Technical Tip: FortiProxy and case-sensitivity
Description
This article explains how FortiProxy handles authentication and policy matching when case-sensitivity is disabled.
Scope
FortiProxy.
Solution
FortiProxy provides a global case-sensitivity setting (which FortiGate currently does not):
config system global
set username-case-sensitivity <enable|disable>
end
This is enabled by default. Disabling it does make FortiProxy case-insensitive, but the implementation can make FortiProxy behave in surprising ways.
In particular, case-sensitivity applies in two different ways:
- Authentication.
If case-sensitivity is disabled, then users are still able to authenticate even if they do not match the user entry on FortiProxy exactly.
As an example, if FortiProxy has a local user 'testUser' configured, then 'Testuser', 'TESTuSer', and 'testuser' are all perfectly valid to authenticate with.
However, the local user table itself is still case-sensitive.
This means FortiProxy can have a users 'testuser', 'testUser' and 'TESTUSER' all at the same time. If case-sensitivity is disabled, then FortiProxy will (try to) match all authentication attempts to an all lower-case entry, if it exists.
It is recommended to avoid having multiple users with the same letters and different capitalization.
- Policy Matching.
User objects can be set as the source in a policy in FortiProxy.
If case-sensitivity is disabled, any traffic by the authenticated user will only match policies using an all lower-case version of the username.
For example: a local user 'testUser' exists, and authenticates successfully. If case-sensitivity is disabled, policies with the user 'testUser' will not be matched. Only policies with an object specifically named 'testuser' will be matched.
If case-sensitivity is disabled, it is strongly recommended to have all local user entries in all lowercase.