Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pdhillon
Staff
Staff

Created on ‎10-05-2022 09:03 PM Edited on ‎10-05-2022 09:04 PM By Community Manager

Article Id 225662

Technical Tip: LDAP server in group

Description

 

This article describes the behavior when an LDAP server is added as a member of a group,

how an LDAP user can bypass MFA how an unauthorized user can log in from the LDAP server when the LDAP group is misconfigured, and the behavior of FortiGate using case scenarios when an LDAP server is added as a member of the group.

 

Solution


In the below scenario, local LDAP user fortinet1 has been created and added to the SSL-VPN group.


Scenario 1:


Restrict this group so that only user fortinet1 can log in.


Local LDAP User on FortiGate:


Fortigate # show user local fortinet1
# config user local
    edit "fortinet1"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB115AA0DA0B"
        set email-to "fortinet1@test.com"
        set ldap-server "Server"
    next
end

 

Picture2.png

 


SSL-VPN Group on FortiGate:


Fortigate# show user group SSL\ VPN
# config user group
    edit "SSL VPN"
        set member "fortinet1" "Server" <----- Server is the name of the LDAP server configured on FortiGate.
    next
end

 

Picture3.png


Authentication Rule for SSL-VPN:


# config authentication-rule
    edit 1
        set groups "SSL VPN"
        set portal "full-access"
    next
end
end

 


LDAP Server:

 

Picture4.png

 

However, even the other users from the same LDAP server will be able to log in.
When the server LDAP is added, the server is configured as a member of the group.

FortiGate will allow other user users from LDAP server.
In the below output, it is possible see that user fortinet2 is able to connect.


# get vpn ssl monitor
SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 fortinet2 SSL VPN 10.10.20.2 22 11834/0 10.212.134.200


To resolve this issue, the LDAP server needs to be removed and then only fortinet1 will be able to login


set member "fortinet1" "Server" <-----

 

Picture5.png

 


Scenario 2:

How a Local LDAP user can bypass MFA when the LDAP server is configured as a member of a group.

User fortinet1 is configured with MFA. Whenever a user tries to connect, the User is expected to provide the Fortitoken code on every login activity.

 

Picture6.png

 


On the SSL-VPN group, the LDAP server is configured as a member of the group.

 

Picture7.png

 


When the user will try to connect with the username fortinet1 which is matching with the local user created on FortiGate, the user will get a prompt for the code.

 

Picture8.png


When the user will try to username ‘Fortinet1’ which does not match with the local user created on the FortiGate.

Users will bypass MFA and will be able to log in.

 

Picture9.png

 

Note FortiGate username is Case Sensitive.

In this case, when FortiGate receives an authentication request from the client for user ‘Fortinet1 ’which does not match exactly with the same local user configured on Firewall.

The firewall will send a request to the LDAP server as configured LDAP server as a member of the group.

The LDAP server is not case sensitive, and it will accept requests and users will bypass MFA.


To resolve this, it is necessary to remove ‘Server’ from the Remote Group, and then user fortinet1 will not bypass authentication.

1276
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.