Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
zoriax
Contributor

Created on ‎04-08-2022 02:41 AM Edited on ‎04-08-2022 02:42 AM

FortiAuthenticator SSL VPN - LDAP - 2FA and Password Change

Hi !

 

I have a strange behaviour with FortiAuthenticator and SSL VPN on FortiGate

 

  • FortiAuthenticator is configured to sync ldap user account
  • FortiAuthenticator is configured to act as RADIUS with remote users
    • On RADIUS policy, I used checked "User Windows AD Domain Authentication"
  • ForiGate SSL VPN is correctly configured with RADIUS

Without 2FA enabled on FortiAuthenticator account

  • On SSL VPN web interface I can connect
  • If I reset the password on my Active Directory (force change), on SSL VPN interface I can set a new password
  • zoriax_0-1649410571368.png

 

With 2FA enabled on FortiAuthenticator account

  • On SSL VPN web interface I can connect with toke
  • If I reset the password on my Active Directory (force change), on SSL VPN interface when I enter the token I'm not redirected to change password page but I have an error
  • zoriax_1-1649410689889.png

     

On Autentication > User Account Polices I have

zoriax_2-1649410715612.png

If I disabled "Request password reset after OTP verification". The behaviour is a bit different.

  • I can change de password, then I recieved the token but after entering the token I have : 
  • zoriax_1-1649410689889.png
  • And I need to login again with my new password

 

What is the correct workflow and options to allow token and password change with LDAP ?


Many thanks

 

 

Labels:
5111
0 Kudos
1 Solution
zoriax
Contributor

Created on ‎04-08-2022 08:09 AM Edited on ‎04-08-2022 08:10 AM

Ok after a few search I solved the problem.


To work with 2FA and reset, you need to enable MS-CHAP-V2 in FortiGate Radius

View solution in original post

5052
9 REPLIES 9
zoriax
Contributor

Created on ‎04-08-2022 03:05 AM

I tried witha local user and the behaviour is the same :( ! It seems I missed someting in configuration :)

5066
0 Kudos
Debbie_FTNT
Staff
Staff
In response to zoriax

Created on ‎04-08-2022 04:18 AM

Hey zoriax,

did you enable the setting to allow password change in FortiGate CLI?
#config user radius
#set password-renewal enable
#end

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
5062
0 Kudos
zoriax
Contributor

Created on ‎04-08-2022 04:27 AM

Yes and as I said in my post, it works ! The only problem is when 2fa is enabled

5060
0 Kudos
Debbie_FTNT
Staff
Staff
In response to zoriax

Created on ‎04-08-2022 04:51 AM

Oh, my apologies, I overlooked that bit - please ignore the above post then.
In that case, I would dive into the RADIUS authentication debug log on FortiAuthenticator (https://<FortiAuthenticator>/debug and select 'Radius Authentication' in the drop-down) to see what it is doing, and what it is sending to FortiGate when. It could also be that FortiGate is not handling the two challenges (token code, change password) well; I believe that depends a bit on FortiGate firmware version

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
5056
0 Kudos
zoriax
Contributor

Created on ‎04-08-2022 04:57 AM Edited on ‎04-21-2024 10:14 PM

Hi Debbie, no proble :) 

 

I run FortiOS 7.0.5 and FortiAuth 6.4.3

 

In debug, I have : 

 

2022-04-08T14:14:37.428877+02:00 AUTH radiusd[8170]: Waking up in 0.6 seconds.
2022-04-08T14:14:37.428886+02:00 AUTH radiusd[8170]: Thread 3 got semaphore
2022-04-08T14:14:37.428906+02:00 AUTH radiusd[8170]: Thread 3 handling request 10, (3 handled so far).

 

 

5049
0 Kudos
zoriax
Contributor

Created on ‎04-08-2022 05:41 AM

What is amazing is that all the process works without OTP enabled (I can change my password correctly).

 

And for this test I used local user to be sure everything works on FortiAuth directly.

5043
0 Kudos
zoriax
Contributor

Created on ‎04-08-2022 06:38 AM

Should it be related to Radius Vendor Attirbutes ? I check inside dictionnaries and cant find : 

 

zoriax_0-1649425060885.png

I only have : 

zoriax_1-1649425087703.png

 

 

5026
0 Kudos
zoriax
Contributor

Created on ‎04-08-2022 08:09 AM Edited on ‎04-08-2022 08:10 AM

Ok after a few search I solved the problem.


To work with 2FA and reset, you need to enable MS-CHAP-V2 in FortiGate Radius

5053
Debbie_FTNT
Staff
Staff
In response to zoriax

Created on ‎04-11-2022 12:43 AM

Hey zoriax,

thanks for posting the solution!

My apologies that I didn't ask about the RADIUS authentication method; when you said you'd enabled AD authentication I automatically assumed FortiGate was set to MS-CHAP-V2, sorry for the assumption.

Great that you solved it!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
4992
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.