Okta Classic Engine | Multi-Factor Authentication | Answered | 2021-07-28T08:23:43.000Z | 2026-05-27T22:37:44.000Z

2ua3s (2ua3s) asked a question.

Forti client - RSA new pin is wrong (-7201)

Hello all

 

I was hoping someone can help me? This Is more a FortiGate question than an OKTA question.

We are getting an "RSA new pin is wrong (-7201)" error when a user tries to connect to the VPN using FortiClient.

 

We have completed all the steps of OKTA + FortiGate Radius Integration. We have set the timeout, We have added the radius config to FortiGate. We have also tested the OKTA radius using NTRadping and OKTA is working 100%.

We can authenticate, we get the second-factor push notification, we can accept it, and authentication is successful. The OKTA RADIUS logs show that authentication was successful.

 

The problem we are facing is on the FortiGate side. On the CLI command line side we can successfully authenticate to the okta radius via the firewall but as soon as a user tries to use the forti client we get this RSA new pin is wrong (-7201) error and we are not using RSA as a factor of authentication we are using push or OTP.

For testing purposes, we also allowed anyone from anywhere that has the RADIUS secret to authenticate, but as stated, OKTA works. FortiGate seems to be the problem.

 

On the FortiGate side, we have logged an SR, We have also upgraded the firewall's firmware and now we are waiting for FortiGate support to get back to us.

 

Has anyone seen this before?

Best Regards



  • 2ua3s (2ua3s)

    Hi Radu

     

    Thank you for coming back to me.

    We have managed to solve the problem.

    The problem is NOT Remote Authentication Timeout, The problem is related to step 1 of Defining the Firewall Group. In summary, Leave the Groups field blank.

     

    We specified a group and as a result, we got the misleading RSA error from forticlient.


    Best Regards

    Brendon

    Selected as Best
  • Radu (Okta, Inc)

    Hello Brendon,

     

    This sounds like a clockskew issue so make sure you follow step 5 from the integration guide to increase timeout.

    https://help.okta.com/en/prod/Content/Topics/integrations/fortinet-radius-intg-gw.htm

    Also check that the local PC time is synced and accurate when testing.

    Apart from that, if Okta logs show successful authentication and there is no error from our side, then the error is thrown by the SP and you will need to investigate with them.


    Radu Chiriac

    Technical Support Engineer

    Okta Global Customer Care

  • JaredB.31817 (Customer)

    Hi Brendon-

     

    Would you be able to provide a bit more context around defining the firewall group and Leave the Groups field blank? I am running into the same issue.


    Thanks!

  • 2ua3s (2ua3s)

    Hi Jared


    I hope you are well?

    I believe the documentation states the following: "Group Name: Any (Note: In FortiGate firmware 5.6.5 and above, leave the Group Name blank.)" This told me that FortiGate remote group usage changed.

    I also checked the FortiGate documentation, and it also notes that the groups should be blank: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/200757/connecting-the-fortigate-to-the-radius-server

     

    I honestly can't give you a technical answer here as I could also not find an answer, My technical brain suspects, this remote group only references local fortigate groups or used to and then just don't know how to handle the radius authentication request. I just know this was the cause of countless hours of troubleshooting.


    Are you also wanting to implement this in a prod environment without impacting existing users?


    Regards

    Brendon

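The two FortiGate settings this thread turns on (the remote-group "Groups" field and the remote authentication timeout), shown as a constructed FortiOS CLI example that is not from the thread, from Okta's guide or from Fortinet's documentation. The object names, the 203.0.113.10 address and the 60-second value are assumptions; the `config match` block is the CLI form of the GUI "Groups" field.

```text
# Constructed FortiOS CLI example; names, address and timeout are placeholders.

config user radius
    edit "Okta_RADIUS"
        set server "203.0.113.10"
        set secret <shared-secret-placeholder>
    next
end

# Before (what produced the misleading "RSA new pin is wrong (-7201)" error):
# a group name in the remote-group match. FortiGate only treats the user as a
# member when the RADIUS Access-Accept carries that group name in the
# Fortinet-Group-Name attribute; if the reply does not, the user is denied
# even though Okta accepted the credentials and the push approval.
config user group
    edit "Okta_VPN_Users"
        set member "Okta_RADIUS"
        config match
            edit 1
                set server-name "Okta_RADIUS"
                set group-name "VPN-Users"
            next
        end
    next
end

# After (GUI "Groups" field left blank): no group-name match at all. Every
# user the Okta RADIUS agent accepts is now a member of this group, so who
# may reach the VPN must be limited on the Okta side (app assignment), not
# by the FortiGate group.
config user group
    edit "Okta_VPN_Users"
        set member "Okta_RADIUS"
    next
end

# Step 5 of the Okta guide: give the push approval time to complete before
# FortiGate abandons the RADIUS request (assumed value, in seconds).
config system global
    set remoteauthtimeout 60
end
```

Only the `config user group` change addresses the error in this thread; the timeout is the separate clock-skew check Radu asked for.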
  • JaredB.31817 (Customer)

    Testing in dev right now, so I'm not too worried about breaking anything. Thanks for the further info. I'll take a look at the links provided and see if I can fix.

This question is closed.
