FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
hgarara
Staff
Article Id 332443
Description This article describes why a RADIUS user can bypass 2FA when connecting to SSL VPN, and which user group configuration ensures that the authentication request always reaches the RADIUS server.
Scope FortiGate.
Solution

Note:

In this setup, username-case-sensitive is enabled under the RADIUS server configuration (config user radius):

 

config user radius
    edit "FNF6"
        set server "172.16.3.2"
        set secret ENC 4jC7L+ +2xWFoF4N+23984ysdfebnjkQ1tORYOmgoTnnuE
        set timeout 5
        set all-usergroup disable
        set use-management-vdom disable
        set nas-ip 0.0.0.0
        set acct-interim-interval 0
        set radius-coa disable
        set radius-port 0
        set h3c-compatibility disable
        set auth-type auto
        set source-ip ''
        set username-case-sensitive enable
        unset group-override-attr-type
        set password-renewal enable
        set password-encoding auto
        set acct-all-servers disable
        set switch-controller-acct-fast-framedip-detect 2
        set interface-select-method auto
        unset switch-controller-service-type
        set rsso disable
    next
end

 

The remote user is defined on FortiGate as the local user 'jimmy1124' of type radius, pointing at the FNF6 server:

 

config user local
    edit "jimmy1124"
        set type radius
        set radius-server "FNF6"
    next
end

 

Scenario 1:

The RADIUS user 'jimmy1124' (the local user definition of type radius) was added as a member of a user group on FortiGate, and that user group was then used in the SSL VPN settings. This is the incorrect configuration.

Test results:

#1 success, MFA prompted, connectivity OK <- if the exact username is used (jimmy1124).
#2 success, MFA bypassed, connectivity OK <- if the exact username is not used (e.g. JimMy1124).

The user bypasses MFA in test #2 because username case sensitivity is not enforced for the local user definition (config user local) that the SSL VPN group references, while it is enabled only on the RADIUS server configuration (config user radius). A login as 'JimMy1124' therefore still matches the local user entry.

In that case the user is authenticated by FortiGate itself: no MFA is prompted, yet the user is still allowed to log in.

 

Scenario 2:

The RADIUS server (FNF6) itself was added as a member of the user group on FortiGate, and that user group was then used in the SSL VPN settings.

Test results:

#1 success, MFA prompted, connectivity OK <- if the exact username is used (jimmy1124).
#2 success, MFA prompted, connectivity OK <- if the exact username is not used (e.g. JimMy1124).

Here the user was prompted for 2FA even when the username did not match the exact case, because the authentication request was forwarded to the RADIUS server (had it matched a user on FortiGate, 2FA would not have been prompted, since 2FA is not configured on FortiGate). This is the recommended configuration for RADIUS users on SSL VPN. Note that some RADIUS servers additionally need case sensitivity configured on their side for this to work as expected.
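The two user group configurations from the scenarios above, side by side, as an added example that is not part of the original article. The group name SSLVPN_RADIUS_GRP, the authentication-rule index and the portal name full-access are assumptions; the server FNF6 and the user jimmy1124 are taken from the article. Lines starting with # are comments for the reader.

```fortios
# Scenario 1 (incorrect): the local user of type radius is the group member.
# A login typed as "JimMy1124" still matches this entry on FortiGate, and the
# session can be established without the RADIUS server's MFA prompt.
config user group
    edit "SSLVPN_RADIUS_GRP"
        set member "jimmy1124"
    next
end

# Scenario 2 (correct): the RADIUS server is the group member, so every SSL VPN
# login for this group is forwarded to FNF6 regardless of how the username
# is typed, and the server's 2FA challenge is always issued.
config user group
    edit "SSLVPN_RADIUS_GRP"
        set member "FNF6"
    next
end

# Bind the group to SSL VPN (rule index 1 and portal "full-access" are assumptions).
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSLVPN_RADIUS_GRP"
            set portal "full-access"
        next
    end
end
```

To confirm which path a login takes, enable 'diagnose debug application fnbamd -1' and 'diagnose debug enable', then attempt the SSL VPN login with the mixed-case username and check that an Access-Request to FNF6 followed by the server's challenge appears in the output. 'diagnose test authserver radius FNF6 pap JimMy1124 <password>' queries the server directly, bypassing group membership, so it only shows whether FNF6 itself accepts or challenges the mixed-case name; it does not reproduce the Scenario 1 bypass.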