zoriax
New Member
April 8, 2022
Solved

FortiAuthenticator SSL VPN - LDAP - 2FA and Password Change

  • April 8, 2022
  • 6 replies
  • 7660 views

Hi!

I have a strange behaviour with FortiAuthenticator and SSL VPN on FortiGate.

  • FortiAuthenticator is configured to sync LDAP user accounts
  • FortiAuthenticator is configured to act as RADIUS with remote users
    • On the RADIUS policy, I checked "User Windows AD Domain Authentication"
  • FortiGate SSL VPN is correctly configured with RADIUS

Without 2FA enabled on the FortiAuthenticator account:

  • On the SSL VPN web interface I can connect
  • If I reset the password in my Active Directory (force change), on the SSL VPN interface I can set a new password
  • (screenshot)

With 2FA enabled on the FortiAuthenticator account:

  • On the SSL VPN web interface I can connect with a token
  • If I reset the password in my Active Directory (force change), on the SSL VPN interface when I enter the token I am not redirected to the change password page but I get an error
  • (screenshot)

On Authentication > User Account Policies I have:

(screenshot)

If I disable "Request password reset after OTP verification", the behaviour is a bit different:

  • I can change the password, then I receive the token, but after entering the token I have:
  • (screenshot)
  • And I need to log in again with my new password

What is the correct workflow and options to allow token and password change with LDAP?

Many thanks


6 replies

zoriax (Author)
New Member
April 8, 2022

I tried with a local user and the behaviour is the same :( ! It seems I missed something in the configuration :)

Debbie_FTNT
Staff & Editor
April 8, 2022

Hey zoriax,

did you enable the setting to allow password change in the FortiGate CLI?

    config user radius
        edit "<radius-server-name>"
            set password-renewal enable
        next
    end

zoriax (Author)
New Member
April 8, 2022

Yes, and as I said in my post, it works! The only problem is when 2FA is enabled.

Debbie_FTNT
Staff & Editor
April 8, 2022

Oh, my apologies, I overlooked that bit - please ignore the above post then.
In that case, I would dive into the RADIUS authentication debug log on FortiAuthenticator (https://<FortiAuthenticator>/debug and select 'Radius Authentication' in the drop-down) to see what it is doing, and what it is sending to FortiGate when. It could also be that FortiGate is not handling the two challenges (token code, change password) well; I believe that depends a bit on FortiGate firmware version

zoriax (Author)
New Member
April 8, 2022

Hi Debbie, no problem :)

I run FortiOS 7.0.5 and FortiAuth 6.4.3.

In debug, I have:

2022-04-08T14:14:37.428877+02:00 AUTH radiusd[8170]: Waking up in 0.6 seconds.
2022-04-08T14:14:37.428886+02:00 AUTH radiusd[8170]: Thread 3 got semaphore
2022-04-08T14:14:37.428906+02:00 AUTH radiusd[8170]: Thread 3 handling request 10, (3 handled so far).

zoriax (Author)
New Member
April 8, 2022

What is amazing is that the whole process works without OTP enabled (I can change my password correctly).

And for this test I used a local user to be sure everything works on FortiAuth directly.

zoriax (Author)
New Member
April 8, 2022

Should it be related to RADIUS Vendor Attributes? I checked inside the dictionaries and can't find:

(screenshot)

I only have:

(screenshot)

zoriax (Author, Answer)
New Member
April 8, 2022

Ok, after a few searches I solved the problem.

To work with 2FA and reset, you need to enable MS-CHAP-V2 in FortiGate RADIUS.

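For reference, here is an added example (not from the original post or from Fortinet) of what the accepted answer changes on the FortiGate side: the RADIUS server object without an explicit method, which leaves FortiOS's default "auto" order (PAP first), beside the same object pinned to MS-CHAP-V2. PAP has no change-password operation, while MS-CHAPv2 does (the Change-Password exchange of RFC 2759, carried in RADIUS as the Microsoft vendor attribute MS-CHAP2-CPW from RFC 2548), which is why the OTP challenge followed by a forced AD password change only completes with MS-CHAP-V2. The server name, address and secret are placeholders.

```fortios
# Before: no explicit auth-type, so FortiOS uses "auto" (PAP, then
# MS-CHAPv2, then CHAP). Password renewal is enabled, but with 2FA the
# OTP challenge ends in an error instead of a change-password prompt
# (the symptom described in the thread).
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"
        set secret "<shared-secret>"
        set password-renewal enable
    next
end

# After: pin the method to MS-CHAP-V2 so the FortiGate can send the
# MS-CHAP2-CPW change-password request after the OTP challenge.
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"
        set secret "<shared-secret>"
        set auth-type ms_chap_v2
        set password-renewal enable
    next
end

# Check that FortiAuthenticator accepts MS-CHAPv2 for this server object
# before testing the SSL VPN login (placeholder user and password):
# diagnose test authserver radius FAC-RADIUS mschap2 <user> <password>
```

On the FortiAuthenticator side, the RADIUS debug log Debbie pointed to (https://<FortiAuthenticator>/debug, "Radius Authentication") shows which method each Access-Request arrived with, so a request still showing PAP after this change means the wrong server object or policy is in use.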
Debbie_FTNT
Staff & Editor
April 11, 2022

Hey zoriax,

thanks for posting the solution!

My apologies that I didn't ask about the RADIUS authentication method; when you said you'd enabled AD authentication I automatically assumed FortiGate was set to MS-CHAP-V2, sorry for the assumption.

Great that you solved it!