|
SSL-VPN config:
# config vpn ssl setting
set port 10443
set source-interface "wan1"
set source-address "all"
set default-portal "no-access"
config authentication-rule
edit 1
set groups "LDAP-group" "Radius-group" <----- two group being use. One is for LDAP server and other for RADIUS MFA.
set portal "full-access"
next
end
end
When the authentication is taking place for user that is part of both these group, authentication will complete via LDAP.
FortiGate sends the authentication request to all the possible groups and against possible authentication server.
The request for authentication against Radius will be sent, but since there is MFA involved, it will take longer for Radius to authenticate. With LDAP, the request will be faster hence it will go through.
Debugs:
[569] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius-test' for usergroup 'Radius-group' (4) <---- Radius request being sent.
[1083] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ldap-test' for usergroup 'LDAP-Group' (2) <-----Rrequest sent to ldap server.
[1836] fnbamd_ldap_auth_ctx_push-'ldap-test' is already in the ldap list.
[1083] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'ldap-test' for usergroup 'LDAP-group' (3)
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: : 1
[2776] fnbamd_ldap_result-Passed group matching -<----- Matches an LDAP group.
[1060] find_matched_usr_grps-Add matched group 'LDAP-group'(2)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 321024298, len=2485
Radius request was already sent, but since MFA is configured it will take time to authenticate and hence LDAP goes on to authenticate first causing MFA to fail.
[434] radius_stop-Timer of rad 'radius-test' is deleted
|
