feirrer
New Contributor

Forced password change for SSL-VPN RADIUS user, doesn't show token field

Hi Everyone,

 

I got a problem with forced password change for new SSL-VPN users.

When entering the username and password, the next step should add a field to add the token, but on my primary it somehow doesn't show it, even though I receive the token via SMS. It changed out of nowhere, worked fine previously; on my backup it's still working correctly.

Has anyone maybe had the same issue?

 

This is what it looks like:

d7029e6b-5b74-4430-8db3-a5f8b3ff1265.png

Wrong2.png

 

 

This is what it should look like (my backup):

Correct1.png Correct2.png

rbraha
Staff

Hi @feirrer 

Is there any FortiAuthenticator in place or just using FGT only?

If using FAC, FAC needs to be joined to the domain and LDAPS in place.

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-SSL-VPN-for-users-with-password-t...

 

If using FGT only, LDAPS is also required.

 

If the token field is missing, make sure that the correct users with token assigned are part of the groups added on SSLVPN Setting, and also this group needs to be present on the firewall policy.

 

 

feirrer
New Contributor

Hi @rbraha 

 

Yes I'm using a FortiAuthenticator and I recently upgraded it to 6.4.6 firmware.

I'm using a RADIUS server that has 2 clients, 2200E and 500E.

The 500E, which is on 7.X firmware, works correctly; the 2200E with 6.4.X firmware has a problem when the user doesn't specify the realm with the username.

 

On 500E there is only one realm, on 2200E there are 6 and on both "Use default realm when user-provide realm is different from all configured realms" is enabled.

 

Thanks for your reply.

 

rbraha

Hi @feirrer 

If having multiple realms on FAC, it's mandatory to specify the realm for users in a format specified on the RADIUS policy: username@realm, realm\username or realm/username.

When "Use default realm ..." is enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms. Can you try to disable this option?

lmarinovic

Hello,

 

Also, when you don't specify the realm, it will always go to the default realm. So in this case only one "domain" can be authenticated without a realm; for the rest it will be mandatory to put the realm with the username.

 

Best regards,

Lazar

Best regards

Lazar Marinovic
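
The realm selection rules described in the replies above, as a simplified Python model added here (it is not FortiAuthenticator code and not from any poster). The realm names, sample logins, separator precedence and the reject-on-unknown-realm behaviour when the option is disabled are assumptions; the helper lists logins that end up in the default realm without naming it.

```python
from typing import List, Optional, Set, Tuple

# Constructed sample configuration and logins (assumptions, not from the thread).
REALMS = {"local", "corp", "partners"}
DEFAULT = "local"
LOGINS = ["alice", "bob@corp", "corp\\carol", "partners/dave",
          "erin@crop", "frank@local"]


def split_realm(login: str) -> Tuple[str, Optional[str]]:
    """Split a login into (username, realm) for the three formats in the thread.

    Checking backslash, then slash, then @ is an assumption of this model.
    """
    if "\\" in login:                       # realm\username
        realm, user = login.split("\\", 1)
    elif "/" in login:                      # realm/username
        realm, user = login.split("/", 1)
    elif "@" in login:                      # username@realm
        user, realm = login.rsplit("@", 1)
    else:
        return login, None                  # no realm supplied
    return user, realm


def select_realm(login: str, realms: Set[str], default: str,
                 fallback_enabled: bool) -> Tuple[str, Optional[str]]:
    """Return (username, realm used); realm is None when the login is rejected."""
    user, realm = split_realm(login)
    if realm is None:
        return user, default                # no realm: always the default realm
    if realm in realms:
        return user, realm
    # Unknown realm: default realm only if the fallback option is enabled.
    # Rejecting otherwise is an assumption of this model.
    return user, (default if fallback_enabled else None)


def silent_fallbacks(logins: List[str], realms: Set[str], default: str,
                     fallback_enabled: bool = True) -> List[str]:
    """Logins that are authenticated in the default realm without naming it."""
    hits = []
    for login in logins:
        _, named = split_realm(login)
        _, chosen = select_realm(login, realms, default, fallback_enabled)
        if chosen == default and named != default:
            hits.append(login)
    return hits
```

With the fallback option on, both the bare login and the mistyped realm are sent to the default realm; with it off, only the bare login is.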