JSNascimento
New Member
February 10, 2025
Solved

Fortigate requiring token for internet access, even for users who should only use token with VPN.

  • February 10, 2025
  • 2 replies
  • 1659 views

This problem began after I upgraded Fortigate from 6.4.15 to 7.0.17 without any configuration changes. Before this, the issue was not observed. It's not a problem if it asks for a username and password; the issue is that it started asking for a token, which was initially required only for VPN users.

FortiGate is requiring a token for internet access, even for users who should only need a token for VPN. The firewall integrates with MS AD via LDAP and FSSO.

VPN users authenticate with tokens via FortiAuthentication, which is also integrated with MS AD via LDAP. FortiGate requires a token for internet access only when users are on the local network, not when they are on remote access.

All firewall rules for Internet access are configured to validate FSSO users, with LDAP validation as a fallback in the same rules. See the attached screenshot. 

(attached screenshot: i02.png)
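For readers who cannot see the screenshot, the following is an added illustration, not the poster's own configuration, of the arrangement described above: one Internet policy whose groups list carries both an FSSO group and an LDAP group. The FSSO group is matched passively, by looking the packet's source IP up in the logon table fed by the FSSO collector; the LDAP group can only be matched by actively authenticating the user at the firewall's authentication prompt and checking group membership in AD. The server names AD_LDAP and AD_FSSO, the addresses, group DNs, interface names and policy number are placeholders.

```fortios
# Added illustration (not the poster's config). Names, addresses and DNs are placeholders.

config user ldap
    edit "AD_LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fgt,OU=Service,DC=example,DC=com"
        set password "<redacted>"
    next
end

config user fsso
    edit "AD_FSSO"
        set server "10.0.0.20"
        set password "<redacted>"
    next
end

config user group
    # Passive: membership comes from the FSSO collector's logon table (IP -> user -> groups)
    edit "FSSO_Internet"
        set group-type fsso-service
        set member "CN=Internet,OU=Groups,DC=example,DC=com"
    next
    # Active: the user must be prompted and then looked up in AD_LDAP
    edit "LDAP_Internet"
        set member "AD_LDAP"
        config match
            edit 1
                set server-name "AD_LDAP"
                set group-name "CN=Internet,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

config firewall policy
    edit 10
        set name "Internet"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Both groups on one policy: FSSO first, LDAP as the fallback the poster describes
        set groups "FSSO_Internet" "LDAP_Internet"
        set nat enable
    next
end
```

The practical consequence of this layout is that a source IP with no entry in the FSSO logon table cannot match the policy passively; the only remaining way to match it is the LDAP group, and that is where the firewall's active authentication prompt comes from. Whether that prompt then asks for a second factor depends on how the user and authentication server are configured, which the thread does not show.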

Best answer by AEK

2 replies

AEK
SuperUser
February 10, 2025

If you are using FSSO in firewall rules then it should not require a token, because it is passive authentication.

AEK
JSNascimento
New Member
February 11, 2025

Thanks for reply. You are right, but let me explain better. All firewall rules for Internet access are configured to validate FSSO users, with LDAP validation as a fallback in the same rules. See the attached screenshot.

Please feel free to comment; you're welcome.

AEK
SuperUser (Answer)
February 12, 2025

Can you please run the following so I can understand more?

Start auth debug:

diagnose debug application fnbamd 255
diagnose debug enable

Run ldap auth test with the affected user:

diag test authserver ldap <AD_LDAP> <user> <password>

Run radius auth test with the affected user:

diag test authserver radius <RADIUS_SERVER> <method> <user> <password>

Then generate the required traffic to trigger the firewall policy.

And share all the above output, each separately.

AEK
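The accepted answer lists the debug and test commands but not the order in which a practitioner would run a complete session, nor the FSSO logon-table check that tells you whether passive authentication could have matched at all, nor the step that turns the debug off again. The session below is an added example, not part of the thread; AD_LDAP, FAC_RADIUS, the user jdoe and the workstation address are placeholders, and the page does not say how the firewall reaches its token server, so FAC_RADIUS is an assumption.

```fortios
# Added example of a full diagnostic session (not from the thread).
# AD_LDAP, FAC_RADIUS, jdoe and the addresses are placeholders.

# 1. Timestamp the console and capture the authentication daemon at full verbosity
diagnose debug console timestamp enable
diagnose debug application fnbamd 255
diagnose debug enable

# 2. Is the affected workstation's IP in the FSSO logon table at all?
#    If it is absent, the policy cannot be matched passively and the firewall
#    can only fall back to active authentication.
diagnose debug authd fsso list

# 3. Test the LDAP server directly with the affected user
diagnose test authserver ldap AD_LDAP jdoe "<password>"

# 4. Test the RADIUS server with the same user; <method> is pap, chap, mschap or mschap2
diagnose test authserver radius FAC_RADIUS pap jdoe "<password>"

# 5. Now generate traffic from the workstation (e.g. open a web page), then list who
#    the firewall currently treats as authenticated and through which method
diagnose firewall auth list

# 6. Always switch the debug off afterwards; fnbamd at level 255 is noisy
diagnose debug disable
diagnose debug reset
```

Run step 2 before and after the test traffic: if the workstation's IP only appears in the FSSO list after the user has typed credentials at the prompt, the passive path never had a logon entry to match, and the fnbamd output from step 5 will show which group and server the firewall actually used.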