fmerin_FTNT
Staff
Created on
09-01-2015
01:57 PM
Edited on
04-03-2025
12:26 AM
By
Anthony_E
Article Id
189633
Description
This article describes how to properly configure remote LDAP users to use two-factor authentication.
Scope
FortiGate.
Solution
When configuring remote LDAP users to use two-factor authentication (for example FortiTokens), such authentication can be bypassed by entering a username whose case does not match the case-sensitive username configured for one of the local users.
Further discussion in this article: Technical Tip: SSL VPN two factor authentication (2FA) is bypassed when user enters username that is...
This case will occur if the following are configured on the FortiGate for a desired user group:
* Local users with two-factor authentication are configured,
AND
* A user group is associated with a remote LDAP group whose usernames match those of the already defined local users.
In this case, for all LDAP users that require two-factor authentication, corresponding local LDAP users need to be created on the FortiGate and added to a user group containing only local LDAP users.
* Only usernames matching the case specified in the local LDAP users will be prompted for two-factor authentication.
* Usernames whose case does not match the exact case defined in the local LDAP users will be denied access.
Usernames on the FortiGate are case-sensitive, while usernames in Windows Active Directory are not.
Therefore, it is recommended to adhere to a standard/convention for remote LDAP users created on the FortiGate (e.g. all caps or all lowercase) to prevent confusion for users.
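The two group layouts side by side in FortiOS CLI, as an added illustration that is not part of this article; the LDAP server name AD-LDAP, the user jsmith, the group DN and the FortiToken serial are placeholders:

```text
# --- Layout the article warns against ---
# Local LDAP user "jsmith" carries the FortiToken...
config user local
    edit "jsmith"
        set type ldap
        set ldap-server "AD-LDAP"
        set two-factor fortitoken
        set fortitoken "FTKXXXXXXXXXXXXXX"    # placeholder serial
    next
end
# ...but the group also contains the remote LDAP server directly, so a login
# as "JSMITH" misses the case-sensitive local match and is authenticated through
# the LDAP member, where no token is required.
config user group
    edit "SSLVPN-Users"
        set member "jsmith" "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN-Users,OU=Groups,DC=example,DC=com"   # placeholder DN
            next
        end
    next
end

# --- Recommended layout ---
# The group used by the VPN policy holds only the local LDAP users that carry
# tokens. "jsmith" is prompted for the FortiToken; "JSMITH" matches no member
# and is denied.
config user group
    edit "SSLVPN-2FA"
        set member "jsmith"
    next
end
```

Reference "SSLVPN-2FA" (not "SSLVPN-Users") in the SSL VPN portal mapping and firewall policy so that the token-less path is never reachable for these users.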
Related articles:
Restricting VPN access with two-factor and LDAP authentication
Technical Tip: Description of CVE-2020-12812 (bypassing two-factor authentication for LDAP users) an...
Technical Tip: Local user, username case sensitivity and accent sensitivity