orspider
New Member
January 4, 2026
Question

SL-VPN with LDAP Groups & FortiToken

  • January 4, 2026
  • 2 replies
  • 466 views

Hi,

I followed this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Correctly-configuring-Two-Factor-Authentication/ta-p/191794

I created an AD group named “ssl-vpn” and assigned a user to it. When I create a group on the FortiGate and add the LDAP remote group, MFA is bypassed. The FortiGate only checks whether the user belongs to the AD group. I verified this by removing the user from the AD group; after that, the user is no longer able to connect.

However, when I configure it exactly as described in the article, authentication is redirected to the FortiToken MFA. In this case, the FortiGate only checks that the user exists in AD, but it does not verify membership in the “ssl-vpn” AD group.

I tested this by removing the user from the “ssl-vpn” group in AD, and the user is still redirected to FortiToken MFA and is able to connect successfully.

What I am trying to achieve is the following flow:

First, verify that the user is a member of the “ssl-vpn” AD group.

Only if the user is a member of that group, proceed to MFA authentication.

Thanks in advance.
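As an added illustration (not from the original post, the linked article, or Fortinet), here are the two FortiOS CLI shapes the question contrasts, with placeholder server address, DNs, user name and token serial: the first group matches a remote LDAP group (membership checked, no token), the second holds an imported LDAP user with a FortiToken (token prompted, membership not checked). Whether combining them gives group-check-then-MFA is exactly what the thread leaves open; the `#` lines are reader comments.

```fortios
# Shared LDAP server object (placeholder address, bind DN and password)
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        set type regular
        set username "CN=ldap-bind,CN=Users,DC=corp,DC=example"
        set password "BIND-PASSWORD-PLACEHOLDER"
    next
end

# Shape 1: remote-group match. The FortiGate verifies the AD group
# membership on each login, but no FortiToken step is involved.
config user group
    edit "SSLVPN-AD-GROUP"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=ssl-vpn,OU=Groups,DC=corp,DC=example"
            next
        end
    next
end

# Shape 2: LDAP user imported as a local user with a FortiToken.
# Password is validated against AD (user must exist), then the token
# is prompted; the group below contains the local user, so nothing
# here references the "ssl-vpn" AD group.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "AD-LDAP"
        set two-factor fortitoken
        set fortitoken "FTK-SERIAL-PLACEHOLDER"
    next
end

config user group
    edit "SSLVPN-MFA-USERS"
        set member "jdoe"
    next
end
```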

2 replies

orspider
orspiderAuthor
New Member
January 4, 2026

Hey, the FW is running 7.2.12.

filiaks1
Explorer III
January 4, 2026

In the FortiOS 7.2.12 Release Notes I see nothing about this, but you can use a test VM NGFW 7.6.5 with the latest version and check if the issue is still there. You can check the LDAP debug that I mentioned, and the FortiToken debug (FortiToken Basic Troubleshooting - Fortinet Community) that I mentioned is still useful, as is checking the article about the issue even if it is for older versions, as you use 2 local and remote groups, which sounds like the article.

Everything I mentioned is when the FortiGate talks with the FortiToken and there is no FortiAuthenticator that could have its own issues or misconfigs.

Outside of that, support could be the go-to.

funkylicious
SuperUser
January 5, 2026

hi,

I think that importing the AD user locally on the FGT is the reason why it can log in w/o being part of the AD group.

The local group contains the user but doesn't specify/filter the remote LDAP server/group as per step 4 in your link, so it doesn't do any checks for this.

I am unsure that you can achieve what you want by importing users locally, but with FortiAuth I'm sure that this can be done.

"jack of all trades, master of none"