By default, the RADIUS servers on FortiGate are configured with a short timeout (5 seconds), which is not long enough when using FTM push. The timeout must be long enough to allow for:
- Sending the notification.
- The end-user to pick up their mobile device and navigate to the FTM app.
- The end-user to decide whether to approve or deny the request.
The FortiGate also has a global authentication timeout, which is short by default (5 seconds). When this timeout is larger than the RADIUS server timeout, it allows for one or more retries before the FortiGate gives up. The global timeout must be at least as long as the RADIUS server timeout.
Both settings can only be configured using the CLI.
config user radius
    edit <RADIUS server name>
        set timeout <value, e.g. 30>
    next
end
config system global
    set remoteauthtimeout <value, e.g. 60>
end
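The following check is an added example, not part of the Fortinet documentation: it parses a FortiGate configuration backup and reports RADIUS servers whose timeout is too short for FTM push, or longer than remoteauthtimeout. The sample configuration, the server names, the function names and the 30-second minimum (taken from the example value above) are assumptions.

```python
DEFAULT_TIMEOUT = 5    # seconds; default of both settings per the text above
MIN_PUSH_TIMEOUT = 30  # assumption: the example value from the CLI snippet above

# Constructed sample backup (server names and addresses are made up)
SAMPLE_CONFIG = """\
config system global
    set remoteauthtimeout 60
end
config user radius
    edit "fac-push"
        set server "192.0.2.10"
        set timeout 30
    next
    edit "fac-legacy"
        set server "192.0.2.11"
    next
end
"""

def parse_timeouts(config_text):
    """Return (remoteauthtimeout, {radius_server_name: timeout}) in seconds."""
    path, server, remote, radius = [], None, DEFAULT_TIMEOUT, {}
    for line in config_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))      # track nested config blocks
        elif tok[0] == "end" and path:
            path.pop()
        elif tok[0] == "edit" and path == ["user radius"] and len(tok) > 1:
            server = tok[1].strip('"')
            radius[server] = DEFAULT_TIMEOUT    # assumption: absent setting = default
        elif tok[0] == "set" and len(tok) >= 3:
            if path == ["system global"] and tok[1] == "remoteauthtimeout":
                remote = int(tok[2])
            elif path == ["user radius"] and tok[1] == "timeout" and server:
                radius[server] = int(tok[2])
    return remote, radius

def audit(config_text, min_push=MIN_PUSH_TIMEOUT):
    """List servers whose timeouts leave no room for an FTM push approval."""
    remote, radius = parse_timeouts(config_text)
    findings = []
    for name, t in sorted(radius.items()):
        if t < min_push:
            findings.append(f"{name}: RADIUS timeout {t}s is below {min_push}s")
        if remote < t:
            findings.append(f"{name}: remoteauthtimeout {remote}s is below RADIUS timeout {t}s")
    return findings
```

Run `audit()` over the text of a configuration backup; an empty list means every RADIUS server meets both conditions.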
For FortiGate SSL-VPN configurations using 2FA, depending on the version of FOS, the push notification is either triggered automatically after the first factor is validated, or when the end user submits the string "push" in the VPN client.
For instructions on enabling FortiToken Mobile push notifications on FortiAuthenticator, see: Optional: Enabling FortiToken Mobile push notifications.