FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

This article describes why RADIUS MFA may not work for a user who is also a member of an LDAP group on FortiGate.


Authentication still succeeds, but it is completed by the LDAP server rather than by RADIUS, so the RADIUS MFA step is never completed.


SSL-VPN configuration:


# config vpn ssl setting
    set port 10443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "LDAP-group" "Radius-group"                 <----- Two groups are in use: one is backed by the LDAP server, the other by the RADIUS MFA server.
            set portal "full-access"
        next
    end
end


When a user who belongs to both of these groups authenticates, the authentication completes via LDAP.


FortiGate sends the authentication request for every group in the rule, and therefore to every authentication server behind those groups, at the same time.


The request to RADIUS is sent, but because MFA is involved, RADIUS takes longer to answer. The LDAP server answers faster, so its result is the one that goes through.




[569] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius-test' for usergroup 'Radius-group' (4)            <----- RADIUS request being sent.

[1083] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ldap-test' for usergroup 'LDAP-Group' (2)                    <----- Request sent to the LDAP server.
[1836] fnbamd_ldap_auth_ctx_push-'ldap-test' is already in the ldap list.
[1083] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ldap-test' for usergroup 'LDAP-group' (3)
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: : 1


[2776] fnbamd_ldap_result-Passed group matching      <----- Matches an LDAP group.
[1060] find_matched_usr_grps-Add matched group 'LDAP-group'(2)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 321024298, len=2485


The RADIUS request was already sent, but because MFA is configured it takes time to complete, so LDAP finishes the authentication first and the pending RADIUS request is cancelled, which is why MFA fails:


[434] radius_stop-Timer of rad 'radius-test' is deleted
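The sequence above (a RADIUS server and an LDAP server loaded for the same attempt, the LDAP result sent, then the RADIUS timer deleted) is the signature of this race, and it can be picked out of fnbamd debug output automatically. The following analyser is an added example, not part of the article or of FortiOS; it uses the exact debug lines shown above as its constructed sample input and only matches the line patterns that appear in this article (in particular, no RADIUS success line is matched because none is shown here). Such output is normally captured with `diagnose debug application fnbamd -1`, which the article itself does not mention.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the fnbamd debug lines shown in this article, concatenated.
SAMPLE_FNBAMD_LOG = """\
[569] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius-test' for usergroup 'Radius-group' (4)
[1083] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ldap-test' for usergroup 'LDAP-Group' (2)
[1836] fnbamd_ldap_auth_ctx_push-'ldap-test' is already in the ldap list.
[1083] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ldap-test' for usergroup 'LDAP-group' (3)
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: : 1
[2776] fnbamd_ldap_result-Passed group matching
[1060] find_matched_usr_grps-Add matched group 'LDAP-group'(2)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 321024298, len=2485
[434] radius_stop-Timer of rad 'radius-test' is deleted
"""

# Patterns taken from the debug lines above; nothing else is assumed about fnbamd.
RADIUS_LOADED = re.compile(r"Loading RADIUS server '([^']+)' for usergroup '([^']+)'")
LDAP_LOADED = re.compile(r"Loaded LDAP server '([^']+)' for usergroup '([^']+)'")
LDAP_PASSED = re.compile(r"fnbamd_ldap_result-Passed group matching")
RESULT_SENT = re.compile(r"fnbamd_comm_send_result-Sending result (\d+) .* for req (\d+)")
RADIUS_STOPPED = re.compile(r"radius_stop-Timer of rad '([^']+)' is deleted")


@dataclass
class AuthAttempt:
    """What one fnbamd authentication attempt did, as reconstructed from the log."""
    radius_servers: Dict[str, str] = field(default_factory=dict)        # server -> usergroup
    ldap_servers: Dict[str, List[str]] = field(default_factory=dict)    # server -> usergroups
    result_code: Optional[int] = None
    request_id: Optional[str] = None
    answered_by: Optional[str] = None                                   # "ldap" or "unknown"
    radius_stopped_after_result: List[str] = field(default_factory=list)

    @property
    def mixed_backend_race(self) -> bool:
        # A RADIUS server was in play, LDAP produced the result, and RADIUS was
        # cancelled only after that result had already been sent: MFA never completed.
        return (bool(self.radius_servers)
                and self.answered_by == "ldap"
                and bool(self.radius_stopped_after_result))


def analyse_fnbamd_log(text: str) -> AuthAttempt:
    """Walk the debug output line by line and reconstruct the attempt."""
    attempt = AuthAttempt()
    ldap_passed = False
    for line in text.splitlines():
        m = RADIUS_LOADED.search(line)
        if m:
            attempt.radius_servers[m.group(1)] = m.group(2)
            continue
        m = LDAP_LOADED.search(line)
        if m:
            # The same server can be loaded for several groups (note the case
            # difference 'LDAP-Group' / 'LDAP-group' in the sample), so keep all of them.
            attempt.ldap_servers.setdefault(m.group(1), []).append(m.group(2))
            continue
        if LDAP_PASSED.search(line):
            ldap_passed = True
            continue
        m = RESULT_SENT.search(line)
        if m:
            attempt.result_code = int(m.group(1))
            attempt.request_id = m.group(2)
            attempt.answered_by = "ldap" if ldap_passed else "unknown"
            continue
        m = RADIUS_STOPPED.search(line)
        if m and attempt.result_code is not None:
            # RADIUS timer torn down after a result was already sent by another backend.
            attempt.radius_stopped_after_result.append(m.group(1))
    return attempt


def describe(attempt: AuthAttempt) -> str:
    """One-line verdict suitable for a troubleshooting note."""
    if attempt.mixed_backend_race:
        return ("req {}: result {} sent by LDAP ({}); RADIUS {} cancelled afterwards, "
                "MFA did not complete".format(attempt.request_id, attempt.result_code,
                                              ", ".join(attempt.ldap_servers),
                                              ", ".join(attempt.radius_stopped_after_result)))
    return "req {}: no mixed LDAP/RADIUS race detected".format(attempt.request_id)


if __name__ == "__main__":
    print(describe(analyse_fnbamd_log(SAMPLE_FNBAMD_LOG)))
```

Running it against the sample reports that request 321024298 was answered by `ldap-test` and that `radius-test` was cancelled afterwards. The same analyser run on a log where only one backend type is loaded reports no race, which is the state to aim for after the fix described below.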


It is important to avoid users who are members of groups that point to two different authentication servers.


In this case, because RADIUS MFA was required, the authenticating user should not also be a member of LDAP-group, which is configured under the same authentication rule.
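The configuration alone cannot show which users belong to both groups, but it can show where the race is possible: any authentication rule whose groups are backed by more than one server type. The following lint is an added example, not FortiOS or Fortinet code; it parses a constructed FortiOS-style configuration (the `config user ldap`, `config user radius`, `config user group` and `config vpn ssl setting` sections, with made-up server addresses) and flags the rules that mix LDAP-backed and RADIUS-backed groups, which is the precondition for the behaviour described in this article.

```python
import shlex
from typing import Dict, List, Set, Tuple

# Constructed sample configuration in FortiOS CLI syntax. Rule 1 reproduces the
# article's mixed rule; rule 2 is the corrected form with only the RADIUS group.
SAMPLE_CONFIG = """\
config user ldap
    edit "ldap-test"
        set server "192.0.2.10"
    next
end
config user radius
    edit "radius-test"
        set server "192.0.2.20"
    next
end
config user group
    edit "LDAP-group"
        set member "ldap-test"
    next
    edit "Radius-group"
        set member "radius-test"
    next
end
config vpn ssl setting
    set port 10443
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "LDAP-group" "Radius-group"
            set portal "full-access"
        next
        edit 2
            set groups "Radius-group"
            set portal "full-access"
        next
    end
end
"""


def parse_fortios(text: str) -> dict:
    """Minimal parser for FortiOS 'config/edit/set/next/end' blocks into nested dicts."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# "):           # tolerate a copied CLI prompt
            line = line[2:]
        if not line:
            continue
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[len("config "):], {}))
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            stack.append(stack[-1].setdefault(name, {}))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            key, _, rest = line[len("set "):].partition(" ")
            stack[-1][key] = shlex.split(rest)   # values keep their quoting rules
    return root


def server_types(cfg: dict) -> Dict[str, str]:
    """Map each authentication server name to its type."""
    types = {name: "ldap" for name in cfg.get("user ldap", {})}
    types.update({name: "radius" for name in cfg.get("user radius", {})})
    return types


def group_backends(cfg: dict) -> Dict[str, Set[str]]:
    """Map each user group to the set of server types its members resolve to."""
    types = server_types(cfg)
    return {group: {types.get(member, "other") for member in body.get("member", [])}
            for group, body in cfg.get("user group", {}).items()}


def find_mixed_rules(cfg: dict) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Return (rule id, {server type: [groups]}) for SSL-VPN rules spanning >1 server type."""
    backends_of = group_backends(cfg)
    findings = []
    rules = cfg.get("vpn ssl setting", {}).get("authentication-rule", {})
    for rule_id, body in rules.items():
        by_type: Dict[str, List[str]] = {}
        for group in body.get("groups", []):
            for backend in sorted(backends_of.get(group, {"unknown"})):
                by_type.setdefault(backend, []).append(group)
        if len(by_type) > 1:
            findings.append((rule_id, by_type))
    return findings


if __name__ == "__main__":
    for rule_id, by_type in find_mixed_rules(parse_fortios(SAMPLE_CONFIG)):
        print("authentication-rule {} mixes backends: {}".format(rule_id, by_type))
```

On the sample it reports only rule 1, because LDAP-group resolves to the LDAP server and Radius-group to the RADIUS server; rule 2, which carries only the RADIUS group, is left alone. Groups whose members are not found in either server section are reported as `unknown` rather than silently ignored.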