We are looking to set up 2-factor auth for our SSL VPN access. I have a user whom I set up in the user definition (FortiGate 310B) and set the 2-factor check. This is a mobile token code.
Everything looks normal, but when they log in via the client, they are not presented with the field to enter their 2-factor code.
Not sure how to troubleshoot or field this issue.
Hi,
If the user is locally defined but of remote type (residing on LDAP, for example), then pay attention to the username: matching against local users on the FGT is case sensitive.
This is usually caused by a misconfiguration where the firewall group used in authentication (SSL VPN here) contains both a local user AND the LDAP server as well.
The initial idea to have a backup is fine.
A local account even takes precedence over the remote ones (LDAP server), but if the user logs in as Tomas while the local user with the token is named tomas, then the local user does not match. So the next in row in the group is LDAP, which is tried. If the user does exist there, it will match and authenticate just fine with the password and without the token.
This most often happens with LDAP, which is not case sensitive, so the users Tomas and tomas are the same account on LDAP, while they are different on the FGT.
Solution:
---
SPLIT!
Define the users with tokens on the FGT directly in one group.
Put the LDAP server into a second group, so that the rest of the users without tokens are authenticated directly against LDAP. To prevent users with tokens from falling through to that LDAP server group via the SSL VPN config, create a group on LDAP, put the users without tokens into it, and then use a group match rule in the group definition for that second LDAP server group. That way users with tokens will not match. The same can be set up for token-based users.
Kind regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
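The split Tomas describes, written out as a FortiOS CLI configuration. This is an added example, not from the original thread or from Fortinet documentation; the LDAP server name "LDAP-SRV", the user "tomas", the group names "SSLVPN-TOKEN" and "SSLVPN-LDAP", the directory group DN and the token serial are all assumptions, and the portal name "full-access" is just the default.

```fortios
# Assumed names throughout: LDAP server "LDAP-SRV", local token user "tomas",
# groups "SSLVPN-TOKEN" / "SSLVPN-LDAP", directory group for users without tokens.

# 1. Local user of remote (LDAP) type with a mobile token.
#    The name must match what the user types at login exactly: the FGT
#    compares case-sensitively, so a login as "Tomas" will NOT match this entry.
config user local
    edit "tomas"
        set type ldap
        set ldap-server "LDAP-SRV"
        set two-factor fortitoken
        # placeholder serial, replace with the activated mobile token
        set fortitoken "FTKMOB-PLACEHOLDER-SERIAL"
    next
end

# 2. Group for token users only. It contains the local user and NOT the LDAP
#    server, so there is nothing to fall through to when the name does not match.
config user group
    edit "SSLVPN-TOKEN"
        set member "tomas"
    next
# 3. Group for users without tokens. It contains the LDAP server, restricted
#    by a group match so only members of the "no token" directory group pass.
#    Token users are not in that directory group, so they never match here.
    edit "SSLVPN-LDAP"
        set member "LDAP-SRV"
        config match
            edit 1
                set server-name "LDAP-SRV"
                set group-name "CN=VPN-NoToken,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# 4. One SSL VPN authentication rule per group instead of one mixed group.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSLVPN-TOKEN"
            set portal "full-access"
        next
        edit 2
            set groups "SSLVPN-LDAP"
            set portal "full-access"
        next
    end
end
```

With this in place a login as "tomas" hits the local entry and the client shows the token prompt; a login as "Tomas" is rejected instead of silently succeeding with password only against LDAP, which is the symptom to watch for. To see which member of a group actually answered the request, run `diagnose debug application fnbamd -1` together with `diagnose debug enable` on the FGT during a test login, and `diagnose debug reset` afterwards.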
Copyright 2024 Fortinet, Inc. All Rights Reserved.