FortiGate
tbarua (Staff)
Article Id 394707
Description

This article describes how to resolve the issue where FortiToken two-factor authentication is bypassed for an SSL VPN user authenticated via LDAP because the local user object is not referenced correctly (neither by a user group used in the VPN policy nor by the policy itself).

 

Scope

FortiGate, SSL VPN.

 

Solution

Two-factor authentication can be bypassed for several reasons. When configuring two-factor authentication for a user, take CVE-2020-12812 into account (Technical Tip: Description of CVE-2020-12812 (bypassing two-factor authentication for LDAP users) an...): on affected FortiOS versions an SSL VPN user could log in without being prompted for the FortiToken by entering the username in a different letter case.

 

Two-factor authentication may still be bypassed if the user is not referenced correctly, either in the policy or in a user group.

 

In this example, the SSL VPN user 'fortinet' authenticates against an LDAP server and FortiToken two-factor authentication is enabled on the local user object. The expected behaviour is that the user is prompted for a two-factor authentication code during the VPN login.

[Image: KB.user.png]

 

Via CLI:

config user local
    edit "fortinet"
        set type ldap
        set ldap-server "LDAP"
        set two-factor fortitoken
        set fortitoken "FTKxxxxxxxxxxxxxxxxxx"
        set username-sensitivity {enable | disable}
    next
end

'username-sensitivity' controls whether the username entered at login must match the configured name exactly in case and accents (see the related article on username sensitivity); it is the setting related to the CVE-2020-12812 case-mismatch bypass.

 

But when user 'fortinet', with FortiToken enabled, logs in with that username, two-factor authentication is bypassed.

[Image: kb1.png]

Instead of being prompted for a token code, the user is connected to the SSL VPN directly after entering the correct password.

[Image: kb2.png]

Debug logs show that two-factor authentication is not required: 

 

2025-06-03 01:46:54 [627] fnbam_user_auth_group_match-req id: 13632413200388, server: LDAP, local auth: 0, dn match: 1
2025-06-03 01:46:54 [581] __group_match-Check if LDAP is a group member
2025-06-03 01:46:54 [587] __group_match-Group 'LDAP group' passed group matching
2025-06-03 01:46:54 [590] __group_match-Add matched group 'LDAP group'(4)
2025-06-03 01:46:54 [2561] fnbamd_ldap_result-Passed group matching

 

2025-06-03 01:46:54 [909] update_auth_token_session-config does not require 2fa
2025-06-03 01:46:54 [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 13632413200388, len=2739
2025-06-03 01:46:54 [3174:root:48]fam_auth_proc_resp:1365 fnbam_auth_update_result return: 0 (success)
2025-06-03 01:46:54 [3174:root:48][fam_auth_proc_resp:1505] Authenticated groups (1) by FNBAM with auth_type (16):

 

Two-factor authentication is bypassed because the reference count ('Ref.') of the local user object 'fortinet' is 0: the user is not a member of any user group and is not referenced by any policy. The SSL VPN policy references the LDAP group directly, so the login is validated by the LDAP group match alone and the local user object, which is where the FortiToken setting lives, is never consulted.

[Image: kb4.png]

To ensure that two-factor authentication takes place, either add the user to the LDAP user group that is referenced as the source group in the VPN policy, or reference the user directly in the policy.

 

  • Option 1: add the user to the group.

Under User Definition -> fortinet (user name) -> User group, enable the toggle and select the required group (here 'LDAP group', the group referenced by the VPN policy).

[Image: KB.add.png]

  • Option 2: reference the user directly in the VPN policy.

Add the user 'fortinet' as a source user in the firewall policy for the SSL VPN interface:

[Image: policy1.png]

Note: Option 2 may not scale in a large environment, since every user must be added to the policy separately; Option 1 is the preferred fix.
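The check behind both options can be automated against a configuration dump. The following Python script is an added example, not Fortinet code: it parses the 'config user local', 'config user group' and 'config firewall policy' sections of a FortiOS 'show' output and reports every local user with two-factor enabled that is neither a member of a user group referenced by a policy nor referenced by a policy directly, i.e. a user whose reference count would be 0. The configuration it runs on is constructed for the example (user 'fortinet' unreferenced, a hypothetical second user 'alice' added to the group); the parser assumes the standard config/edit/set/next/end layout and only counts user groups and firewall policies as references, not SSL VPN authentication-rules.

```python
# Added example (not Fortinet code): find local users whose FortiToken 2FA
# setting can never apply because nothing references the user object.
import shlex

# Constructed sample of FortiOS 'show' output. Names follow the article:
# user 'fortinet' (unreferenced), server 'LDAP', group 'LDAP group'.
# 'alice' is a hypothetical second user who has been added to the group.
SAMPLE_CONFIG = """\
config user local
    edit "fortinet"
        set type ldap
        set ldap-server "LDAP"
        set two-factor fortitoken
        set fortitoken "FTKxxxxxxxxxxxxxxxxxx"
    next
    edit "alice"
        set type ldap
        set ldap-server "LDAP"
        set two-factor fortitoken
        set fortitoken "FTKyyyyyyyyyyyyyyyyyy"
    next
end
config user group
    edit "LDAP group"
        set member "LDAP" "alice"
    next
end
config firewall policy
    edit 1
        set name "sslvpn-in"
        set srcintf "ssl.root"
        set dstintf "port2"
        set groups "LDAP group"
        set action accept
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    Result: {section: {entry: {attribute: [values]}}}. A 'config' nested
    inside an 'edit' is stored under that entry as a dict keyed '__<name>'.
    """
    tree = {}
    stack = []                      # frames: [section_dict, current_entry_or_None]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            name = " ".join(args)
            if stack and stack[-1][1] is not None:   # nested table inside an entry
                section = stack[-1][1].setdefault("__" + name, {})
            else:
                section = tree.setdefault(name, {})
            stack.append([section, None])
        elif kw == "edit":
            stack[-1][1] = stack[-1][0].setdefault(args[0], {})
        elif kw == "set":
            target = stack[-1][1] if stack[-1][1] is not None else stack[-1][0]
            target[args[0]] = args[1:]
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return tree


def user_references(tree, user):
    """Return (policies naming the user directly, groups containing the user,
    groups containing the user that some policy references)."""
    groups = tree.get("user group", {})
    policies = tree.get("firewall policy", {})
    direct = [pid for pid, p in policies.items() if user in p.get("users", [])]
    member_of = [g for g, attrs in groups.items() if user in attrs.get("member", [])]
    via_group = [g for g in member_of
                 if any(g in p.get("groups", []) for p in policies.values())]
    return direct, member_of, via_group


def unreferenced_2fa_users(tree):
    """Users with two-factor enabled that no policy reaches, directly or via a group.

    ref_count approximates the GUI 'Ref.' column (assumption: only user groups
    and firewall policies are counted here).
    """
    findings = {}
    for user, attrs in tree.get("user local", {}).items():
        if attrs.get("two-factor", ["disable"])[0] == "disable":
            continue
        direct, member_of, via_group = user_references(tree, user)
        if not direct and not via_group:
            findings[user] = {
                "two-factor": attrs["two-factor"][0],
                "ref_count": len(direct) + len(member_of),
                "groups": member_of,
            }
    return findings


if __name__ == "__main__":
    for user, info in unreferenced_2fa_users(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{user}: two-factor={info['two-factor']} but ref_count={info['ref_count']} "
              f"(groups: {info['groups'] or 'none'}) -> token prompt will be skipped")
```

Running it on the sample flags 'fortinet' only; 'alice' is reachable through 'LDAP group', which policy 1 references, so her FortiToken setting is enforced. Feed it the output of 'show user local', 'show user group' and 'show firewall policy' concatenated to audit a real unit.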

After implementing one of these options, the token prompt appears as expected:

[Image: KB_token.png]

 

The debug logs also show 'Token is needed':

 

2025-06-03 01:47:58 [2561] fnbamd_ldap_result-Passed group matching
2025-06-03 01:47:58 [913] update_auth_token_session-Token is needed
2025-06-03 01:47:58 [775] auth_token_push-
2025-06-03 01:47:58 [239] fnbamd_comm_send_result-Sending result 7 (nid 0) for req 13632413200389, len=2739
2025-06-03 01:47:58 [3174:root:63]fam_auth_proc_resp:1365 fnbam_auth_update_result return: 7 (token code required)

 

After entering the token code, the user is authenticated successfully:

 

2025-06-03 01:48:08 [3174:root:65]fam_auth_proc_resp:1365 fnbam_auth_update_result return: 0 (success)
2025-06-03 01:48:08 [3174:root:65][fam_auth_proc_resp:1505] Authenticated groups (1) by FNBAM with auth_type (16):
2025-06-03 01:48:08 [3174:root:65]Received: auth_rsp_data.grp_list[0] = 4
2025-06-03 01:48:08 [3174:root:65]fam_auth_proc_resp:1530 found node LDAP group:0:, valid:1, auth:0
2025-06-03 01:48:08 [3174:root:65]Validated: auth_rsp_data.grp_list[0] = LDAP group
2025-06-03 01:48:08 [3174:root:65]Auth successful for user fortinet in group LDAP group
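The two fnbamd captures above differ only in the 'update_auth_token_session' line and the result code that follows it. The following Python script is an added example, not Fortinet code: it groups fnbamd debug lines by request id and reports, per authentication request, whether the token prompt was enforced or skipped, so a capture from a busy unit can be audited without reading it line by line. The log sample inside it is constructed from the lines shown on this page; the 'req id:' line for the second request is assumed, since the page shows only its result line. The result-code names (0 success, 7 token code required) are taken from the sslvpn debug output above.

```python
# Added example (not Fortinet code): classify fnbamd debug output per
# authentication request as 2FA-enforced or 2FA-bypassed.
import re

# Constructed sample built from the fnbamd lines shown on this page. The
# 'req id:' line for the second request is assumed (the page only shows
# its result line).
SAMPLE_LOG = """\
2025-06-03 01:46:54 [627] fnbam_user_auth_group_match-req id: 13632413200388, server: LDAP, local auth: 0, dn match: 1
2025-06-03 01:46:54 [587] __group_match-Group 'LDAP group' passed group matching
2025-06-03 01:46:54 [2561] fnbamd_ldap_result-Passed group matching
2025-06-03 01:46:54 [909] update_auth_token_session-config does not require 2fa
2025-06-03 01:46:54 [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 13632413200388, len=2739
2025-06-03 01:47:58 [627] fnbam_user_auth_group_match-req id: 13632413200389, server: LDAP, local auth: 0, dn match: 1
2025-06-03 01:47:58 [2561] fnbamd_ldap_result-Passed group matching
2025-06-03 01:47:58 [913] update_auth_token_session-Token is needed
2025-06-03 01:47:58 [775] auth_token_push-
2025-06-03 01:47:58 [239] fnbamd_comm_send_result-Sending result 7 (nid 0) for req 13632413200389, len=2739
"""

REQ_START = re.compile(r"req id: (\d+)")
REQ_RESULT = re.compile(r"Sending result (\d+) \(nid \d+\) for req (\d+)")

# Result codes as the sslvpn debug on this page names them.
RESULT_NAMES = {0: "success", 7: "token code required"}

BYPASSED = "2FA BYPASSED (success without token prompt)"
ENFORCED = "2FA enforced (token code required)"


def parse_fnbamd(log_text):
    """Group fnbamd lines by request id and record the 2FA decision lines.

    Lines between a 'req id:' line and the matching 'Sending result' line are
    attributed to that request; fnbamd does not repeat the id on them.
    """
    requests = {}
    current = None
    for line in log_text.splitlines():
        m = REQ_START.search(line)
        if m:
            current = m.group(1)
            requests.setdefault(current, {"no_2fa": False, "token": False, "result": None})
            continue
        m = REQ_RESULT.search(line)
        if m:
            code, rid = int(m.group(1)), m.group(2)
            requests.setdefault(rid, {"no_2fa": False, "token": False, "result": None})
            requests[rid]["result"] = code
            current = None
            continue
        if current is None:
            continue                # line not attributable to any request
        rec = requests[current]
        if "config does not require 2fa" in line:
            rec["no_2fa"] = True
        elif "Token is needed" in line:
            rec["token"] = True
    return requests


def verdicts(log_text):
    """Map each request id to a human-readable 2FA verdict."""
    out = {}
    for rid, rec in parse_fnbamd(log_text).items():
        if rec["token"] or rec["result"] == 7:
            out[rid] = ENFORCED
        elif rec["no_2fa"] and rec["result"] == 0:
            # Password accepted and fnbamd decided no second factor applies:
            # this is the bypass the article describes.
            out[rid] = BYPASSED
        elif rec["result"] is not None:
            out[rid] = RESULT_NAMES.get(rec["result"], f"result {rec['result']}")
        else:
            out[rid] = "incomplete"
    return out


if __name__ == "__main__":
    for rid, verdict in verdicts(SAMPLE_LOG).items():
        print(f"req {rid}: {verdict}")
```

A success (result 0) on its own is not a bypass: the request that carries the entered token code also ends in result 0. The script only reports a bypass when fnbamd explicitly logged 'config does not require 2fa' for a user whose login then succeeded, which is the signature to search for in captures from 'diagnose debug app fnbamd -1'.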

 

The following commands were used to collect the debug logs:

diagnose debug console timestamp enable
diagnose debug app sslvpn -1
diagnose debug app fnbamd -1
diagnose debug en

Turn debugging off again once the capture is done ('diagnose debug disable' followed by 'diagnose debug reset'), since the '-1' level logs every authentication on the unit.

 

Related articles:

Technical Note: Configuring Remote LDAP users with Two-Factor Authentication
Technical Tip: SSL VPN two factor authentication (2FA) is bypassed when user enters username that is...

Technical Tip: Local user, username case sensitivity and accent sensitivity