Fortinet Forum
random_guy
New Contributor III

Duo on admin login

I'm setting up Duo MFA for admin logins. It does the LDAP query, sends me the push buuuut then just proceeds with the login. Doesn't matter if I ignore the prompt or hit accept/decline, it just sends me right in. Would this be a Duo or Forti issue?

 

Device: 60e

Firmware: 6.4.3

config user radius
    edit "Duo"
        set server "192.168.0.111"
        set secret ENC <secret>
        set auth-type pap
        set source-ip "192.168.222.1"
        set password-renewal disable
    next
end

config user group
    edit "Firewall - Admins"
        set member "LDAP" "Duo"
        config match
            edit 1
                set server-name "LDAP"
                set group-name "CN=Fortigate - Admins,OU= etc....."
            next
        end
    next
end

random_guy
New Contributor III

And resolved by removing the below from the user group...

set group-name "CN=Fortigate - Admins,OU= etc....."

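The fix above (dropping the group-name match so the group no longer has a match rule that names one member but not the other) suggests a simple audit check for FortiOS config exports: report every user group whose "config match" rules cover only a subset of its members. This is an added example, not code from the thread or from Fortinet; the sample config is constructed from the posted group with a made-up OU, and the parser only handles the config/edit/set/next/end structure shown here.

```python
import re

# Constructed sample modelled on the group posted in the thread; the OU in the
# DN is made up. A second sample with the match rule removed is built below.
SAMPLE_CONFIG = """
config user group
    edit "Firewall - Admins"
        set member "LDAP" "Duo"
        config match
            edit 1
                set server-name "LDAP"
                set group-name "CN=Fortigate - Admins,OU=example"
            next
        end
    next
end
"""
# The poster's fix: the same group with the whole 'config match' block removed.
FIXED_CONFIG = re.sub(r"config match.*?\n\s*end\n", "", SAMPLE_CONFIG, flags=re.S)

def parse(text):
    """Nest 'config'/'edit' blocks as dicts; 'set k v...' lands in node['set']."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            name = line.split(" ", 1)[1].strip('"')
            stack.append((stack[-1] if stack else root).setdefault(name, {}))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line[4:])]
            stack[-1].setdefault("set", {})[tok[0]] = tok[1:]
    return root

def members_without_match(cfg):
    """Per group: members not named by any 'config match' rule, when rules exist.
    In the thread the only rule named "LDAP", leaving the "Duo" member out."""
    findings = {}
    for name, grp in cfg.get("user group", {}).items():
        members = set(grp.get("set", {}).get("member", []))
        matched = {r["set"]["server-name"][0] for r in grp.get("match", {}).values()
                   if "server-name" in r.get("set", {})}
        if matched and members - matched:
            findings[name] = sorted(members - matched)
    return findings
```

Running `members_without_match(parse(SAMPLE_CONFIG))` reports the "Duo" member of "Firewall - Admins"; on FIXED_CONFIG it reports nothing.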

ede_pfau
Esteemed Contributor III

So effectively you authenticate against the whole LDAP tree instead of just a subtree. I wonder if you already specified a restricted subtree in the definition of your "LDAP" server object. If the server def and the group def here do not overlap, you will never get an authentication.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
random_guy
New Contributor III

Yes, in LDAP it is restricted to the group and in Duo Auth Proxy it is restricted