Auth-Type = Perl
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(12) Auth-Type Perl {
(12) perl-privacyidea: $RAD_REQUEST{‘User-Name’} = &request:User-Name → ‘2fa_test’
(12) perl-privacyidea: $RAD_REQUEST{‘User-Password’} = &request:User-Password → ‘Aa123456’
(12) perl-privacyidea: $RAD_REQUEST{‘NAS-Port’} = &request:NAS-Port → ‘8’
(12) perl-privacyidea: $RAD_REQUEST{‘Framed-IP-Address’} = &request:Framed-IP-Address → ‘176.64.30.212’
(12) perl-privacyidea: $RAD_REQUEST{‘Calling-Station-Id’} = &request:Calling-Station-Id → ‘176.64.30.212’
(12) perl-privacyidea: $RAD_REQUEST{‘NAS-Identifier’} = &request:NAS-Identifier → ‘magnum’
(12) perl-privacyidea: $RAD_REQUEST{‘NAS-Port-Type’} = &request:NAS-Port-Type → ‘Virtual’
(12) perl-privacyidea: $RAD_REQUEST{‘Acct-Session-Id’} = &request:Acct-Session-Id → ‘60fee9a7’
(12) perl-privacyidea: $RAD_REQUEST{‘Connect-Info’} = &request:Connect-Info → ‘vpn-ssl’
(12) perl-privacyidea: $RAD_REQUEST{‘Fortinet-Vdom-Name’} = &request:Fortinet-Vdom-Name → ‘root’
(12) perl-privacyidea: $RAD_REQUEST{‘Packet-Src-IP-Address’} = &request:Packet-Src-IP-Address → ‘10.10.11.4’
(12) perl-privacyidea: $RAD_CHECK{‘Auth-Type’} = &control:Auth-Type → ‘Perl’
(12) perl-privacyidea: $RAD_CONFIG{‘Auth-Type’} = &control:Auth-Type → ‘Perl’
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL https://10.70.8.253/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: Fortinet-Vdom-Name = root
rlm_perl: RAD_REQUEST: Connect-Info = vpn-ssl
rlm_perl: RAD_REQUEST: Acct-Session-Id = 60fee9a7
rlm_perl: RAD_REQUEST: User-Password = Aa123456
rlm_perl: RAD_REQUEST: Calling-Station-Id = 176.64.30.212
rlm_perl: RAD_REQUEST: NAS-Port = 8
rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
rlm_perl: RAD_REQUEST: Packet-Src-IP-Address = 10.10.11.4
rlm_perl: RAD_REQUEST: User-Name = 2fa_test
rlm_perl: RAD_REQUEST: Framed-IP-Address = 176.64.30.212
rlm_perl: RAD_REQUEST: NAS-Identifier = magnum
rlm_perl: Password encoding guessed: ascii
rlm_perl: Setting client IP to 10.10.11.4.
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://10.70.8.253/validate/check
rlm_perl: user sent to privacyidea: 2fa_test
rlm_perl: realm sent to privacyidea: magnum_realm
rlm_perl: resolver sent to privacyidea: magnum_ldap
rlm_perl: client sent to privacyidea: 10.10.11.4
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam resConf = magnum_ldap
rlm_perl: urlparam user = 2fa_test
rlm_perl: urlparam pass = Aa123456
rlm_perl: urlparam client = 10.10.11.4
rlm_perl: urlparam realm = magnum_realm
rlm_perl: Request timeout: 20
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 2.151159
rlm_perl: Content {“detail”: {“client_mode”: “interactive”, “message”: “:, :, :”, “messages”: [“:”, “:”, “:”], “multi_challenge”: [{“client_mode”: “interactive”, “message”: “:”, “serial”: “OATH000087F8”, “transaction_id”: “13018195230672367535”, “type”: “hotp”}, {“client_mode”: “interactive”, “message”: “:”, “serial”: “TOTP00008694”, “transaction_id”: “13018195230672367535”, “type”: “totp”}, {“client_mode”: “interactive”, “message”: “:”, “serial”: “TOTP0001D5DA”, “transaction_id”: “13018195230672367535”, “type”: “totp”}], “serial”: “TOTP0001D5DA”, “threadid”: 140432084944640, “transaction_id”: “13018195230672367535”, “transaction_ids”: [“13018195230672367535”, “13018195230672367535”, “13018195230672367535”], “type”: “totp”, “preferred_client_mode”: “interactive”}, “id”: 2, “jsonrpc”: “2.0”, “result”: {“authentication”: “CHALLENGE”, “status”: true, “value”: false}, “time”: 1681812160.8520744, “version”: “privacyIDEA 3.8.1”, “versionnumber”: “3.8.1”, “signature”: “rsa_sha256_pss:577de0546a8efabb9e4cfb9f944df20f334227e3b9a4abcb06c1b168931d8f73576730bbdfca451563a5f3325df830cd7525c83058c8f746c44ab49714d99b42f6291aa38ecfc095d95567d6db17fb91280c330fe935dbc96c04fbe486e175343159000d658bf155f9e17190b62b21e5c4e64a820814914b31e6224d01705345511ae0948c3aec74150b2faac8de066d5a1e71b2bc857126073e85e6b6f436e9717af323e6b7ad0027c5dca3a419ac810bc845f15f6ffea1feddb4332301e3b69a33b0995612b0ae111484d9ac066fea011607d8ad8b8c04b60cbe360e62c878f3efac143367a36024dcc9d0044d413f6bb35acf4959a6bb4e422785c5c9b8dc”}
rlm_perl: privacyIDEA Result status is true!
rlm_perl: ++++ Parsing group: Attribute
rlm_perl: +++++ Found member ‘Attribute Filter-Id’
rlm_perl: ++++++ Attribute: IF ‘’->‘’ == ‘’ THEN ‘Filter-Id’
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
rlm_perl: +++++ Found member ‘Attribute otherAttribute’
rlm_perl: ++++++ Attribute: IF ‘’->‘’ == ‘’ THEN ‘otherAttribute’
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
rlm_perl: +++++ Found member ‘Attribute Class’
rlm_perl: ++++++ Attribute: IF ‘’->‘’ == ‘’ THEN ‘Class’
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
rlm_perl: ++++ Parsing group: Mapping
rlm_perl: +++++ Found member ‘Mapping user’
rlm_perl: ++++++ Map: user : group → Class
rlm_perl: return RLM_MODULE_HANDLED
(12) perl-privacyidea: &request:Fortinet-Vdom-Name = $RAD_REQUEST{‘Fortinet-Vdom-Name’} → ‘root’
(12) perl-privacyidea: &request:Connect-Info = $RAD_REQUEST{‘Connect-Info’} → ‘vpn-ssl’
(12) perl-privacyidea: &request:Acct-Session-Id = $RAD_REQUEST{‘Acct-Session-Id’} → ‘60fee9a7’
(12) perl-privacyidea: &request:User-Password = $RAD_REQUEST{‘User-Password’} → ‘Aa123456’
(12) perl-privacyidea: &request:Calling-Station-Id = $RAD_REQUEST{‘Calling-Station-Id’} → ‘176.64.30.212’
(12) perl-privacyidea: &request:NAS-Port = $RAD_REQUEST{‘NAS-Port’} → ‘8’
(12) perl-privacyidea: &request:NAS-Port-Type = $RAD_REQUEST{‘NAS-Port-Type’} → ‘Virtual’
(12) perl-privacyidea: &request:Packet-Src-IP-Address = $RAD_REQUEST{‘Packet-Src-IP-Address’} → ‘10.10.11.4’
(12) perl-privacyidea: &request:User-Name = $RAD_REQUEST{‘User-Name’} → ‘2fa_test’
(12) perl-privacyidea: &request:Framed-IP-Address = $RAD_REQUEST{‘Framed-IP-Address’} → ‘176.64.30.212’
(12) perl-privacyidea: &request:NAS-Identifier = $RAD_REQUEST{‘NAS-Identifier’} → ‘magnum’
(12) perl-privacyidea: &reply:State = $RAD_REPLY{‘State’} → ‘13018195230672367535’
(12) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{‘Reply-Message’} → ‘:, :, :’
(12) perl-privacyidea: ERROR: Internal failure creating pair &reply:Class += $RAD_REPLY{‘Class’} → ‘undef’
(12) perl-privacyidea: &control:Response-Packet-Type = $RAD_CHECK{‘Response-Packet-Type’} → ‘Access-Challenge’
(12) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{‘Auth-Type’} → ‘Perl’
(12) [perl-privacyidea] = handled
(12) } # Auth-Type Perl = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found. Ignoring.
(12) Sent Access-Challenge Id 236 from 10.70.8.253:1812 to 10.10.11.4:12305 length 0
(12) State = 0x3133303138313935323330363732333637353335
(12) Reply-Message = “:, :, :”
(12) Finished request
Waking up in 4.9 seconds.
(12) Cleaning up request packet ID 236 with timestamp +587
Ready to process requests

test
test700×107 39.9 KB

ldapresolver
ldapresolver1332×1505 84 KB

policy
policy1347×762 31.9 KB

realm+token
realm+token1377×761 49.3 KB