Description

This article describes why MFA is bypassed when username case sensitivity is set to 'enabled' under the LDAP user settings.

Scope

FortiGate.
Solution |
The Token field is not displayed. The user is created against the LDAP remote server with the option username-sensitivity set to enable and an MFA FortiToken assigned. This setting ensures that only a username matching the defined name exactly (e.g. john) is allowed to connect with MFA. Attempts with other spellings such as John or JOHN do not match the defined user and are therefore denied access.

    config user local
        edit "john"
            set status enable
            set type ldap
            set two-factor fortitoken
            set fortitoken "*****"
            set email-to "******"
            set sms-server fortiguard
            set sms-phone ''
            set authtimeout 0
            set auth-concurrent-override disable
            set username-sensitivity enable
            set ldap-server "ABC-LDAP"
            set workstation ''
        next
    end
For this to work properly, the user group must contain the user definition only, rather than the LDAP remote group.

If the user group is configured with a combination of the LDAP remote server and a user definition, the username-sensitivity setting defined under the user definition can be bypassed.

This happens because the username-sensitivity setting belongs to the user definition and is not a global setting on the LDAP server. If the group contains both the user definition and the remote server, a login that fails the case-sensitive match against the user definition can still be matched directly against the LDAP server, where the MFA settings configured at the user level do not apply.
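The two group configurations described above, written out as an added CLI example (not taken from the original article); the group name "MFA-Users" is assumed, and the user and server names are the ones used in the user definition above.

```text
# Group that honours the per-user username-sensitivity setting.
# Its only member is the local user definition "john", so a login
# as "John" or "JOHN" matches nothing in the group and is denied.
config user group
    edit "MFA-Users"
        set member "john"
    next
end

# Group that can bypass it. The LDAP server "ABC-LDAP" is also a
# member, so a login as "John" that fails the case-sensitive match
# against the local definition can still be matched directly against
# the LDAP server, which carries no FortiToken requirement.
config user group
    edit "MFA-Users"
        set member "john" "ABC-LDAP"
    next
end
```

To audit an existing unit, `show user group` lists each group's members; any MFA-protected group whose member list contains both a local user definition and the LDAP server name is exposed to this bypass and should be reduced to the user definition alone.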
Related articles: