Skip to main content
bartman10
bartman10
New Member
November 17, 2014
Question

IT'S BACK!!!!! FortiToken 2 factor auth LDAP fail (-445)

  • November 17, 2014
  • 6 replies
  • 16280 views

I've had 3 tickets open about this... this problem was introduced in 5.2. Using FortiToken with LDAP authentication results in Error (-455). 

 

The first ticket took the usual week of "upload your config, run all this debug crap, run more debug stuff, let me log in and run the same debug stuff, let me send this to level 2, let level 2 run debug stuff, make some stuff up...".. Then they come back with "it's a known issue and will be fixed in 5.2.1".. I ask.. ok.. is there a patch.. "no go away, we're busy"... 

 

So I wait the till 5.2.1 comes out.. I think it was over 2 months after I first reported this issue.. So I install 5.2.1.. same issue -445... We do the same week long game of logs and stuff... This time they say "oh you have a different issue" It will be fixed sometime... but this time they say there is a hotfix... 

 

They give me the hotfix warning me that it's not fully tested (like the through testing the do on the regular release HAHA).. This beast calls itself "5.2.0 Build619" The tech says it's really 5.2.1 619 and to trust him.. He sounds nice so I trust him.. 

I install this special build.... will it finally fix my 2 factor authentication issue, will it make the FortiGate and FortiToken to lie down in green pastures and lead me beside quiet waters?! Yes.. yes.. it does seem as so!

So it works now...

 

But then... just last week... I saw the beast, the king of the earth, and their armies... ... ok enough of that.. well any way.. Last week it just started happening again.. for no reason.. nothing changed... all users are now reporting -445 when using FT... 

Logging in with LDAP user with no 2 fact works, using a local user works, a local user with 2 fact works... but LDAP with 2 fact does not... 

Why has he forsaken me!

Support seems puzzled... it's been about a week so I can't wait to see what they have to say.

    6 replies

    Dipen
    Dipen
    New Member
    November 18, 2014

    FortiSupport sometimes sucks. So you want to use LDAP user with FortiToken. This is working fine for me in FortiOS 5.0.

    Was it working for you in FortiOS 5.0 ?

    Downside is that you have to create each and every LDAP User manually under local Users..For password associate to an LDAP Server and then associate the FortiToken.

     

    One question...During Authentication are you receiving the FortiToken Prompt or password entry itself fails?

    bartman10
    bartman10Author
    New Member
    November 18, 2014

    It did work fine in 5.0. 5.2 started it all.

     

    I agree with you on the downside... but I don't see any way around it.. you are using a remote authentication (LDAP) that you need to associate with a local resource (FortiToken).. I believe RADIUS would have the exact same setup. One thing that does drive me nuts is when you go to create the local user you can't input the users email and then assign the token because the system has not actually saved the email yet. So you have to input the email, hit save, get kicked back to users screen, select the user again, then associate the token.

     

    I do get asked for the Token. The after entering the token it errors. If you look at the debug logs it clearly shows LDAP OK, Token OK, then drop for no reason.. Support just says "hmm.. that's odd" 

    bartman10
    bartman10Author
    New Member
    November 22, 2014

    I was about at the end of my rope with some of the ongoing issues when I posted... but the facts are all correct. I've had 3 tickets open after installing 5.2 broke the way I had FortiTokens configured and working in 5.0.7. Each ticket ended with "this is a known issue and will be fixed in the next 5.2.X release".. well I kept installing that next release and the issue was never resolved.    I only just yesterday received a post from a L3 about the FortiToken issue. His post was a bit cryptic and didn't simply come out and say "I see your problem and it's because you should do X,Y,Z" but I was able to read the tea leaves and figure out what he was pointing to.  Basically all this time I had one User Group with both the LDAP servers and the local users (who use LDAP password) with Tokens assigned. The fix was to break them up into two separate user groups. In the SSL VPN firewall rule put the FT User Group first. As soon as I did this FT started working properly again.    The really frustrating thing is no one at support had any idea how this should be configured and how this should be configured is not documented anywhere. The fact that on the User Groups page you can add local users with LDAP groups configured only seems to allude to the fact this is ok and should work. 

    If I'm wrong please point it out in the documentation. 

    Dipen
    Dipen
    New Member
    November 23, 2014

    Congrats to you then....I also face similar issues when you combine Local Users & LDAP Remote Users in a same group. It prompts for Fortitoken for Non-2FA Users as well. Will try for your solution..Hope it works !

     

    Regards

    mwkirk
    mwkirk
    New Member
    March 2, 2015

    I am having a similar issue I think using LDAP and then SMS for the second factor.  I am able to get prompt for the OTP and it will not let me login.  I tried putting the users in an TwoFactor local group and adding that into the Policies but still seems like it won't connect.  I can remove the two factor from the local users that are mapped via LDAP and then the login is fine.  About to open a ticket with support as well but if there is any additional information to be provided I would appreciate it.  I am currently running 5.2.2 on a 200D.

     

    Thanks

    Mike

    bartman10
    bartman10Author
    New Member
    March 3, 2015

    Are you splitting the authorization groups between FortiToken users and non-FT users? When you try and put them all in the group is when the problems start.

    mwkirk
    mwkirk
    New Member
    March 3, 2015

    bartman10 wrote:

    Are you splitting the authorization groups between FortiToken users and non-FT users? When you try and put them all in the group is when the problems start.

    Yeah...which it looks like it it is working now  but I don't know why as I didn't really make any changes and did have the groups split.

    bartman10
    bartman10Author
    New Member
    March 3, 2015

    Glad you got it working.. After splitting the groups I have not had an issue.. But Fortinet support doesn't even know how this should be configured or how it should work.. I spent a long time working with support to get to where I am now... 

    They really, really need to document this one way or the other.. Ether you can put both local user accounts(using LDAP auth) and LDAP accounts in the same group or you can't. If you can't they need to gray out the option to do so as soon as  you select one or the other.

    The fact they have no documentation to say if this is allowed, no one at support knows untill you get to level 3, and the fact the GUI allows you to mix them.. is well.. just a mess.. and this is my main grip with FortiNet as a company.. 

    Great product for the price.. sloppy QA, sloppy documentation, sloppy consistency between product versions and OS versions.

     

    Heck.. here's a great example of sloppy consistency between product versions.. on some of my FG's the CLI prompt is #, on others it's $... try writing a freeking backup script that has to look for # or $ before it knows to issue commands!!! 

    You don't find that on other gear... and this is just one example.

     

    If you need more examples I have plenty...

     

    For extra credit.. try creating a site to site vpn between a 300C and say a 94D... at the CLI, you can ping the internal interface of the other... on the other you can't... Tell me which one can.. and why it does not work on the other for bonus points.

     

    FG support are eligible to play because at least 4 of them have argued with me this should "never work" even after I literally showed them... Again.. took level 3 support to referee the fight... I won.

    mwkirk
    mwkirk
    New Member
    March 3, 2015

    Yeah...well support got back with me this morning.  I told them I had it working but let them go through it anyway.  The way they describe this should work is that if you should be able to mix the groups so you would have something like two-factor users setup as local users then you attach a group that has users that do not require two-factor or something like that.  I blindly let the tech go through and we changed it and it did break it.  Once separated out all was good to go.

     

    All in all I really like the products...I have been able to do some really cool things with them over the 3 years or so I have been working with them.  I do have an issue with the consistency of the interface in that things move around or disappear altogether from version to version.

     

    I may be missing something as well but seems I have to enable SMS two-factor via CLI  and once it is enabled then it shows up in the GUI which I can disable it from there but then if I want to re-enable I have to go back to the CLI.  Again, there may be some option to "display SMS two-factor options" or something like that somewhere.

     

    MK

     

    bartman10 wrote:

    Glad you got it working.. After splitting the groups I have not had an issue.. But Fortinet support doesn't even know how this should be configured or how it should work.. I spent a long time working with support to get to where I am now... 

    They really, really need to document this one way or the other.. Ether you can put both local user accounts(using LDAP auth) and LDAP accounts in the same group or you can't. If you can't they need to gray out the option to do so as soon as  you select one or the other.

    The fact they have no documentation to say if this is allowed, no one at support knows untill you get to level 3, and the fact the GUI allows you to mix them.. is well.. just a mess.. and this is my main grip with FortiNet as a company.. 

    Great product for the price.. sloppy QA, sloppy documentation, sloppy consistency between product versions and OS versions.

     

    Heck.. here's a great example of sloppy consistency between product versions.. on some of my FG's the CLI prompt is #, on others it's $... try writing a freeking backup script that has to look for # or $ before it knows to issue commands!!! 

    You don't find that on other gear... and this is just one example.

     

    If you need more examples I have plenty...

     

    For extra credit.. try creating a site to site vpn between a 300C and say a 94D... at the CLI, you can ping the internal interface of the other... on the other you can't... Tell me which one can.. and why it does not work on the other for bonus points.

     

    FG support are eligible to play because at least 4 of them have argued with me this should "never work" even after I literally showed them... Again.. took level 3 support to referee the fight... I won.

    Terms & ConditionsAccessibility statement