Hi,
1. I have configured 2FA on RADIUS clients. Everything is working until the login is the same as the domain login: if I type the login using CAPITAL letters and the correct password, then I can simply bypass 2FA and I'm logged in without a token.
2. When I remove Groups from the RADIUS user configured on the FortiGate, then I can log in without a prompt for 2FA (2FA is configured for that user). If I configure the Groups back for this user, then 2FA is working. Why?
I'm curious how others have dealt with the confusion between users with different authentication methods for different purposes. What I did was prefix all the RADIUS user names, e.g. if the domain login is 'jdoe' then where 2FA is needed (such as SSL VPN) the user's name is 'rsa.jdoe'. Haven't come across any gotchas with this approach yet, but we've only been using it for a few months.
...Fred
If you included the RADIUS server in the group, then someone who tries to log in with a username which is NOT configured locally would be sent to the RADIUS server for authentication. Then it's up to the RADIUS server whether it's "pass" or "deny". Check whether your server's usernames are case-sensitive.
If you want to limit the users to only those with a token, you need to remove the RADIUS server from the group. Then only those users configured locally with "set type radius" would be accepted.
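The fall-through described in the reply above, as a small Python model added here (it is not FortiOS code and was not posted by anyone in the thread): the lookup order, the user name jdoe, the server name nps and the sample password are assumptions, and the hardened group shows the fix of leaving the RADIUS server out of the group.

```python
from dataclasses import dataclass, field

@dataclass
class LocalRadiusUser:
    """A FortiGate local user of 'set type radius' (password checked by RADIUS)."""
    name: str             # compared case-sensitively in this model
    token_required: bool  # two-factor configured on the local user

@dataclass
class RadiusServer:
    """Backend credential store; Windows NPS matches names case-insensitively."""
    name: str
    accounts: dict                 # constructed sample data, not real credentials
    case_insensitive: bool = True

    def check_password(self, username, password):
        store = self.accounts
        if self.case_insensitive:
            store = {k.lower(): v for k, v in store.items()}
            username = username.lower()
        return store.get(username) == password

@dataclass
class UserGroup:
    local_users: list
    remote_servers: list = field(default_factory=list)  # remote RADIUS members

def authenticate(group, backend, username, password, token_ok):
    """Return (accepted, reason); token_ok models a valid second factor."""
    # Step 1: exact match against the group's local users; token enforced here.
    for user in group.local_users:
        if user.name == username:
            if not backend.check_password(username, password):
                return False, "bad password"
            if user.token_required and not token_ok:
                return False, "token required"
            return True, "local user, token verified"
    # Step 2: no local match, so the request falls through to any remote
    # RADIUS server in the group, which only sees a password (no token).
    for server in group.remote_servers:
        if server.check_password(username, password):
            return True, f"remote server {server.name}, no token"
    return False, "unknown user"

# Constructed scenario: 'jdoe' has a token; the NPS backend is case-insensitive.
NPS = RadiusServer("nps", {"jdoe": "Passw0rd!"})
WEAK_GROUP = UserGroup([LocalRadiusUser("jdoe", True)], remote_servers=[NPS])
HARDENED_GROUP = UserGroup([LocalRadiusUser("jdoe", True)])  # no server member
```

With WEAK_GROUP the upper-case login "JDOE" misses the local user and is accepted by the server member with a password alone; with HARDENED_GROUP the same login is rejected as unknown.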
I don't understand this. So what is the purpose of "Remote Groups" in the User Group configuration, if I can create a user that belongs to a Remote RADIUS User that belongs to my remote RADIUS server?
My RADIUS is Windows NPS, so it is not case-sensitive.
This is for LDAP auth, but nothing is different with RADIUS.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033
Copyright 2025 Fortinet, Inc. All Rights Reserved.