This article describes the behavior of FortiGate when an LDAP server is added as a member of a user group: how an unauthorized user from that LDAP server can log in when the group is misconfigured, and how an LDAP user can bypass MFA. Both are shown with case scenarios.
In the scenario below, local LDAP user fortinet1 has been created and added to the SSL-VPN group. The intent is to restrict this group so that only user fortinet1 can log in.
Local LDAP User on FortiGate:
Fortigate # show user local fortinet1
# config user local
    edit "fortinet1"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB115AA0DA0B"
        set email-to "email@example.com"
        set ldap-server "Server" <----- Server is the name of the LDAP server configured on FortiGate.
    next
end
SSL-VPN Group on FortiGate:
Fortigate # show user group SSL\ VPN
# config user group
    edit "SSL VPN"
        set member "fortinet1" "Server" <----- The LDAP server itself is listed as a group member alongside the local user.
    next
end
Authentication Rule for SSL-VPN:
# config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSL VPN"
            set portal "full-access"
        next
    end
end
However, other users from the same LDAP server will also be able to log in.
When the LDAP server is added as a member of the group, every account the server can authenticate is effectively a member of that group, so FortiGate allows other users from the LDAP server, not only fortinet1.
In the output below, user fortinet2, who has no local user on FortiGate, is able to connect:
# get vpn ssl monitor
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 fortinet2 SSL VPN 10.10.20.2 22 11834/0 10.212.134.200
To resolve this issue, remove the LDAP server from the group membership. Only fortinet1 will then be able to log in:
# config user group
    edit "SSL VPN"
        set member "fortinet1" <----- "Server" removed from the member list.
    next
end
How a local LDAP user can bypass MFA when the LDAP server is configured as a member of a group:
User fortinet1 is configured with MFA. Whenever the user connects, the FortiToken code is expected on every login.
On the SSL-VPN group, the LDAP server is configured as a member of the group.
When the user connects with the username fortinet1, which exactly matches the local user created on FortiGate, the user is prompted for the token code.
When the user connects with the username 'Fortinet1', which does not match the local user created on FortiGate, no token is requested: the user bypasses MFA and is able to log in.
Note: FortiGate local usernames are case sensitive.
In this case, when FortiGate receives an authentication request from the client for user 'Fortinet1', it does not match exactly the local user configured on the firewall, so the two-factor setting of that local user is never applied.
The firewall then sends the request to the LDAP server, because the LDAP server is itself configured as a member of the group.
The LDAP server does not compare the account name case-sensitively, so it accepts the bind and the user logs in without MFA. This can be confirmed from the CLI with 'diagnose test authserver ldap Server Fortinet1 <password>', which succeeds for either spelling of the name.
To resolve this, remove 'Server' from the group's member list. Logins are then only possible through the local user fortinet1, and its FortiToken requirement can no longer be bypassed.
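The following Python model is an added illustration, not FortiOS code: it encodes only the evaluation behaviour described in the two scenarios above (exact-case matching of local users, case-insensitive matching on the LDAP directory, and an LDAP server listed directly as a group member), so that the open-group problem and the MFA bypass can be reproduced side by side with the corrected membership. The directory contents, passwords and token value are constructed sample data; the order of the two lookup steps is an assumption made to reproduce the article's observations.

```python
"""Model of the group-membership evaluation described in the article.

Added illustration, not FortiOS code. It reproduces only the behaviour the
article states: local users match case-sensitively and carry the two-factor
setting; an LDAP server listed as a group member answers for any account it
holds, matched case-insensitively, with no two-factor step.
"""
from dataclasses import dataclass

# Constructed sample directory for the LDAP server named "Server".
LDAP_DIRECTORY = {"fortinet1": "Passw0rd!", "fortinet2": "Passw0rd!"}
# Constructed stand-in for a FortiToken code (real codes are time-based).
VALID_TOKEN = "123456"


@dataclass
class LocalUser:
    name: str          # matched case-sensitively, like FortiGate local users
    ldap_server: str   # "set ldap-server"
    two_factor: bool   # "set two-factor fortitoken"


class LdapServer:
    """Directory that compares the account name case-insensitively (AD-like)."""

    def __init__(self, name: str, directory: dict):
        self.name = name
        self.directory = {k.lower(): v for k, v in directory.items()}

    def bind(self, username: str, password: str) -> bool:
        return self.directory.get(username.lower()) == password


def authenticate(group_members, username, password, token=None):
    """Return (decision, reason) for one SSL-VPN login against the group."""
    local_users = {"fortinet1": LocalUser("fortinet1", "Server", True)}
    ldap_servers = {"Server": LdapServer("Server", LDAP_DIRECTORY)}

    # Step 1 (assumed order): exact-case lookup of a local user that is a
    # member of the group; its password is still checked against LDAP.
    local = local_users.get(username)
    if local is not None and local.name in group_members:
        if not ldap_servers[local.ldap_server].bind(username, password):
            return ("deny", "LDAP bind failed for local user")
        if local.two_factor and token != VALID_TOKEN:
            return ("deny", "FortiToken code required")
        return ("allow", "local user" + (" + FortiToken" if local.two_factor else ""))

    # Step 2: no local match; any LDAP server listed as a member is tried
    # directly, and a successful bind is enough (no two-factor applies).
    for member in group_members:
        server = ldap_servers.get(member)
        if server is not None and server.bind(username, password):
            return ("allow", f"matched via server member {member}, no MFA")
    return ("deny", "no matching group member")


MISCONFIGURED = ["fortinet1", "Server"]   # set member "fortinet1" "Server"
FIXED = ["fortinet1"]                      # set member "fortinet1"

if __name__ == "__main__":
    for members in (MISCONFIGURED, FIXED):
        print(f"group members {members}")
        for user, tok in (("fortinet1", None), ("fortinet1", VALID_TOKEN),
                          ("Fortinet1", None), ("fortinet2", None)):
            result = authenticate(members, user, "Passw0rd!", tok)
            print(f"  {user:10} token={tok!s:7} -> {result}")
```

With the misconfigured membership, 'Fortinet1' and 'fortinet2' are both allowed without a token; with "Server" removed, only 'fortinet1' with a valid FortiToken code gets through, which is the outcome the article's fix is meant to produce.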