Hi!
I have a strange behaviour with FortiAuthenticator and SSL VPN on FortiGate.
Without 2FA enabled on FortiAuthenticator account
With 2FA enabled on FortiAuthenticator account
On Authentication > User Account Policies I have
If I disable "Request password reset after OTP verification", the behaviour is a bit different.
What is the correct workflow and options to allow token and password change with LDAP?
Many thanks
I tried with a local user and the behaviour is the same :( ! It seems I missed something in configuration :)
Hey zoriax,
did you enable the setting to allow password change in FortiGate CLI?
config user radius
    edit <radius-server-name>
        set password-renewal enable
    next
end
Yes, and as I said in my post, it works! The only problem is when 2FA is enabled.
Oh, my apologies, I overlooked that bit - please ignore the above post then.
In that case, I would dive into the RADIUS authentication debug log on FortiAuthenticator (https://<FortiAuthenticator>/debug and select 'Radius Authentication' in the drop-down) to see what it is doing, and what it is sending to FortiGate when. It could also be that FortiGate is not handling the two challenges (token code, change password) well; I believe that depends a bit on FortiGate firmware version.
Hi Debbie, no problem :)
I run FortiOS 7.0.5 and FortiAuth 6.4.3
In debug, I have:
2022-04-08T14:14:37.428877+02:00 AUTH radiusd[8170]: Waking up in 0.6 seconds.
2022-04-08T14:14:37.428886+02:00 AUTH radiusd[8170]: Thread 3 got semaphore
2022-04-08T14:14:37.428906+02:00 AUTH radiusd[8170]: Thread 3 handling request 10, (3 handled so far)
2022-04-08T14:14:37.428954+02:00 AUTH radiusd[8170]: (10) Received Access-Request Id 169 from 192.168.1.1:18010 to 192.168.1.10:1812 length 123
2022-04-08T14:14:37.428970+02:00 AUTH radiusd[8170]: (10) NAS-Identifier = "FORTI"
2022-04-08T14:14:37.428973+02:00 AUTH radiusd[8170]: (10) User-Name = "test"
2022-04-08T14:14:37.428976+02:00 AUTH radiusd[8170]: (10) User-Password: ******
2022-04-08T14:14:37.428983+02:00 AUTH radiusd[8170]: (10) Framed-IP-Address = 1.2.3.1
2022-04-08T14:14:37.428993+02:00 AUTH radiusd[8170]: (10) NAS-Port = 1
2022-04-08T14:14:37.429003+02:00 AUTH radiusd[8170]: (10) NAS-Port-Type = Virtual
2022-04-08T14:14:37.429008+02:00 AUTH radiusd[8170]: (10) Calling-Station-Id = "1.2.3.1"
2022-04-08T14:14:37.429012+02:00 AUTH radiusd[8170]: (10) Acct-Session-Id = "2baecc24"
2022-04-08T14:14:37.429015+02:00 AUTH radiusd[8170]: (10) Connect-Info = "vpn-ssl"
2022-04-08T14:14:37.429018+02:00 AUTH radiusd[8170]: (10) Fortinet-Vdom-Name = "root"
2022-04-08T14:14:37.429034+02:00 AUTH radiusd[8170]: (10) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:37.429041+02:00 AUTH radiusd[8170]: (10) authorize {
2022-04-08T14:14:37.429061+02:00 AUTH radiusd[8170]: (10) [preprocess] = ok
2022-04-08T14:14:37.429071+02:00 AUTH radiusd[8170]: (10) [chap] = noop
2022-04-08T14:14:37.429081+02:00 AUTH radiusd[8170]: (10) [mschap] = noop
2022-04-08T14:14:37.429089+02:00 AUTH radiusd[8170]: (10) eap: No EAP-Message, not doing EAP
2022-04-08T14:14:37.429092+02:00 AUTH radiusd[8170]: (10) [eap] = noop
2022-04-08T14:14:37.429099+02:00 AUTH radiusd[8170]: (10) [expiration] = noop
2022-04-08T14:14:37.429105+02:00 AUTH radiusd[8170]: (10) [logintime] = noop
2022-04-08T14:14:37.429116+02:00 AUTH radiusd[8170]: (10) facauth: facauth: recv Access-Request from 192.168.1.1 port 18010, id=169, length=123
2022-04-08T14:14:37.429120+02:00 AUTH radiusd[8170]: NAS-Identifier = "FORTI"
2022-04-08T14:14:37.429161+02:00 AUTH radiusd[8170]: User-Name = "test"
2022-04-08T14:14:37.429166+02:00 AUTH radiusd[8170]: User-Password: ******
2022-04-08T14:14:37.429169+02:00 AUTH radiusd[8170]: Framed-IP-Address = 1.2.3.1
2022-04-08T14:14:37.429172+02:00 AUTH radiusd[8170]: NAS-Port = 1
2022-04-08T14:14:37.429175+02:00 AUTH radiusd[8170]: NAS-Port-Type = Virtual
2022-04-08T14:14:37.429191+02:00 AUTH radiusd[8170]: Calling-Station-Id = "1.2.3.1"
2022-04-08T14:14:37.429197+02:00 AUTH radiusd[8170]: Acct-Session-Id = "2baecc24"
2022-04-08T14:14:37.429240+02:00 AUTH radiusd[8170]: Connect-Info = "vpn-ssl"
2022-04-08T14:14:37.429243+02:00 AUTH radiusd[8170]: Fortinet-Vdom-Name = "root"
2022-04-08T14:14:37.429249+02:00 AUTH radiusd[8170]: Event-Timestamp = "Apr 8 2022 14:14:37 CEST"
2022-04-08T14:14:37.429251+02:00 AUTH radiusd[8170]: NAS-IP-Address = 192.168.1.1
2022-04-08T14:14:37.429255+02:00 AUTH radiusd[8170]: (10) facauth: ===>NAS IP:192.168.1.1
2022-04-08T14:14:37.429261+02:00 AUTH radiusd[8170]: (10) facauth: ===>Username:test
2022-04-08T14:14:37.429267+02:00 AUTH radiusd[8170]: (10) facauth: ===>Timestamp:1649420077.428678, age:0ms
2022-04-08T14:14:37.429768+02:00 AUTH radiusd[8170]: (10) facauth: Comparing client IP 192.168.1.1 with authclient FORTI (192.168.1.1, 1 IPs)
2022-04-08T14:14:37.429771+02:00 AUTH radiusd[8170]: (10) facauth: ------> matched!
2022-04-08T14:14:37.429774+02:00 AUTH radiusd[8170]: (10) facauth: Found authclient from preloaded authclients list for 192.168.1.1: FORTI (192.168.1.1)
2022-04-08T14:14:37.429778+02:00 AUTH radiusd[8170]: (10) facauth: authclient_id:1 auth_type:'password'
2022-04-08T14:14:37.430525+02:00 AUTH radiusd[8170]: (10) facauth: Found authpolicy 'AUTH_LOGIN' for client '192.168.1.1'
2022-04-08T14:14:37.430539+02:00 AUTH radiusd[8170]: (10) facauth: Setting 'Auth-Type := FACAUTH'
2022-04-08T14:14:37.430553+02:00 AUTH radiusd[8170]: (10) [facauth] = updated
2022-04-08T14:14:37.430563+02:00 AUTH radiusd[8170]: Not doing PAP as Auth-Type is already set.
2022-04-08T14:14:37.430566+02:00 AUTH radiusd[8170]: (10) [pap] = noop
2022-04-08T14:14:37.430570+02:00 AUTH radiusd[8170]: (10) } # authorize = updated
2022-04-08T14:14:37.430579+02:00 AUTH radiusd[8170]: (10) Found Auth-Type = facauth
2022-04-08T14:14:37.430584+02:00 AUTH radiusd[8170]: (10) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:37.430587+02:00 AUTH radiusd[8170]: (10) Auth-Type FACAUTH {
2022-04-08T14:14:37.430605+02:00 AUTH radiusd[8170]: (10) facauth: Client type: external (subtype: radius)
2022-04-08T14:14:37.430608+02:00 AUTH radiusd[8170]: (10) facauth: Input raw_username: (null) Realm: (null) username: test
2022-04-08T14:14:37.430645+02:00 AUTH radiusd[8170]: (10) facauth: Searching default realm as well
2022-04-08T14:14:37.430653+02:00 AUTH radiusd[8170]: (10) facauth: Realm not specified, default goes to FAC local user
2022-04-08T14:14:37.431536+02:00 AUTH radiusd[8170]: (10) facauth: Local user found: test
2022-04-08T14:14:37.431542+02:00 AUTH radiusd[8170]: (10) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2022-04-08T14:14:37.431546+02:00 AUTH radiusd[8170]: (10) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2022-04-08T14:14:37.431550+02:00 AUTH radiusd[8170]: (10) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: email]
2022-04-08T14:14:37.431554+02:00 AUTH radiusd[8170]: (10) facauth: WARNING: Warning: user 'test' was partially authed before, remove it from old cache.
2022-04-08T14:14:37.431750+02:00 AUTH radiusd[8170]: (10) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2022-04-08T14:14:37.431755+02:00 AUTH radiusd[8170]: (10) facauth: just continue doing authentication
2022-04-08T14:14:37.431760+02:00 AUTH radiusd[8170]: (10) facauth: Partial auth done, challenge for token code
2022-04-08T14:14:37.431907+02:00 AUTH radiusd[8170]: Try to load smtp server, id: 2
2022-04-08T14:14:37.432168+02:00 AUTH radiusd[8170]: (10) facauth: Sent email token code (timeout 120) to sylvain.aubort@ciad.ch
2022-04-08T14:14:37.432175+02:00 AUTH radiusd[8170]: Load radius challenge msg from template: Please enter your token code
2022-04-08T14:14:37.432189+02:00 AUTH radiusd[8170]: (10) facauth: Sending Access-Challenge.
2022-04-08T14:14:37.432516+02:00 AUTH radiusd[8170]: (10) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2022-04-08T14:14:37.432520+02:00 AUTH radiusd[8170]: (10) facauth: Auth code: 20300
2022-04-08T14:14:37.432548+02:00 AUTH radiusd[8170]: (10) facauth: Updated auth log 'test': Local user authentication partially done, expecting email token
2022-04-08T14:14:37.432552+02:00 AUTH radiusd[8170]: (10) facauth: facauth: print reply attributes of request id 169:
2022-04-08T14:14:37.432557+02:00 AUTH radiusd[8170]: Reply-Message = "-Please enter your token code"
2022-04-08T14:14:37.432560+02:00 AUTH radiusd[8170]: Fortinet-FAC-Challenge-Code = "001"
2022-04-08T14:14:37.432565+02:00 AUTH radiusd[8170]: State = 0x31
2022-04-08T14:14:37.432568+02:00 AUTH radiusd[8170]: (10) [facauth] = handled
2022-04-08T14:14:37.432571+02:00 AUTH radiusd[8170]: (10) } # Auth-Type FACAUTH = handled
2022-04-08T14:14:37.432587+02:00 AUTH radiusd[8170]: (10) Using Post-Auth-Type Challenge
2022-04-08T14:14:37.433129+02:00 AUTH radiusd[8170]: (10) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:37.433143+02:00 AUTH radiusd[8170]: (10) Challenge { ... } # empty sub-section is ignored
2022-04-08T14:14:37.433151+02:00 AUTH radiusd[8170]: (10) Sent Access-Challenge Id 169 from 192.168.1.10:1812 to 192.168.1.1:18010 length 0
2022-04-08T14:14:37.433157+02:00 AUTH radiusd[8170]: (10) Reply-Message = "-Please enter your token code"
2022-04-08T14:14:37.433162+02:00 AUTH radiusd[8170]: (10) Fortinet-FAC-Challenge-Code = "001"
2022-04-08T14:14:37.433165+02:00 AUTH radiusd[8170]: (10) State = 0x31
2022-04-08T14:14:37.433203+02:00 AUTH radiusd[8170]: (10) Finished request
2022-04-08T14:14:37.433206+02:00 AUTH radiusd[8170]: Thread 3 waiting to be assigned a request
2022-04-08T14:14:38.099701+02:00 AUTH radiusd[8170]: Waking up in 29.3 seconds.
2022-04-08T14:14:49.226626+02:00 AUTH radiusd[8170]: Waking up in 0.6 seconds.
2022-04-08T14:14:49.226712+02:00 AUTH radiusd[8170]: Thread 1 got semaphore
2022-04-08T14:14:49.226727+02:00 AUTH radiusd[8170]: Thread 1 handling request 11, (3 handled so far)
2022-04-08T14:14:49.226754+02:00 AUTH radiusd[8170]: (11) Received Access-Request Id 170 from 192.168.1.1:17837 to 192.168.1.10:1812 length 126
2022-04-08T14:14:49.226760+02:00 AUTH radiusd[8170]: (11) NAS-Identifier = "FORTI"
2022-04-08T14:14:49.226763+02:00 AUTH radiusd[8170]: (11) State = 0x31
2022-04-08T14:14:49.226767+02:00 AUTH radiusd[8170]: (11) User-Name = "test"
2022-04-08T14:14:49.226770+02:00 AUTH radiusd[8170]: (11) User-Password: ******
2022-04-08T14:14:49.226776+02:00 AUTH radiusd[8170]: (11) Framed-IP-Address = 1.2.3.1
2022-04-08T14:14:49.226781+02:00 AUTH radiusd[8170]: (11) NAS-Port = 1
2022-04-08T14:14:49.226785+02:00 AUTH radiusd[8170]: (11) NAS-Port-Type = Virtual
2022-04-08T14:14:49.226788+02:00 AUTH radiusd[8170]: (11) Calling-Station-Id = "1.2.3.1"
2022-04-08T14:14:49.226838+02:00 AUTH radiusd[8170]: (11) Acct-Session-Id = "2baecc24"
2022-04-08T14:14:49.226842+02:00 AUTH radiusd[8170]: (11) Connect-Info = "vpn-ssl"
2022-04-08T14:14:49.226845+02:00 AUTH radiusd[8170]: (11) Fortinet-Vdom-Name = "root"
2022-04-08T14:14:49.226850+02:00 AUTH radiusd[8170]: (11) session-state: No cached attributes
2022-04-08T14:14:49.226855+02:00 AUTH radiusd[8170]: (11) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:49.226859+02:00 AUTH radiusd[8170]: (11) authorize {
2022-04-08T14:14:49.226873+02:00 AUTH radiusd[8170]: (11) [preprocess] = ok
2022-04-08T14:14:49.226878+02:00 AUTH radiusd[8170]: (11) [chap] = noop
2022-04-08T14:14:49.226882+02:00 AUTH radiusd[8170]: (11) [mschap] = noop
2022-04-08T14:14:49.226887+02:00 AUTH radiusd[8170]: (11) eap: No EAP-Message, not doing EAP
2022-04-08T14:14:49.226889+02:00 AUTH radiusd[8170]: (11) [eap] = noop
2022-04-08T14:14:49.226932+02:00 AUTH radiusd[8170]: (11) [expiration] = noop
2022-04-08T14:14:49.226936+02:00 AUTH radiusd[8170]: (11) [logintime] = noop
2022-04-08T14:14:49.226947+02:00 AUTH radiusd[8170]: (11) facauth: facauth: recv Access-Request from 192.168.1.1 port 17837, id=170, length=126
2022-04-08T14:14:49.226951+02:00 AUTH radiusd[8170]: NAS-Identifier = "FORTI"
2022-04-08T14:14:49.226953+02:00 AUTH radiusd[8170]: State = 0x31
2022-04-08T14:14:49.226956+02:00 AUTH radiusd[8170]: User-Name = "test"
2022-04-08T14:14:49.226958+02:00 AUTH radiusd[8170]: User-Password: ******
2022-04-08T14:14:49.226962+02:00 AUTH radiusd[8170]: Framed-IP-Address = 1.2.3.1
2022-04-08T14:14:49.226964+02:00 AUTH radiusd[8170]: NAS-Port = 1
2022-04-08T14:14:49.226967+02:00 AUTH radiusd[8170]: NAS-Port-Type = Virtual
2022-04-08T14:14:49.226970+02:00 AUTH radiusd[8170]: Calling-Station-Id = "1.2.3.1"
2022-04-08T14:14:49.227027+02:00 AUTH radiusd[8170]: Acct-Session-Id = "2baecc24"
2022-04-08T14:14:49.227031+02:00 AUTH radiusd[8170]: Connect-Info = "vpn-ssl"
2022-04-08T14:14:49.227034+02:00 AUTH radiusd[8170]: Fortinet-Vdom-Name = "root"
2022-04-08T14:14:49.227037+02:00 AUTH radiusd[8170]: Event-Timestamp = "Apr 8 2022 14:14:49 CEST"
2022-04-08T14:14:49.227040+02:00 AUTH radiusd[8170]: NAS-IP-Address = 192.168.1.1
2022-04-08T14:14:49.227042+02:00 AUTH radiusd[8170]: (11) facauth: ===>NAS IP:192.168.1.1
2022-04-08T14:14:49.227046+02:00 AUTH radiusd[8170]: (11) facauth: ===>Username:test
2022-04-08T14:14:49.227052+02:00 AUTH radiusd[8170]: (11) facauth: ===>Timestamp:1649420089.226472, age:0ms
2022-04-08T14:14:49.227489+02:00 AUTH radiusd[8170]: (11) facauth: Comparing client IP 192.168.1.1 with authclient FORTI (192.168.1.1, 1 IPs)
2022-04-08T14:14:49.227492+02:00 AUTH radiusd[8170]: (11) facauth: ------> matched!
2022-04-08T14:14:49.227496+02:00 AUTH radiusd[8170]: (11) facauth: Found authclient from preloaded authclients list for 192.168.1.1: FORTI (192.168.1.1)
2022-04-08T14:14:49.227499+02:00 AUTH radiusd[8170]: (11) facauth: authclient_id:1 auth_type:'password'
2022-04-08T14:14:49.228210+02:00 AUTH radiusd[8170]: (11) facauth: Found authpolicy 'SSL_VPN_LOGIN' for client '192.168.1.1'
2022-04-08T14:14:49.228220+02:00 AUTH radiusd[8170]: (11) facauth: Setting 'Auth-Type := FACAUTH'
2022-04-08T14:14:49.228231+02:00 AUTH radiusd[8170]: (11) [facauth] = updated
2022-04-08T14:14:49.228237+02:00 AUTH radiusd[8170]: Not doing PAP as Auth-Type is already set.
2022-04-08T14:14:49.228240+02:00 AUTH radiusd[8170]: (11) [pap] = noop
2022-04-08T14:14:49.228243+02:00 AUTH radiusd[8170]: (11) } # authorize = updated
2022-04-08T14:14:49.228249+02:00 AUTH radiusd[8170]: (11) Found Auth-Type = facauth
2022-04-08T14:14:49.228254+02:00 AUTH radiusd[8170]: (11) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:49.228257+02:00 AUTH radiusd[8170]: (11) Auth-Type FACAUTH {
2022-04-08T14:14:49.228264+02:00 AUTH radiusd[8170]: (11) facauth: This is a response to Access-Challenge
2022-04-08T14:14:49.228268+02:00 AUTH radiusd[8170]: (11) facauth: Partial auth user found
2022-04-08T14:14:49.228329+02:00 AUTH radiusd[8170]: (11) facauth: Successfully found partially authenticated user instance.
2022-04-08T14:14:49.228525+02:00 AUTH radiusd[8170]: (11) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2022-04-08T14:14:49.228683+02:00 AUTH radiusd[8170]: (11) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2022-04-08T14:14:49.228687+02:00 AUTH radiusd[8170]: (11) facauth: Auth code: 20000
2022-04-08T14:14:49.228739+02:00 AUTH radiusd[8170]: (11) facauth: Updated auth log 'test': Local user authentication with email token failed: user password change required
2022-04-08T14:14:49.228744+02:00 AUTH radiusd[8170]: (11) facauth: facauth: print reply attributes of request id 170:
2022-04-08T14:14:49.228748+02:00 AUTH radiusd[8170]: Reply-Message += "user must change password"
2022-04-08T14:14:49.228752+02:00 AUTH radiusd[8170]: (11) [facauth] = reject
2022-04-08T14:14:49.228755+02:00 AUTH radiusd[8170]: (11) } # Auth-Type FACAUTH = reject
2022-04-08T14:14:49.228759+02:00 AUTH radiusd[8170]: (11) Failed to authenticate the user
2022-04-08T14:14:49.228767+02:00 AUTH radiusd[8170]: (11) Using Post-Auth-Type Reject
2022-04-08T14:14:49.228771+02:00 AUTH radiusd[8170]: (11) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:49.229162+02:00 AUTH radiusd[8170]: (11) Post-Auth-Type REJECT {
2022-04-08T14:14:49.229177+02:00 AUTH radiusd[8170]: (11) facauth: User-Name: test (from request)
2022-04-08T14:14:49.229181+02:00 AUTH radiusd[8170]: (11) [facauth] = ok
2022-04-08T14:14:49.229184+02:00 AUTH radiusd[8170]: (11) } # Post-Auth-Type REJECT = ok
2022-04-08T14:14:49.229190+02:00 AUTH radiusd[8170]: (11) Delaying response for 1.000000 seconds
2022-04-08T14:14:49.229197+02:00 AUTH radiusd[8170]: Thread 1 waiting to be assigned a request
2022-04-08T14:14:49.895721+02:00 AUTH radiusd[8170]: Waking up in 0.3 seconds.
2022-04-08T14:14:50.231709+02:00 AUTH radiusd[8170]: (11) Sending delayed response
2022-04-08T14:14:50.231726+02:00 AUTH radiusd[8170]: (11) Sent Access-Reject Id 170 from 192.168.1.10:1812 to 192.168.1.1:17837 length 47
2022-04-08T14:14:50.231734+02:00 AUTH radiusd[8170]: (11) Reply-Message += "user must change password"
2022-04-08T14:14:50.231781+02:00 AUTH radiusd[8170]: Waking up in 17.2 seconds.
What is amazing is that all the process works without OTP enabled (I can change my password correctly).
And for this test I used local user to be sure everything works on FortiAuth directly.
Should it be related to RADIUS Vendor Attributes? I checked inside dictionaries and can't find:
I only have:
Ok after a few search I solved the problem.
To work with 2FA and reset, you need to enable MS-CHAP-V2 in FortiGate Radius
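As an added example (not code from the thread, FortiAuthenticator or Fortinet), here is a small Python checker for radiusd debug output like the log posted above: it groups the lines by request number, pairs each Access-Challenge with the follow-up request that echoes its State, and flags the case seen in the log, where the token answer comes back as Access-Reject "user password change required" instead of a second (change-password) challenge. The sample lines are a constructed, trimmed copy of the log above.

```python
import re

# Constructed sample: lines trimmed from the radiusd debug output quoted above
# (request 10 = email-token challenge, request 11 = the reject after the token).
SAMPLE_LOG = """\
AUTH radiusd[8170]: (10) Received Access-Request Id 169 from 192.168.1.1:18010 to 192.168.1.10:1812 length 123
AUTH radiusd[8170]: (10) Sent Access-Challenge Id 169 from 192.168.1.10:1812 to 192.168.1.1:18010 length 0
AUTH radiusd[8170]: (10) Fortinet-FAC-Challenge-Code = "001"
AUTH radiusd[8170]: (10) State = 0x31
AUTH radiusd[8170]: (11) Received Access-Request Id 170 from 192.168.1.1:17837 to 192.168.1.10:1812 length 126
AUTH radiusd[8170]: (11) State = 0x31
AUTH radiusd[8170]: (11) User-Name = "test"
AUTH radiusd[8170]: (11) facauth: Updated auth log 'test': Local user authentication with email token failed: user password change required
AUTH radiusd[8170]: (11) Sent Access-Reject Id 170 from 192.168.1.10:1812 to 192.168.1.1:17837 length 47
"""

LINE = re.compile(r"\((\d+)\) (.*)$")          # "(10) ..." request-scoped lines
ATTR = re.compile(r'^([\w-]+) = "?([^"]*)"?$')  # Name = "value"  /  Name = 0x31

def parse_radiusd(text):
    """One record per radiusd request number, with the State the NAS echoed
    (state_in), the reply type, the challenge code/State sent back, and facauth's verdict."""
    exchanges = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue                      # thread/timer chatter, no request number
        req, rest = m.groups()
        ex = exchanges.setdefault(req, dict(req=req, user="", state_in="", response="",
                                            code="", state_out="", auth_log=""))
        if rest.startswith("Sent Access-"):
            ex["response"] = rest.split()[1]   # attrs after this line belong to the reply
        elif rest.startswith("facauth: Updated auth log"):
            ex["auth_log"] = rest.split(": ", 2)[2]
        elif (a := ATTR.match(rest)):
            name, value = a.groups()
            if name == "User-Name":
                ex["user"] = value
            elif name == "Fortinet-FAC-Challenge-Code":
                ex["code"] = value
            elif name == "State":
                ex["state_out" if ex["response"] else "state_in"] = value
    return list(exchanges.values())

def diagnose(exchanges):
    """Flag a token challenge whose answer was rejected with 'password change required':
    no change-password challenge reached the NAS (the thread's fix: MS-CHAP-V2 on FortiGate)."""
    challenges = {ex["state_out"]: ex for ex in exchanges if ex["response"] == "Access-Challenge"}
    findings = []
    for ex in exchanges:
        prior = challenges.get(ex["state_in"])
        if prior and ex["response"] == "Access-Reject" and "password change required" in ex["auth_log"]:
            findings.append(f"user '{ex['user']}': token challenge {prior['code']} (request {prior['req']}, "
                            f"State {prior['state_out']}) answered, but request {ex['req']} got Access-Reject "
                            "instead of a change-password challenge; verify the FortiGate RADIUS server "
                            "authentication method is MS-CHAP-V2")
    return findings
```

Run it over the full /debug output to see every challenge/answer pair; a reject that carries a State from an earlier challenge is the signature to look for.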
Hey zoriax,
thanks for posting the solution!
My apologies that I didn't ask about the RADIUS authentication method; when you said you'd enabled AD authentication I automatically assumed FortiGate was set to MS-CHAP-V2, sorry for the assumption.
Great that you solved it!