Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vrajendran
Staff
Staff

Created on ‎05-12-2016 08:27 AM Edited on ‎02-27-2025 06:28 AM By Community Manager

Article Id 195092

Technical Tip: Username case sensitivity implementation with Firewall authentication

Description

 

This article describes case sensitive username implementation in different types of authentication methods available on the FortiGate unit.

When performing Firewall Authentication (Authentication against firewall policy or captive portal), the following authentication methods are case sensitive on FortiOS:

Local User Authentication.
Remote Radius Authentication.
The following Remote Authentication types are case insensitive:

  • Remote LDAP.
  • Remote TACACS.
  • POP3.

Case insensitive usernames can be a problem especially when auth-concurrent setting is implemented in FortiOS to limit number of logins for a user (Firewall Authentication).

Example:

The auth-concurrent setting is configured to limit 1 login for a single user.
User authentications from PC1, with username 'fortinet' and authentication is successful.
Now the same (or different user) authenticates from PC2 with username 'Fortinet' and authentication will also be successful.

 

Scope

 

FortiGate.

Solution

 

The following solutions can be implemented to avoid these issues.

  1. Implement Local users.


The local user database on the FortiGate unit is case sensitive.

If the network contains a large number of Users authentication against Firewall authentication on FortiGate unit, then 2) can be implemented.

  1. User Remote Radius authentication and enable case sensitive comparison of usernames.

config user radius
    edit <name>
        set username-case-sensitive ?
        enable Enable username case-sensitive.
        disable Disable username case-sensitive.

config user radius
    edit <name>
        set username-case-sensitive enable
    end

 

The setting 'username-case-sensitive' is disabled by default, so the username comparison will be case insensitive by default.

 

When FortiAuthenticator is used as a RADIUS Server, verify the logs as below (also, make sure to follow the RADIUS configuration set out in 'Technical Tip: Radius authentication with FortiAuthenticator'.)

 

When a user logs in using 'nse8-user1':


case2.JPG

When a user logs in using 'Nse8-User1':

 

case1.JPG

 

Related article:

Technical Tip: 'policy-auth-concurrent' system global command clarified

14734
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.