FortiGate
yangw (Staff)
Article Id 257210
Description: This article describes how to troubleshoot a two-factor authentication issue using debug commands.
Scope: FortiOS 7.0
Solution:

Consider an example where the local user 'ddd', configured with a remote authentication type, has been added to the remote authentication group.

(Screenshot: local user ddd1.PNG)

The SSL VPN portal produces a token authentication challenge when this user attempts to log in:

(Screenshot: token_pop_up.PNG)

After removing the user group reference (the user is no longer a member of the group)...

(Screenshot: local user ddd1.PNG)

... the SSL VPN portal can be accessed directly with credentials, without token authentication:

(Screenshot: login_without_token.PNG)

The debug commands below provide more details about the authentication flow:

diagnose debug application fnbamd -1
diagnose debug enable

Below is an example of the debug output when the user name 'ddd' is referenced by (is a member of) the remote authentication group 'Guest-group'.

 

[1906] handle_req-Rcvd auth req 1516264661 for ddd in opt=00200400 prot=11
[466] __compose_group_list_from_req-Group 'Guest-group', type 1 <<<<<< The SSL VPN policy rule only applies the user group for authentication
[616] fnbamd_pop3_start-ddd
[378] radius_start-Didn't find radius servers (0)
[755] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1007] __fnbamd_cfg_get_ldap_list_by_group-
[2183] __match_and_update_auth_user-Found a matching user in CMDB 'ddd'  <<<<< Found the local user name 'ddd' that has been configured in the user object.

....

[2042] handle_req-Rcvd ftm2_auth_withid req 1516264661
[2051] handle_req-Push msg was already sent  <<<<<< The token authentication challenge was sent because the user name has been assigned a FortiToken with two-factor authentication.

 

Below is an example of the debug output when the user name has been removed from the remote authentication group 'Guest-group'.

 

[1906] handle_req-Rcvd auth req 1516264659 for ddd in opt=00200400 prot=11
[466] __compose_group_list_from_req-Group 'Guest-group', type 1   <<<<<< The SSL VPN policy rule only applies the user group for authentication
[616] fnbamd_pop3_start-ddd
[378] radius_start-Didn't find radius servers (0)
[755] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1007] __fnbamd_cfg_get_ldap_list_by_group-
[1065] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server '218.5' for usergroup 'Guest-group' (1) <<<<<  Remote authentication is obtained only through the user group; no local user name is found, so no two-factor authentication is applied.

 

Since two-factor authentication is configured on the local user name 'ddd', that user must be added to the user group referenced by the SSL VPN policy rule shown below. Alternatively, add the user name 'ddd' directly to the policy rule as a source user.

 

(Screenshot: sslvpn policy.PNG)
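The two fixes described above, written out as FortiOS CLI configuration. This is an added example and not configuration taken from the article; the group 'Guest-group', user 'ddd' and LDAP server name '218.5' come from the debug output, while the LDAP user type, the FortiToken serial, the policy ID and the interface names are assumptions.

```fortios
# Local user 'ddd' authenticates against the remote LDAP server and has
# two-factor authentication via FortiToken. fnbamd issues the token
# challenge only when it matches this user object, which requires the
# object to be referenced by the SSL VPN policy (directly or via a group).
config user local
    edit "ddd"
        set type ldap
        set ldap-server "218.5"
        set two-factor fortitoken
        set fortitoken "FTKMOBXXXXXXXXXX"
    next
end
# (FTKMOBXXXXXXXXXX is a placeholder serial, an assumption.)

# Before the fix: the group carries only the remote server, so a login
# for 'ddd' is resolved via LDAP alone and no token challenge is sent.
config user group
    edit "Guest-group"
        set member "218.5"
    next
end

# Fix 1: make the local user a member of the group the policy references,
# so fnbamd finds the user object and its two-factor setting.
config user group
    edit "Guest-group"
        set member "218.5" "ddd"
    next
end

# Fix 2 (alternative): reference the user directly in the SSL VPN policy
# in addition to the group. Policy ID and interfaces are assumptions.
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Guest-group"
        set users "ddd"
    next
end
```

After applying either fix, rerun the fnbamd debug and confirm that the 'Found a matching user in CMDB' and 'Push msg was already sent' lines appear for the login.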