Fortinet Forum
zoriax
Contributor

FortiAuthenticator SSL VPN - LDAP - 2FA and Password Change

Hi!

 

I have a strange behaviour with FortiAuthenticator and SSL VPN on FortiGate.

 

  • FortiAuthenticator is configured to sync LDAP user accounts
  • FortiAuthenticator is configured to act as a RADIUS server for remote users
    • On the RADIUS policy, I checked "Use Windows AD Domain Authentication"
  • FortiGate SSL VPN is correctly configured with RADIUS

Without 2FA enabled on the FortiAuthenticator account:

  • On the SSL VPN web interface I can connect
  • If I reset the password in my Active Directory (force change), on the SSL VPN interface I can set a new password
  • [screenshot]

 

With 2FA enabled on the FortiAuthenticator account:

  • On the SSL VPN web interface I can connect with a token
  • If I reset the password in my Active Directory (force change), on the SSL VPN interface when I enter the token I'm not redirected to the change-password page but I get an error
  • [screenshot]


On Authentication > User Account Policies I have:

[screenshot]

If I disable "Request password reset after OTP verification", the behaviour is a bit different:

  • I can change the password, then I receive the token, but after entering the token I get the same error as above: [screenshot]
  • And I need to log in again with my new password

 

What is the correct workflow and options to allow token and password change with LDAP?


Many thanks

 

 

1 Solution
zoriax
Contributor

OK, after a bit of searching I solved the problem.


To work with 2FA and reset, you need to enable MS-CHAP-V2 in the FortiGate RADIUS server configuration.


zoriax
Contributor

I tried with a local user and the behaviour is the same :( ! It seems I missed something in the configuration :)

Debbie_FTNT

Hey zoriax,

did you enable the setting to allow password change in the FortiGate CLI?

config user radius
    edit "<radius-server-name>"
        set password-renewal enable
    next
end

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
zoriax
Contributor

Yes, and as I said in my post, it works! The only problem is when 2FA is enabled.

Debbie_FTNT

Oh, my apologies, I overlooked that bit - please ignore the above post then.
In that case, I would dive into the RADIUS authentication debug log on FortiAuthenticator (https://<FortiAuthenticator>/debug, then select 'Radius Authentication' in the drop-down) to see what it is doing, and what it is sending to FortiGate and when. It could also be that FortiGate is not handling the two challenges (token code, change password) well; I believe that depends a bit on the FortiGate firmware version.

zoriax
Contributor

Hi Debbie, no problem :)

I run FortiOS 7.0.5 and FortiAuth 6.4.3.

In the debug I have:

2022-04-08T14:14:37.428877+02:00 AUTH radiusd[8170]: Waking up in 0.6 seconds.
2022-04-08T14:14:37.428886+02:00 AUTH radiusd[8170]: Thread 3 got semaphore
2022-04-08T14:14:37.428906+02:00 AUTH radiusd[8170]: Thread 3 handling request 10, (3 handled so far)
2022-04-08T14:14:37.428954+02:00 AUTH radiusd[8170]: (10) Received Access-Request Id 169 from 192.168.1.1:18010 to 192.168.1.10:1812 length 123
2022-04-08T14:14:37.428970+02:00 AUTH radiusd[8170]: (10)   NAS-Identifier = "FORTI"
2022-04-08T14:14:37.428973+02:00 AUTH radiusd[8170]: (10)   User-Name = "test"
2022-04-08T14:14:37.428976+02:00 AUTH radiusd[8170]: (10)   User-Password: ****** 
2022-04-08T14:14:37.428983+02:00 AUTH radiusd[8170]: (10)   Framed-IP-Address = 1.2.3.1
2022-04-08T14:14:37.428993+02:00 AUTH radiusd[8170]: (10)   NAS-Port = 1
2022-04-08T14:14:37.429003+02:00 AUTH radiusd[8170]: (10)   NAS-Port-Type = Virtual
2022-04-08T14:14:37.429008+02:00 AUTH radiusd[8170]: (10)   Calling-Station-Id = "1.2.3.1"
2022-04-08T14:14:37.429012+02:00 AUTH radiusd[8170]: (10)   Acct-Session-Id = "2baecc24"
2022-04-08T14:14:37.429015+02:00 AUTH radiusd[8170]: (10)   Connect-Info = "vpn-ssl"
2022-04-08T14:14:37.429018+02:00 AUTH radiusd[8170]: (10)   Fortinet-Vdom-Name = "root"
2022-04-08T14:14:37.429034+02:00 AUTH radiusd[8170]: (10) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:37.429041+02:00 AUTH radiusd[8170]: (10)   authorize {
2022-04-08T14:14:37.429061+02:00 AUTH radiusd[8170]: (10)     [preprocess] = ok
2022-04-08T14:14:37.429071+02:00 AUTH radiusd[8170]: (10)     [chap] = noop
2022-04-08T14:14:37.429081+02:00 AUTH radiusd[8170]: (10)     [mschap] = noop
2022-04-08T14:14:37.429089+02:00 AUTH radiusd[8170]: (10) eap: No EAP-Message, not doing EAP
2022-04-08T14:14:37.429092+02:00 AUTH radiusd[8170]: (10)     [eap] = noop
2022-04-08T14:14:37.429099+02:00 AUTH radiusd[8170]: (10)     [expiration] = noop
2022-04-08T14:14:37.429105+02:00 AUTH radiusd[8170]: (10)     [logintime] = noop
2022-04-08T14:14:37.429116+02:00 AUTH radiusd[8170]: (10) facauth: facauth: recv Access-Request from 192.168.1.1 port 18010, id=169, length=123 
2022-04-08T14:14:37.429120+02:00 AUTH radiusd[8170]:         NAS-Identifier = "FORTI" 
2022-04-08T14:14:37.429161+02:00 AUTH radiusd[8170]:         User-Name = "test" 
2022-04-08T14:14:37.429166+02:00 AUTH radiusd[8170]:         User-Password: ****** 
2022-04-08T14:14:37.429169+02:00 AUTH radiusd[8170]:         Framed-IP-Address = 1.2.3.1 
2022-04-08T14:14:37.429172+02:00 AUTH radiusd[8170]:         NAS-Port = 1 
2022-04-08T14:14:37.429175+02:00 AUTH radiusd[8170]:         NAS-Port-Type = Virtual 
2022-04-08T14:14:37.429191+02:00 AUTH radiusd[8170]:         Calling-Station-Id = "1.2.3.1" 
2022-04-08T14:14:37.429197+02:00 AUTH radiusd[8170]:         Acct-Session-Id = "2baecc24" 
2022-04-08T14:14:37.429240+02:00 AUTH radiusd[8170]:         Connect-Info = "vpn-ssl" 
2022-04-08T14:14:37.429243+02:00 AUTH radiusd[8170]:         Fortinet-Vdom-Name = "root" 
2022-04-08T14:14:37.429249+02:00 AUTH radiusd[8170]:         Event-Timestamp = "Apr  8 2022 14:14:37 CEST" 
2022-04-08T14:14:37.429251+02:00 AUTH radiusd[8170]:         NAS-IP-Address = 192.168.1.1 
2022-04-08T14:14:37.429255+02:00 AUTH radiusd[8170]: (10) facauth: ===>NAS IP:192.168.1.1 
2022-04-08T14:14:37.429261+02:00 AUTH radiusd[8170]: (10) facauth: ===>Username:test 
2022-04-08T14:14:37.429267+02:00 AUTH radiusd[8170]: (10) facauth: ===>Timestamp:1649420077.428678, age:0ms 
2022-04-08T14:14:37.429768+02:00 AUTH radiusd[8170]: (10) facauth: Comparing client IP 192.168.1.1 with authclient FORTI (192.168.1.1, 1 IPs) 
2022-04-08T14:14:37.429771+02:00 AUTH radiusd[8170]: (10) facauth: ------> matched! 
2022-04-08T14:14:37.429774+02:00 AUTH radiusd[8170]: (10) facauth: Found authclient from preloaded authclients list for 192.168.1.1: FORTI (192.168.1.1) 
2022-04-08T14:14:37.429778+02:00 AUTH radiusd[8170]: (10) facauth: authclient_id:1 auth_type:'password' 
2022-04-08T14:14:37.430525+02:00 AUTH radiusd[8170]: (10) facauth: Found authpolicy 'AUTH_LOGIN' for client '192.168.1.1' 
2022-04-08T14:14:37.430539+02:00 AUTH radiusd[8170]: (10) facauth: Setting 'Auth-Type := FACAUTH'
2022-04-08T14:14:37.430553+02:00 AUTH radiusd[8170]: (10)     [facauth] = updated
2022-04-08T14:14:37.430563+02:00 AUTH radiusd[8170]: Not doing PAP as Auth-Type is already set.
2022-04-08T14:14:37.430566+02:00 AUTH radiusd[8170]: (10)     [pap] = noop
2022-04-08T14:14:37.430570+02:00 AUTH radiusd[8170]: (10)   } # authorize = updated
2022-04-08T14:14:37.430579+02:00 AUTH radiusd[8170]: (10) Found Auth-Type = facauth
2022-04-08T14:14:37.430584+02:00 AUTH radiusd[8170]: (10) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:37.430587+02:00 AUTH radiusd[8170]: (10)   Auth-Type FACAUTH {
2022-04-08T14:14:37.430605+02:00 AUTH radiusd[8170]: (10) facauth: Client type: external (subtype: radius) 
2022-04-08T14:14:37.430608+02:00 AUTH radiusd[8170]: (10) facauth: Input raw_username: (null) Realm: (null) username: test 
2022-04-08T14:14:37.430645+02:00 AUTH radiusd[8170]: (10) facauth: Searching default realm as well
2022-04-08T14:14:37.430653+02:00 AUTH radiusd[8170]: (10) facauth: Realm not specified, default goes to FAC local user 
2022-04-08T14:14:37.431536+02:00 AUTH radiusd[8170]: (10) facauth: Local user found: test 
2022-04-08T14:14:37.431542+02:00 AUTH radiusd[8170]: (10) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0] 
2022-04-08T14:14:37.431546+02:00 AUTH radiusd[8170]: (10) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject] 
2022-04-08T14:14:37.431550+02:00 AUTH radiusd[8170]: (10) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: email] 
2022-04-08T14:14:37.431554+02:00 AUTH radiusd[8170]: (10) facauth: WARNING: Warning: user 'test' was partially authed before, remove it from old cache. 
2022-04-08T14:14:37.431750+02:00 AUTH radiusd[8170]: (10) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1 
2022-04-08T14:14:37.431755+02:00 AUTH radiusd[8170]: (10) facauth: just continue doing authentication 
2022-04-08T14:14:37.431760+02:00 AUTH radiusd[8170]: (10) facauth: Partial auth done, challenge for token code 
2022-04-08T14:14:37.431907+02:00 AUTH radiusd[8170]: Try to load smtp server, id: 2 
2022-04-08T14:14:37.432168+02:00 AUTH radiusd[8170]: (10) facauth: Sent email token code (timeout 120) to sylvain.aubort@ciad.ch 
2022-04-08T14:14:37.432175+02:00 AUTH radiusd[8170]: Load radius challenge msg from template: Please enter your token code
2022-04-08T14:14:37.432189+02:00 AUTH radiusd[8170]: (10) facauth: Sending Access-Challenge.
2022-04-08T14:14:37.432516+02:00 AUTH radiusd[8170]: (10) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1 
2022-04-08T14:14:37.432520+02:00 AUTH radiusd[8170]: (10) facauth: Auth code: 20300 
2022-04-08T14:14:37.432548+02:00 AUTH radiusd[8170]: (10) facauth: Updated auth log 'test': Local user authentication partially done, expecting email token 
2022-04-08T14:14:37.432552+02:00 AUTH radiusd[8170]: (10) facauth: facauth: print reply attributes of request id 169: 
2022-04-08T14:14:37.432557+02:00 AUTH radiusd[8170]:         Reply-Message = "-Please enter your token code" 
2022-04-08T14:14:37.432560+02:00 AUTH radiusd[8170]:         Fortinet-FAC-Challenge-Code = "001" 
2022-04-08T14:14:37.432565+02:00 AUTH radiusd[8170]:         State = 0x31 
2022-04-08T14:14:37.432568+02:00 AUTH radiusd[8170]: (10)     [facauth] = handled
2022-04-08T14:14:37.432571+02:00 AUTH radiusd[8170]: (10)   } # Auth-Type FACAUTH = handled
2022-04-08T14:14:37.432587+02:00 AUTH radiusd[8170]: (10) Using Post-Auth-Type Challenge
2022-04-08T14:14:37.433129+02:00 AUTH radiusd[8170]: (10) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:37.433143+02:00 AUTH radiusd[8170]: (10)   Challenge { ... } # empty sub-section is ignored
2022-04-08T14:14:37.433151+02:00 AUTH radiusd[8170]: (10) Sent Access-Challenge Id 169 from 192.168.1.10:1812 to 192.168.1.1:18010 length 0
2022-04-08T14:14:37.433157+02:00 AUTH radiusd[8170]: (10)   Reply-Message = "-Please enter your token code"
2022-04-08T14:14:37.433162+02:00 AUTH radiusd[8170]: (10)   Fortinet-FAC-Challenge-Code = "001"
2022-04-08T14:14:37.433165+02:00 AUTH radiusd[8170]: (10)   State = 0x31
2022-04-08T14:14:37.433203+02:00 AUTH radiusd[8170]: (10) Finished request
2022-04-08T14:14:37.433206+02:00 AUTH radiusd[8170]: Thread 3 waiting to be assigned a request
2022-04-08T14:14:38.099701+02:00 AUTH radiusd[8170]: Waking up in 29.3 seconds.
2022-04-08T14:14:49.226626+02:00 AUTH radiusd[8170]: Waking up in 0.6 seconds.
2022-04-08T14:14:49.226712+02:00 AUTH radiusd[8170]: Thread 1 got semaphore
2022-04-08T14:14:49.226727+02:00 AUTH radiusd[8170]: Thread 1 handling request 11, (3 handled so far)
2022-04-08T14:14:49.226754+02:00 AUTH radiusd[8170]: (11) Received Access-Request Id 170 from 192.168.1.1:17837 to 192.168.1.10:1812 length 126
2022-04-08T14:14:49.226760+02:00 AUTH radiusd[8170]: (11)   NAS-Identifier = "FORTI"
2022-04-08T14:14:49.226763+02:00 AUTH radiusd[8170]: (11)   State = 0x31
2022-04-08T14:14:49.226767+02:00 AUTH radiusd[8170]: (11)   User-Name = "test"
2022-04-08T14:14:49.226770+02:00 AUTH radiusd[8170]: (11)   User-Password: ****** 
2022-04-08T14:14:49.226776+02:00 AUTH radiusd[8170]: (11)   Framed-IP-Address = 1.2.3.1
2022-04-08T14:14:49.226781+02:00 AUTH radiusd[8170]: (11)   NAS-Port = 1
2022-04-08T14:14:49.226785+02:00 AUTH radiusd[8170]: (11)   NAS-Port-Type = Virtual
2022-04-08T14:14:49.226788+02:00 AUTH radiusd[8170]: (11)   Calling-Station-Id = "1.2.3.1"
2022-04-08T14:14:49.226838+02:00 AUTH radiusd[8170]: (11)   Acct-Session-Id = "2baecc24"
2022-04-08T14:14:49.226842+02:00 AUTH radiusd[8170]: (11)   Connect-Info = "vpn-ssl"
2022-04-08T14:14:49.226845+02:00 AUTH radiusd[8170]: (11)   Fortinet-Vdom-Name = "root"
2022-04-08T14:14:49.226850+02:00 AUTH radiusd[8170]: (11) session-state: No cached attributes
2022-04-08T14:14:49.226855+02:00 AUTH radiusd[8170]: (11) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:49.226859+02:00 AUTH radiusd[8170]: (11)   authorize {
2022-04-08T14:14:49.226873+02:00 AUTH radiusd[8170]: (11)     [preprocess] = ok
2022-04-08T14:14:49.226878+02:00 AUTH radiusd[8170]: (11)     [chap] = noop
2022-04-08T14:14:49.226882+02:00 AUTH radiusd[8170]: (11)     [mschap] = noop
2022-04-08T14:14:49.226887+02:00 AUTH radiusd[8170]: (11) eap: No EAP-Message, not doing EAP
2022-04-08T14:14:49.226889+02:00 AUTH radiusd[8170]: (11)     [eap] = noop
2022-04-08T14:14:49.226932+02:00 AUTH radiusd[8170]: (11)     [expiration] = noop
2022-04-08T14:14:49.226936+02:00 AUTH radiusd[8170]: (11)     [logintime] = noop
2022-04-08T14:14:49.226947+02:00 AUTH radiusd[8170]: (11) facauth: facauth: recv Access-Request from 192.168.1.1 port 17837, id=170, length=126 
2022-04-08T14:14:49.226951+02:00 AUTH radiusd[8170]:         NAS-Identifier = "FORTI" 
2022-04-08T14:14:49.226953+02:00 AUTH radiusd[8170]:         State = 0x31 
2022-04-08T14:14:49.226956+02:00 AUTH radiusd[8170]:         User-Name = "test" 
2022-04-08T14:14:49.226958+02:00 AUTH radiusd[8170]:         User-Password: ****** 
2022-04-08T14:14:49.226962+02:00 AUTH radiusd[8170]:         Framed-IP-Address = 1.2.3.1 
2022-04-08T14:14:49.226964+02:00 AUTH radiusd[8170]:         NAS-Port = 1 
2022-04-08T14:14:49.226967+02:00 AUTH radiusd[8170]:         NAS-Port-Type = Virtual 
2022-04-08T14:14:49.226970+02:00 AUTH radiusd[8170]:         Calling-Station-Id = "1.2.3.1" 
2022-04-08T14:14:49.227027+02:00 AUTH radiusd[8170]:         Acct-Session-Id = "2baecc24" 
2022-04-08T14:14:49.227031+02:00 AUTH radiusd[8170]:         Connect-Info = "vpn-ssl" 
2022-04-08T14:14:49.227034+02:00 AUTH radiusd[8170]:         Fortinet-Vdom-Name = "root" 
2022-04-08T14:14:49.227037+02:00 AUTH radiusd[8170]:         Event-Timestamp = "Apr  8 2022 14:14:49 CEST" 
2022-04-08T14:14:49.227040+02:00 AUTH radiusd[8170]:         NAS-IP-Address = 192.168.1.1 
2022-04-08T14:14:49.227042+02:00 AUTH radiusd[8170]: (11) facauth: ===>NAS IP:192.168.1.1 
2022-04-08T14:14:49.227046+02:00 AUTH radiusd[8170]: (11) facauth: ===>Username:test 
2022-04-08T14:14:49.227052+02:00 AUTH radiusd[8170]: (11) facauth: ===>Timestamp:1649420089.226472, age:0ms 
2022-04-08T14:14:49.227489+02:00 AUTH radiusd[8170]: (11) facauth: Comparing client IP 192.168.1.1 with authclient FORTI (192.168.1.1, 1 IPs) 
2022-04-08T14:14:49.227492+02:00 AUTH radiusd[8170]: (11) facauth: ------> matched! 
2022-04-08T14:14:49.227496+02:00 AUTH radiusd[8170]: (11) facauth: Found authclient from preloaded authclients list for 192.168.1.1: FORTI (192.168.1.1) 
2022-04-08T14:14:49.227499+02:00 AUTH radiusd[8170]: (11) facauth: authclient_id:1 auth_type:'password' 
2022-04-08T14:14:49.228210+02:00 AUTH radiusd[8170]: (11) facauth: Found authpolicy 'SSL_VPN_LOGIN' for client '192.168.1.1' 
2022-04-08T14:14:49.228220+02:00 AUTH radiusd[8170]: (11) facauth: Setting 'Auth-Type := FACAUTH'
2022-04-08T14:14:49.228231+02:00 AUTH radiusd[8170]: (11)     [facauth] = updated
2022-04-08T14:14:49.228237+02:00 AUTH radiusd[8170]: Not doing PAP as Auth-Type is already set.
2022-04-08T14:14:49.228240+02:00 AUTH radiusd[8170]: (11)     [pap] = noop
2022-04-08T14:14:49.228243+02:00 AUTH radiusd[8170]: (11)   } # authorize = updated
2022-04-08T14:14:49.228249+02:00 AUTH radiusd[8170]: (11) Found Auth-Type = facauth
2022-04-08T14:14:49.228254+02:00 AUTH radiusd[8170]: (11) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:49.228257+02:00 AUTH radiusd[8170]: (11)   Auth-Type FACAUTH {
2022-04-08T14:14:49.228264+02:00 AUTH radiusd[8170]: (11) facauth: This is a response to Access-Challenge
2022-04-08T14:14:49.228268+02:00 AUTH radiusd[8170]: (11) facauth: Partial auth user found
2022-04-08T14:14:49.228329+02:00 AUTH radiusd[8170]: (11) facauth: Successfully found partially authenticated user instance.
2022-04-08T14:14:49.228525+02:00 AUTH radiusd[8170]: (11) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1 
2022-04-08T14:14:49.228683+02:00 AUTH radiusd[8170]: (11) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1 
2022-04-08T14:14:49.228687+02:00 AUTH radiusd[8170]: (11) facauth: Auth code: 20000 
2022-04-08T14:14:49.228739+02:00 AUTH radiusd[8170]: (11) facauth: Updated auth log 'test': Local user authentication with email token failed: user password change required 
2022-04-08T14:14:49.228744+02:00 AUTH radiusd[8170]: (11) facauth: facauth: print reply attributes of request id 170: 
2022-04-08T14:14:49.228748+02:00 AUTH radiusd[8170]:         Reply-Message += "user must change password" 
2022-04-08T14:14:49.228752+02:00 AUTH radiusd[8170]: (11)     [facauth] = reject
2022-04-08T14:14:49.228755+02:00 AUTH radiusd[8170]: (11)   } # Auth-Type FACAUTH = reject
2022-04-08T14:14:49.228759+02:00 AUTH radiusd[8170]: (11) Failed to authenticate the user
2022-04-08T14:14:49.228767+02:00 AUTH radiusd[8170]: (11) Using Post-Auth-Type Reject
2022-04-08T14:14:49.228771+02:00 AUTH radiusd[8170]: (11) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:49.229162+02:00 AUTH radiusd[8170]: (11)   Post-Auth-Type REJECT {
2022-04-08T14:14:49.229177+02:00 AUTH radiusd[8170]: (11) facauth: User-Name: test (from request)
2022-04-08T14:14:49.229181+02:00 AUTH radiusd[8170]: (11)     [facauth] = ok
2022-04-08T14:14:49.229184+02:00 AUTH radiusd[8170]: (11)   } # Post-Auth-Type REJECT = ok
2022-04-08T14:14:49.229190+02:00 AUTH radiusd[8170]: (11) Delaying response for 1.000000 seconds
2022-04-08T14:14:49.229197+02:00 AUTH radiusd[8170]: Thread 1 waiting to be assigned a request
2022-04-08T14:14:49.895721+02:00 AUTH radiusd[8170]: Waking up in 0.3 seconds.
2022-04-08T14:14:50.231709+02:00 AUTH radiusd[8170]: (11) Sending delayed response
2022-04-08T14:14:50.231726+02:00 AUTH radiusd[8170]: (11) Sent Access-Reject Id 170 from 192.168.1.10:1812 to 192.168.1.1:17837 length 47
2022-04-08T14:14:50.231734+02:00 AUTH radiusd[8170]: (11)   Reply-Message += "user must change password"
2022-04-08T14:14:50.231781+02:00 AUTH radiusd[8170]: Waking up in 17.2 seconds.

 

 

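As an added example (not code from the original thread or from Fortinet), the following Python script reconstructs the exchange shown in the trace above: it groups the radiusd debug lines by their "(N)" request counter, separates the Access-Request attributes from the reply attributes, pairs each Access-Challenge with the follow-up request that returns its State, and flags an OTP challenge that ends in an Access-Reject asking for a password change while the NAS is still sending User-Password (PAP). The debug format it assumes is the FreeRADIUS-style output posted above; the sample log is an excerpt of that trace trimmed to the lines the parser reads. The FortiOS CLI lines in the advice string (set auth-type ms_chap_v2) are my assumption of how the accepted solution is applied, not something the thread spells out.

```python
"""Reconstruct a FortiAuthenticator 'Radius Authentication' debug trace into per-request
records and flag the OTP-challenge -> 'must change password' reject seen over PAP."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^\S+ AUTH radiusd\[\d+\]: \((\d+)\) (.*)$")   # only "(10) ..." lines
PKT_RE = re.compile(r"^(Received|Sent) (Access-\w+) Id (\d+) ")       # packet boundaries
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*(\+=|=|:)\s*(.*?)\s*$")   # indented attribute dump
AUTHCODE_RE = re.compile(r"facauth: Auth code: (\d+)")

# Constructed sample: excerpt of the trace posted above, trimmed to the lines the parser reads.
SAMPLE_LOG = """\
2022-04-08T14:14:37.428954+02:00 AUTH radiusd[8170]: (10) Received Access-Request Id 169 from 192.168.1.1:18010 to 192.168.1.10:1812 length 123
2022-04-08T14:14:37.428970+02:00 AUTH radiusd[8170]: (10)   User-Name = "test"
2022-04-08T14:14:37.428976+02:00 AUTH radiusd[8170]: (10)   User-Password: ******
2022-04-08T14:14:37.432520+02:00 AUTH radiusd[8170]: (10) facauth: Auth code: 20300
2022-04-08T14:14:37.433151+02:00 AUTH radiusd[8170]: (10) Sent Access-Challenge Id 169 from 192.168.1.10:1812 to 192.168.1.1:18010 length 0
2022-04-08T14:14:37.433157+02:00 AUTH radiusd[8170]: (10)   Reply-Message = "-Please enter your token code"
2022-04-08T14:14:37.433165+02:00 AUTH radiusd[8170]: (10)   State = 0x31
2022-04-08T14:14:49.226754+02:00 AUTH radiusd[8170]: (11) Received Access-Request Id 170 from 192.168.1.1:17837 to 192.168.1.10:1812 length 126
2022-04-08T14:14:49.226763+02:00 AUTH radiusd[8170]: (11)   State = 0x31
2022-04-08T14:14:49.226767+02:00 AUTH radiusd[8170]: (11)   User-Name = "test"
2022-04-08T14:14:49.226770+02:00 AUTH radiusd[8170]: (11)   User-Password: ******
2022-04-08T14:14:49.228687+02:00 AUTH radiusd[8170]: (11) facauth: Auth code: 20000
2022-04-08T14:14:50.231726+02:00 AUTH radiusd[8170]: (11) Sent Access-Reject Id 170 from 192.168.1.10:1812 to 192.168.1.1:17837 length 47
2022-04-08T14:14:50.231734+02:00 AUTH radiusd[8170]: (11)   Reply-Message += "user must change password"
"""


@dataclass
class RadiusExchange:
    req: int                                   # radiusd request counter, the "(10)" prefix
    packet_id: Optional[int] = None            # RADIUS packet Id (169, 170)
    reply_type: Optional[str] = None           # Access-Challenge / Access-Accept / Access-Reject
    auth_code: Optional[str] = None            # facauth result code (20300 = partial, OTP pending)
    request: Dict[str, str] = field(default_factory=dict)   # attributes the NAS sent
    reply: Dict[str, str] = field(default_factory=dict)     # attributes FortiAuthenticator returned

    @property
    def user(self) -> str:
        return self.request.get("User-Name", "")

    @property
    def auth_method(self) -> str:
        """Infer the NAS password method from the attributes it sent."""
        if "MS-CHAP2-Response" in self.request:
            return "mschapv2"
        if "CHAP-Password" in self.request:
            return "chap"
        return "pap" if "User-Password" in self.request else "unknown"


def parse_debug(text: str) -> List[RadiusExchange]:
    exchanges: Dict[int, RadiusExchange] = {}
    phase: Dict[int, str] = {}                 # per request: are we inside the request or the reply dump
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                           # facauth's un-prefixed echo of the attributes is skipped
        req, body = int(m.group(1)), m.group(2)
        ex = exchanges.setdefault(req, RadiusExchange(req))
        if pkt := PKT_RE.match(body):
            direction, ptype, pid = pkt.groups()
            ex.packet_id = int(pid)
            if direction == "Sent":
                ex.reply_type = ptype
            phase[req] = "request" if direction == "Received" else "reply"
        elif code := AUTHCODE_RE.search(body):
            ex.auth_code = code.group(1)
        elif attr := ATTR_RE.match(body):
            name, op, value = attr.groups()
            value = value.strip('"')
            target = ex.request if phase.get(req, "request") == "request" else ex.reply
            target[name] = f"{target[name]} | {value}" if op == "+=" and name in target else value
    return [exchanges[k] for k in sorted(exchanges)]


# Assumed FortiOS CLI for the accepted solution in this thread; verify against your FortiOS version.
PAP_ADVICE = ("NAS sent User-Password (PAP), so there is no MS-CHAP-v2 exchange in which the password "
              "change can be carried after the OTP. Per the accepted solution, set the FortiGate RADIUS "
              "server to MS-CHAP-v2: config user radius / edit <name> / set auth-type ms_chap_v2 / "
              "set password-renewal enable / next / end")


def diagnose(exchanges: List[RadiusExchange]) -> List[dict]:
    """Pair each Access-Challenge with the request that returns its State; report OTP rejects."""
    findings: List[dict] = []
    open_challenges: Dict[str, RadiusExchange] = {}   # State value -> the challenging exchange
    for ex in exchanges:
        challenge = open_challenges.pop(ex.request.get("State", ""), None)
        msg = ex.reply.get("Reply-Message", "")
        if challenge and ex.reply_type == "Access-Reject" and "change password" in msg.lower():
            findings.append({"user": ex.user or challenge.user, "auth_method": ex.auth_method,
                             "challenge_req": challenge.req, "reject_req": ex.req, "reply_message": msg,
                             "advice": PAP_ADVICE if ex.auth_method == "pap" else "Inspect the full facauth trace."})
        if ex.reply_type == "Access-Challenge" and "State" in ex.reply:
            open_challenges[ex.reply["State"]] = ex     # register after pairing: a reply may re-challenge
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_debug(SAMPLE_LOG)):
        print(f"{f['user']} via {f['auth_method']}: challenge ({f['challenge_req']}) -> "
              f"reject ({f['reject_req']}) {f['reply_message']!r}\n  {f['advice']}")
```

Run it as a script to print the finding for the excerpt; to check a live FortiAuthenticator, paste a full export of the debug page in place of SAMPLE_LOG. The parser ignores lines without the "(N)" prefix on purpose, since facauth echoes the same attributes a second time without it.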
zoriax
Contributor

What is amazing is that the whole process works without OTP enabled (I can change my password correctly).

And for this test I used a local user to be sure everything works on FortiAuth directly.

zoriax
Contributor

Could it be related to RADIUS Vendor Attributes? I checked inside the dictionaries and can't find it:

[screenshot]

I only have:

[screenshot]



Debbie_FTNT

Hey zoriax,

thanks for posting the solution!

My apologies that I didn't ask about the RADIUS authentication method; when you said you'd enabled AD authentication I automatically assumed FortiGate was set to MS-CHAP-V2. Sorry for the assumption.

Great that you solved it!
