Created on 01-17-2023 10:12 PM Edited on 12-09-2024 12:25 AM By Jean-Philippe_P
Description: This article describes how to resolve the issue where FortiToken 2FA is bypassed when a user enters a username that does not exactly match the case of the account name configured in Active Directory.
Scope: FortiGate SSL VPN via LDAP and RADIUS authentication with 2-factor authentication enabled.
Solution:
Scenario: In this example, the SSL VPN user 'pearlangelica' authenticates against an LDAP server and FortiToken 2FA is enabled for the user. The exact username configured in AD is 'pearlangelica'.
When this user enters the username with a different case, such as 'PeArlAngElica', 2FA is bypassed: instead of being prompted for the FortiToken code after a successful password entry, the user is connected directly to the VPN.
2FA can be bypassed for locally defined remote users by entering the username with mixed case, because the remote LDAP server applies different matching rules from FortiGate.
To resolve the issue, disable username-sensitivity in the user settings. By default, username-sensitivity is enabled.
Note: The 'username-sensitivity' setting is only available in the CLI and only when the user has 2-factor authentication enabled. If the user type is local, enabling or disabling username-sensitivity is not possible.
To disable username-sensitivity:
config user local
    edit "pearlangelica"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB16B40CE9D8"
        set email-to "<email address>"
        set username-sensitivity disable
        set ldap-server "LDAP-Server-1"
    next
end
Once username-sensitivity is disabled on the user, the user can connect to the VPN and is prompted for the FortiToken code regardless of whether the entered username matches the configured case exactly.
This setting also works for RADIUS users with 2-factor authentication enabled.
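The matching-rule mismatch described above, as an added illustrative model (not Fortinet code and not how FortiOS is implemented internally): the directory compares usernames case-insensitively, while the local user entry that carries the 2FA policy is looked up case-sensitively unless username-sensitivity is disabled. The directory, user table and password are constructed stand-ins.

```python
# Constructed stand-in for the AD/LDAP directory; AD account names match
# case-insensitively, which is why the password check succeeds for 'PeArlAngElica'.
LDAP_DIRECTORY = {"pearlangelica": "correct horse battery staple"}

# Constructed stand-in for the 'config user local' entry shown in the article.
LOCAL_USERS = {
    "pearlangelica": {"two_factor": "fortitoken", "fortitoken": "FTKMOB16B40CE9D8"},
}


def ldap_bind(username: str, password: str) -> bool:
    """Directory-style bind: the account name is compared case-insensitively."""
    stored = LDAP_DIRECTORY.get(username.lower())
    return stored is not None and stored == password


def lookup_local_user(username: str, username_sensitivity: bool):
    """Find the local entry that carries the 2FA policy.

    With username_sensitivity enabled (the default) the lookup is an exact,
    case-sensitive match; with it disabled the comparison folds case.
    """
    if username_sensitivity:
        return LOCAL_USERS.get(username)
    for name, entry in LOCAL_USERS.items():
        if name.lower() == username.lower():
            return entry
    return None


def authenticate(username: str, password: str, username_sensitivity: bool = True) -> str:
    """Return 'denied', 'token_required' or 'connected' for one login attempt."""
    if not ldap_bind(username, password):
        return "denied"
    entry = lookup_local_user(username, username_sensitivity)
    if entry is None or entry.get("two_factor") is None:
        # No local entry matched, so no 2FA policy is applied: this is the bypass.
        return "connected"
    return "token_required"
```

Running `authenticate("PeArlAngElica", ...)` with the default setting returns "connected" without a token prompt, while the same call with `username_sensitivity=False` returns "token_required".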
The expected results after disabling username-sensitivity are the following:
Scenario 1: The user enters a username that is not an exact case match. With username-sensitivity disabled, the user is asked to enter the FortiToken code after a successful password input.
Once the password and the FortiToken code match, the user is allowed to connect to the VPN.
Scenario 2: The user enters the exact match of the username. As in Scenario 1, with username-sensitivity disabled, the user is prompted to enter the FortiToken code after a successful password input.
Once the password and the FortiToken code match, the user is allowed to connect to the VPN.
Related articles:
Technical Tip: Local user, username case sensitivity and accent sensitivity
Technical Tip: Email Two-Factor Authentication on FortiGate
Copyright 2025 Fortinet, Inc. All Rights Reserved.