Hi !
I have a strange behaviour with FortiAuthenticator and SSL VPN on FortiGate
Without 2FA enabled on FortiAuthenticator account
With 2FA enabled on FortiAuthenticator account
On Autentication > User Account Polices I have
If I disabled "Request password reset after OTP verification". The behaviour is a bit different.
What is the correct workflow and options to allow token and password change with LDAP ?
Many thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Ok after a few search I solved the problem.
To work with 2FA and reset, you need to enable MS-CHAP-V2 in FortiGate Radius
I tried witha local user and the behaviour is the same :( ! It seems I missed someting in configuration :)
Hey zoriax,
did you enable the setting to allow password change in FortiGate CLI?
#config user radius
#set password-renewal enable
#end
Yes and as I said in my post, it works ! The only problem is when 2fa is enabled
Oh, my apologies, I overlooked that bit - please ignore the above post then.
In that case, I would dive into the RADIUS authentication debug log on FortiAuthenticator (https://<FortiAuthenticator>/debug and select 'Radius Authentication' in the drop-down) to see what it is doing, and what it is sending to FortiGate when. It could also be that FortiGate is not handling the two challenges (token code, change password) well; I believe that depends a bit on FortiGate firmware version
Hi Debbie, no proble :)
I run FortiOS 7.0.5 and FortiAuth 6.4.3
In debug, I have :
2022-04-08T14:14:37.428877+02:00 AUTH radiusd[8170]: Waking up in 0.6 seconds.
2022-04-08T14:14:37.428886+02:00 AUTH radiusd[8170]: Thread 3 got semaphore
2022-04-08T14:14:37.428906+02:00 AUTH radiusd[8170]: Thread 3 handling request 10, (3 handled so far).
What is amazing is that all the process works without OTP enabled (I can change my password correctly).
And for this test I used local user to be sure everything works on FortiAuth directly.
Should it be related to Radius Vendor Attirbutes ? I check inside dictionnaries and cant find :
I only have :
Ok after a few search I solved the problem.
To work with 2FA and reset, you need to enable MS-CHAP-V2 in FortiGate Radius
Hey zoriax,
thanks for posting the solution!
My apologies that I didn't ask about the RADIUS authentication method; when you said you'd enabled AD authentication I automatically assumed FortiGate was set to MS-CHAP-V2, sorry for the assumption.
Great that you solved it!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.