FortiAuthenticator SSL VPN - LDAP - 2FA and Password Change
Hi!
I have a strange behaviour with FortiAuthenticator and SSL VPN on FortiGate:
- FortiAuthenticator is configured to sync LDAP user accounts
- FortiAuthenticator is configured to act as RADIUS with remote users
- On the RADIUS policy, I checked "Use Windows AD Domain Authentication"
- FortiGate SSL VPN is correctly configured with RADIUS
Without 2FA enabled on the FortiAuthenticator account:
- On the SSL VPN web interface I can connect
- If I reset the password in my Active Directory (force change), on the SSL VPN interface I can set a new password
With 2FA enabled on the FortiAuthenticator account:
- On the SSL VPN web interface I can connect with the token
- If I reset the password in my Active Directory (force change), on the SSL VPN interface when I enter the token I'm not redirected to the change password page but I get an error
On Authentication > User Account Policies I have:
If I disable "Request password reset after OTP verification", the behaviour is a bit different.
- I can change the password, then I receive the token, but after entering the token I have:
- And I need to login again with my new password
What is the correct workflow and options to allow token and password change with LDAP?
Many thanks
Labels: FortiAuthenticator v5.5
I tried with a local user and the behaviour is the same :( ! It seems I missed something in the configuration :)
Hey zoriax,
did you enable the setting to allow password change in the FortiGate CLI? (password-renewal is set per RADIUS server entry, so the entry has to be selected first; <radius-server-name> is a placeholder for your server object)
# config user radius
# edit <radius-server-name>
# set password-renewal enable
# next
# end
Yes, and as I said in my post, it works! The only problem is when 2FA is enabled.
Oh, my apologies, I overlooked that bit - please ignore the above post then.
In that case, I would dive into the RADIUS authentication debug log on FortiAuthenticator (https://<FortiAuthenticator>/debug and select 'Radius Authentication' in the drop-down) to see what it is doing, and what it is sending to FortiGate when. It could also be that FortiGate is not handling the two challenges (token code, change password) well; I believe that depends a bit on the FortiGate firmware version.
Hi Debbie, no problem :)
I run FortiOS 7.0.5 and FortiAuth 6.4.3.
In the debug, I have:
2022-04-08T14:14:37.428877+02:00 AUTH radiusd[8170]: Waking up in 0.6 seconds.
2022-04-08T14:14:37.428886+02:00 AUTH radiusd[8170]: Thread 3 got semaphore
2022-04-08T14:14:37.428906+02:00 AUTH radiusd[8170]: Thread 3 handling request 10, (3 handled so far).
What is amazing is that the whole process works without OTP enabled (I can change my password correctly).
And for this test I used a local user to be sure everything works on FortiAuth directly.
Should it be related to RADIUS Vendor Attributes? I checked inside the dictionaries and can't find:
I only have:
Ok, after a few searches I solved the problem.
To work with 2FA and reset, you need to enable MS-CHAP-V2 in the FortiGate RADIUS server configuration.
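As an added illustration (not configuration from this thread or from Fortinet documentation), here is the FortiGate RADIUS server object with the authentication type left on its default beside the corrected MS-CHAPv2 form; the server name, address and shared secret are assumed placeholders.

```fortios
# Before: auth-type stays on its default "auto". The change-password step that
# follows the OTP challenge is not completed, which is the failure described
# in the thread.
config user radius
    edit "FAC-RADIUS"                 # assumed server object name
        set server "192.0.2.10"       # assumed FortiAuthenticator address
        set secret <shared-secret>    # placeholder
        set auth-type auto
        set password-renewal enable   # accepted, but relies on MS-CHAPv2
    next
end

# After: pin the method to MS-CHAPv2, the protocol that carries the
# change-password exchange, so both challenges (token code, then new
# password) can be completed from the SSL VPN portal.
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"
        set secret <shared-secret>
        set auth-type ms_chap_v2
        set password-renewal enable
    next
end
```

Before retesting the SSL VPN, `diagnose test authserver radius FAC-RADIUS mschap2 <user> <password>` on the FortiGate CLI confirms that FortiAuthenticator accepts MS-CHAPv2 for that server object; the FortiAuthenticator RADIUS client entry must also permit MS-CHAPv2 for the test to pass.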
Hey zoriax,
thanks for posting the solution!
My apologies that I didn't ask about the RADIUS authentication method; when you said you'd enabled AD authentication I automatically assumed FortiGate was set to MS-CHAP-V2, sorry for the assumption.
Great that you solved it!
