FortiAuthenticator Disable RADIUS Access-Challenge?

Question

Is it possible to stop the Fortiauthenticator from sending a RADIUS Access-Challenge when a user is configured for 2FA? Reason for asking is that I want to present a web login to the internet, with FortiAuthenticator as the authentication mechanism using RADIUS. Logging in works by appending the FortiToken code to the password. But if the user does not enter a fortitoken, they are prompted for it. This isn't great from an externally facing login box, as the challenge ONLY appears if the correct username and password has been entered, so even though somebody trying to login maliciously doesn't have the fortitoken code, they now know that that user account is indeed correct and can try using that elsewhere?

xsilver_FTNT · Answer

Hello Alex,

once is the user configured with 2FA and FortiAuthenticator (FAC hereinafter) RADIUS Client config allows or even requires 2FA being used, then FAC dos Access-Challenge for token if it is not obtained as password appendix. This is current design and AFAIK cannot be changed by config.

True is that challenge is sent just after correct user/password combination. Which could reveal user existence. But to be hones, if you have stronger passwords, then what is probability that attacker will hit correct combination within first few attempts ? It seems to me as less likely to happen. Therefore I'd recommend to use user lockout and basically lock such attacked account.

Is the attacker allowed to challenge FAC from anywhere ? I'd suggest to limit possible access routes and attack vectors. Also embed some DOS/IPS prevention points/techniques to limit and stop attacker from being able to try brute-force login.

Best regards, Tomas

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded