daj
New Member
November 13, 2018
Solved

Fortitoken 2FA issue

  • November 13, 2018
  • 1 reply
  • 25628 views

Hi,

I have a problem with the 2FA mobile token.

We use SSL VPN and LDAP. All VPN users are assigned 2FA with a mobile token and they are able to log in to the network via VPN using the 2FA mobile token. But one user is unable to use the token. When he enters his username and password, FortiClient does not ask for FortiToken Mobile and he gets connected directly into the network, which seems the same as SSO, even though the user is successfully assigned a FortiToken Mobile.

What might be the reason for this? How can I troubleshoot this and get it resolved?

Thanks!!

    Best answer by xsilver_FTNT

    1 reply

    xsilver_FTNT
    Staff
    November 13, 2018

    Hi daj,

    Q: What might be the reason for this?

    A: If it's on FortiGate and the users are of remote type, so they actually authenticate further against, for example, LDAP on MSFT AD, then the usual mistake and reason is FortiGate's case sensitivity.

     

    In details:

    - if you have ldap type user name 'johndoe' with token assigned

    - and such user is member of firewall group where there is user 'jonhndoe' and actual LDAP server as members

    - then when user authenticate and as user name uses 'Johndoe' (UPPERCASE j), then those 'johndoe' and 'Johndoe' are completely different users for FortiGate. But as LDAP is also member, then login process fail to find local user (the one with token) and fall back to another group member, the LDAP. And as user is LDAP type it successfully authenticate through the LDAP.

     

    SOLUTIONs for above:

     

    a) user FortiAuthenticator as centralized authentication back-end which can deal with case sensitivnes

    b) split firewall group members and do NOT mix pure LDAP with token users, or in more advanced scenario set group match on that LDAP the way that users with the token will not be considered members anymore, so mentioned 'johndoe' either authenticate with the proper casing and token or 'He shall not pass!' .. at all.
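As an added illustration (not code from this thread and not Fortinet's implementation), the following Python model reproduces the lookup order the answer above describes: group members are tried in order, a local user name only matches with exact casing, and a bare LDAP-server member authenticates anyone the directory accepts, without a token. The user name, password and directory contents are constructed sample data, and the `audit_mixed_groups` check that flags groups mixing token users with an LDAP server is an assumption of this example, not a FortiGate feature.

```python
# Added example (not from the original thread): a small model of the group-member
# authentication fallback described in the answer, plus an audit check.
# Assumptions: members are tried in order, local user names are matched
# case-sensitively, and an LDAP-server member accepts any user the directory
# binds, with no token. Names, password and directory are constructed data.
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    name: str
    ldap_server: str          # remote-type user: password is checked on this server
    has_token: bool = False   # FortiToken Mobile assigned to this user


@dataclass
class LdapServer:
    name: str
    directory: dict           # constructed stand-in for AD: sAMAccountName -> password

    def bind(self, username, password):
        # AD matches sAMAccountName case-insensitively, so normalise before lookup
        return self.directory.get(username.lower()) == password


@dataclass
class Group:
    name: str
    members: list = field(default_factory=list)  # LocalUser or LdapServer, in order


def authenticate(group, username, password, token_ok, servers):
    """Return (success, reason), walking group members in order as the answer describes."""
    for member in group.members:
        if isinstance(member, LocalUser):
            if member.name != username:          # exact, case-sensitive match only
                continue
            if not servers[member.ldap_server].bind(username, password):
                return False, "password rejected"
            if member.has_token and not token_ok:
                return False, "token required"
            return True, "local user" + (" + token" if member.has_token else "")
        if isinstance(member, LdapServer):
            if member.bind(username, password):  # fallback path: no token involved
                return True, "ldap fallback (no token)"
    return False, "no matching member"


def audit_mixed_groups(groups):
    """Flag groups that mix token-bearing local users with a raw LDAP server member."""
    findings = []
    for g in groups:
        token_users = [m.name for m in g.members if isinstance(m, LocalUser) and m.has_token]
        ldap = [m.name for m in g.members if isinstance(m, LdapServer)]
        if token_users and ldap:
            findings.append(f"{g.name}: token users {token_users} share group with LDAP server {ldap}")
    return findings


def demo():
    ad = LdapServer("AD-LDAP", {"johndoe": "s3cret"})          # constructed directory
    servers = {ad.name: ad}
    johndoe = LocalUser("johndoe", ldap_server="AD-LDAP", has_token=True)
    mixed = Group("VPN-Users-mixed", [johndoe, ad])           # the misconfiguration
    split = Group("VPN-Users-token", [johndoe])               # solution b): token users only
    return {
        "exact_case_mixed": authenticate(mixed, "johndoe", "s3cret", token_ok=False, servers=servers),
        "wrong_case_mixed": authenticate(mixed, "Johndoe", "s3cret", token_ok=False, servers=servers),
        "wrong_case_split": authenticate(split, "Johndoe", "s3cret", token_ok=False, servers=servers),
        "exact_case_token": authenticate(split, "johndoe", "s3cret", token_ok=True, servers=servers),
        "audit": audit_mixed_groups([mixed, split]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the mixed group, 'Johndoe' slips past the local user and is accepted by the LDAP member with no token prompt, which is exactly the SSO-like behaviour the question reports; in the split group the same login is simply refused, and the audit function lists the mixed group as the thing to fix.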

    daj (Author)
    New Member
    November 27, 2018

    Hi Tomas,

    I am using the login name with the proper case. I can see in my router that a FortiToken is assigned to the user. But the issue is, when the user tries to access the VPN network with his username and password, he directly enters the network, without being asked for the FortiToken which is already shown as assigned.

    Also the user is not mixed with firewall group members.

    Thanks