Description
This article describes how to correctly configure two-factor authentication (2FA) on a FortiGate firewall for LDAP users.
Scope
FortiGate with LDAP.
Solution
Two-factor authentication works when an LDAP user is referenced individually, but when only the remote LDAP group is referenced, the login is denied and the token code is never sent. The reason is that the two-factor setting lives on the local user entry, which a remote-group match does not use.
Verification of Configuration:
- Integrate the firewall with the LDAP server and verify the connectivity.
- Create a remote group that references the LDAP server and the directory group name.
- Create an LDAP user with two-factor authentication enabled using one of the available methods: SMS, email, or FortiToken.
To enable 2FA on the CLI (the user entry is an LDAP-backed local user, so it needs the user local table, the type and the LDAP server name):
config user local
    edit "fortinet"
        set status enable
        set type ldap
        set ldap-server "LDAP"
        set two-factor {fortitoken | fortitoken-cloud | email | sms}
        set email-to "<address>"        (required when two-factor is email)
        set sms-server fortiguard        (used when two-factor is sms)
        set sms-phone "<number>"         (required when two-factor is sms)
        set authtimeout 0
        set auth-concurrent-override disable
        set workstation ''
    next
end
- Create a local (Firewall type) group for the LDAP users and add the two-factor-enabled user entries as members.
- Include the local group in the SSL VPN authentication rule and in the firewall policy. Make sure not to refer to the remote group there: a remote-group match authenticates the user against the directory directly and never consults the local user entry that carries the two-factor setting.
- Connect to the SSL VPN from FortiClient. The user is prompted for the token code.
- Users in the local group who have no FortiToken (or other two-factor method) configured simply log in with their password.
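The complete configuration that the steps above describe, as an added example that is not part of the original article. The server name "LDAP", its address 10.0.0.10, the bind account "fgt-bind", the directory group "VPN-Users", the users "jsmith" and "ajones", the token serial placeholder and the interface "port2" are all assumptions; lines starting with # are annotations and are not part of the CLI.

```fortios
# Added example, not from the original article. All names and addresses are assumed.

# 1. LDAP server. LDAPS on 636 is an added hardening choice so the bind and user
#    passwords do not cross the network in clear text.
config user ldap
    edit "LDAP"
        set server "10.0.0.10"
        set secure ldaps
        set port 636
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=example,dc=com"
        set password <bind-password>
    next
end

# 2. Remote group. Matches the directory group, but it is NOT referenced by the
#    SSL VPN settings or the firewall policy, because a remote-group match skips
#    the local user entries that carry the two-factor setting.
config user group
    edit "LDAP-VPN-Remote"
        set member "LDAP"
        config match
            edit 1
                set server-name "LDAP"
                set group-name "CN=VPN-Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# 3. LDAP-backed local user entries. The two-factor method is set per user here.
config user local
    edit "jsmith"
        set type ldap
        set ldap-server "LDAP"
        set two-factor fortitoken
        set fortitoken <token-serial>
    next
    edit "ajones"
        set type ldap
        set ldap-server "LDAP"
        set two-factor email
        set email-to "ajones@example.com"
    next
end

# 4. Local (Firewall type) group containing the 2FA-enabled entries. This is the
#    only group the VPN and the policy reference.
config user group
    edit "LDAP-VPN-2FA"
        set member "jsmith" "ajones"
    next
end

# 5. SSL VPN authentication rule bound to the local group.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "LDAP-VPN-2FA"
            set portal "full-access"
        next
    end
end

# 6. Firewall policy for VPN clients, also bound to the local group.
config firewall policy
    edit 10
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "LDAP-VPN-2FA"
    next
end
```

Before testing 2FA, confirm the LDAP side on its own with diagnose test authserver ldap LDAP jsmith <password>: the output shows whether the bind succeeded and which directory groups the user belongs to. If that fails, the token prompt cannot appear regardless of the group configuration.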
Troubleshooting:
If the configuration above is correct and users are still not prompted for 2FA, check whether any RADIUS servers are configured.
If 'Include in every user group' is enabled on a RADIUS server (all-usergroup in the CLI), that server is implicitly added to every user group, including the local LDAP group, and the login can be satisfied by RADIUS before the two-factor step is reached.
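How to find and clear that setting on the CLI, as an added example that is not part of the original article. The server name "RADIUS-Server" is an assumption; the option name all-usergroup is the CLI form of 'Include in every user group'.

```fortios
# Added example, not from the original article. "RADIUS-Server" is an assumed name.

# Check: a server with the option on shows "set all-usergroup enable" in its entry.
show user radius

# Correction: stop the RADIUS server from being injected into every user group.
config user radius
    edit "RADIUS-Server"
        set all-usergroup disable
    next
end
```

After disabling it, any group that genuinely needs that RADIUS server must list it explicitly as a member; the LDAP group used for 2FA should not.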
Use the following commands to debug:
diag debug reset
diag debug application fnbamd -1            <- to verify the authentication process
diag vpn ssl debug-filter src-addr4 x.x.x.x <- substitute the client's public IP
diag debug application alertmail -1         <- to verify token delivery by email
diagnose fortitoken debug enable -1         <- to verify FortiToken issues
diag debug application sslvpn -1
diag debug enable
diag debug disable                          <- once the issue has been identified, disable debugging
Note: sometimes users are not prompted for a token because the user name they type does not match the local user entry in case (for example JSmith versus jsmith). Username matching is controlled per local user entry; the entry keeps its existing type (ldap) and only the case-sensitivity setting changes:
config user local
    edit "<name>"
        set username-case-sensitivity {enable | disable}
    next
end