Heads up: SSL VPN with 2FA fails after upgrade to 7.2.9 - 7.2.10 incoming next week

Just got confirmation of a bug (ID #893190) we have been hitting since upgrading to FortiOS 7.2.9:

Basically, the configured 2fa-tokentimeout was ignored and defaulted to 30 seconds. That's not enough for most users to enter a mail-delivered token.

TAC confirmed that FortiOS 7.2.10 will be dropped as soon as next week, 9th or 10th of September.

Good to know, thanks.
We are running SAML to Entra and I increased the timeout and it's working fine. Thankfully!

I can see this timeout being a serious problem warranting a correction, but I wonder if other things have caused them to release 7.2.10 so soon after 7.2.9 was released.

Would it be possible to get a sanitized screenshot of the TAC confirmation? If it’s going to drop next week then I’m going to hold off on a bunch of upgrades.

I’m not running 7.2.9 on anything important yet. Looks like it’s also time to reach out to my rep.

Thank you for posting this!!!

Will it impact 2fa sms or not?

7.2.10 just got released 2 hours ago.

2FA via mail is not really 2FA if it is the same password to the mailbox as VPN account.

By chance, what version were you on prior to the upgrade / upgrade path taken? Just curious if something got borked somewhere.

Can you check my DM.

Thank you

I'm using SSL-VPN with SAML SSO, which has MFA, and all is fine.

Which timeout did you increase?

Can’t wait to see the build # and also the release notes.

Same - I was literally looking at moving from 7.2.8 to 7.2.9 this week. I’ll hold off for now.

And people downvoted me when I commented "hahaha" on the 7.2.9 upgrade release post. No way in hell am I upgrading to 7.2.9 a week after release, and this is why.

I'm using FortiAuthenticator (RADIUS) for 2FA, so every auth method (SMS, mail, FortiToken) is affected in my scenario. I can't tell what's happening when the FortiGate unit sends the SMS itself. From the article description it looks like it would be impacted.

On the user side you will see in FortiClient "-455 permission denied" or in web mode HTTP Error 400.

Maybe fixed for FortiAuthenticator in 7.4.5:

983513 - The two-factor-fac-expiry command is not working as expected for remote RADIUS users with a remote token set in FortiAuthenticator.

config system global
    set remoteauthtimeout 120
end

It’s 30 seconds by default

Doesn't encourage you to buy more products that depend on other products of theirs, I'm sure. I'm increasingly of the mind that beyond the core solutions it might be better to look elsewhere.

Ok thanks. My only customer so far to do 7.2.9 came from 7.2.8 but uses Entra, no issues with timeout changing.