This article describes how to resolve the issue where FortiToken 2FA is bypassed when a user enters a username that is not an exact case match of the account configured in Active Directory.
FortiGate SSL VPN via LDAP and RADIUS authentication with two-factor authentication enabled.
In this example, the SSL VPN user 'pearlangelica' authenticates to an LDAP server and FortiToken 2FA is enabled on the user.
The exact username configured in AD is 'pearlangelica'.
When user 'pearlangelica' with FortiToken 2FA enabled enters the username in a different case, for example 'PeArlAngElica', 2FA is bypassed.
Instead of being prompted for the FortiToken code after a successful password entry, the user is connected directly to the VPN.
2FA can be bypassed for locally defined remote users by entering the username with mixed case, because the remote LDAP server applies different username matching rules than FortiGate does.
To resolve the issue, disable username-sensitivity on the user settings. By default, username-sensitivity is enabled.
Note that this setting is only available in the CLI, and only when the user has two-factor authentication enabled.
To disable username-sensitivity on the user (here 'pearlangelica', the user from the example above):
    config user local
        edit "pearlangelica"
            set type ldap
            set two-factor fortitoken
            set fortitoken "FTKMOB16B40CE9D8"
            set email-to "<email address>"
            set username-sensitivity disable
            set ldap-server "LDAP-Server-1"
        next
    end
Once username-sensitivity is disabled on the user, the user is prompted for the FortiToken code and allowed to connect to the VPN regardless of whether the username is entered in the exact case or in a different case.
This setting also applies to RADIUS users with two-factor authentication enabled.
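A quick way to check for the exposure described above is to audit the 'config user local' section for remote (LDAP or RADIUS) users that have two-factor enabled but still keep username-sensitivity at its default. The following script is an added example and is not part of the article or Fortinet's tooling; the sample configuration is constructed for this example (the second and third user entries, their server names and the placeholder token serials are assumptions), and it assumes, as the article states, that username-sensitivity is enabled whenever the setting is absent from the entry.

```python
import re

# Constructed sample of a FortiGate "config user local" section, modelled on
# the snippet in the article. Only 'pearlangelica' and its token serial come
# from the article; the other entries and serials are placeholders.
SAMPLE_CONFIG = """\
config user local
    edit "pearlangelica"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB16B40CE9D8"
        set email-to "user@example.invalid"
        set username-sensitivity disable
        set ldap-server "LDAP-Server-1"
    next
    edit "radius-user-example"
        set type radius
        set two-factor fortitoken
        set fortitoken "FTKMOB-PLACEHOLDER-1"
        set radius-server "RADIUS-Server-1"
    next
    edit "localpw-user-example"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB-PLACEHOLDER-2"
    next
end
"""


def parse_user_local(config_text):
    """Return {username: {setting: value}} for each 'edit' entry inside
    'config user local'. Only flat 'set <key> <value>' lines are parsed;
    surrounding quotes on names and values are stripped."""
    users = {}
    current = None
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user local":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'^edit\s+"?([^"]+?)"?$', line)
        if m:
            current = m.group(1)
            users[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r'^set\s+(\S+)\s+(.*)$', line)
        if m and current is not None:
            users[current][m.group(1)] = m.group(2).strip('"')
    return users


def find_case_sensitive_2fa_remote_users(config_text):
    """Flag users that (a) authenticate against a remote LDAP/RADIUS server,
    (b) have two-factor enabled, and (c) leave username-sensitivity at its
    default. Defaults assumed: two-factor 'disable', username-sensitivity
    'enable' (the latter as stated in the article)."""
    findings = []
    for name, settings in parse_user_local(config_text).items():
        remote = settings.get("type") in ("ldap", "radius")
        two_factor = settings.get("two-factor", "disable") != "disable"
        sensitivity = settings.get("username-sensitivity", "enable")
        if remote and two_factor and sensitivity == "enable":
            findings.append(name)
    return findings


if __name__ == "__main__":
    for user in find_case_sensitive_2fa_remote_users(SAMPLE_CONFIG):
        print(f"{user}: remote user with 2FA but username-sensitivity still enabled")
```

Feed the output of 'show user local' into 'find_case_sensitive_2fa_remote_users' to list the entries that still need 'set username-sensitivity disable'; in the sample only 'radius-user-example' is reported, since 'pearlangelica' already has the setting and the local-password user does not authenticate against a remote server.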
The expected results after disabling username-sensitivity are the following:
Scenario 1: The user enters a username that is not an exact case match.
With username-sensitivity disabled, the user is asked to enter the FortiToken code after successful password input:
Once the password and the FortiToken code match, the user is allowed to connect to the VPN.
Scenario 2: The user enters the exact match of the username.
As in Scenario 1, with username-sensitivity disabled, the user is prompted to enter the FortiToken code after successful password input:
Once the password and the FortiToken code match, the user is allowed to connect to the VPN.