- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiScan
- FortiSandbox
- FortiSIEM
- FortiSwitch
- FortiSOAR
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- Customer Service
- Community Groups
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiAuthenticator SSL VPN - LDAP - 2FA and Passwo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAuthenticator SSL VPN - LDAP - 2FA and Password Change
Hi !
I have a strange behaviour with FortiAuthenticator and SSL VPN on FortiGate
- FortiAuthenticator is configured to sync ldap user account
- FortiAuthenticator is configured to act as RADIUS with remote users
- On RADIUS policy, I used checked "User Windows AD Domain Authentication"
- ForiGate SSL VPN is correctly configured with RADIUS
Without 2FA enabled on FortiAuthenticator account
- On SSL VPN web interface I can connect
- If I reset the password on my Active Directory (force change), on SSL VPN interface I can set a new password
With 2FA enabled on FortiAuthenticator account
- On SSL VPN web interface I can connect with toke
- If I reset the password on my Active Directory (force change), on SSL VPN interface when I enter the token I'm not redirected to change password page but I have an error
On Autentication > User Account Polices I have
If I disabled "Request password reset after OTP verification". The behaviour is a bit different.
- I can change de password, then I recieved the token but after entering the token I have :
- And I need to login again with my new password
What is the correct workflow and options to allow token and password change with LDAP ?
Many thanks
Solved! Go to Solution.
Labels:
- Labels:
-
FortiAuthenticator
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok after a few search I solved the problem.
To work with 2FA and reset, you need to enable MS-CHAP-V2 in FortiGate Radius
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried witha local user and the behaviour is the same :( ! It seems I missed someting in configuration :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey zoriax,
did you enable the setting to allow password change in FortiGate CLI?
#config user radius
#set password-renewal enable
#end
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes and as I said in my post, it works ! The only problem is when 2fa is enabled
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, my apologies, I overlooked that bit - please ignore the above post then.
In that case, I would dive into the RADIUS authentication debug log on FortiAuthenticator (https://<FortiAuthenticator>/debug and select 'Radius Authentication' in the drop-down) to see what it is doing, and what it is sending to FortiGate when. It could also be that FortiGate is not handling the two challenges (token code, change password) well; I believe that depends a bit on FortiGate firmware version
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Debbie, no proble :)
I run FortiOS 7.0.5 and FortiAuth 6.4.3
In debug, I have :
2022-04-08T14:14:37.428877+02:00 AUTH radiusd[8170]: Waking up in 0.6 seconds.
2022-04-08T14:14:37.428886+02:00 AUTH radiusd[8170]: Thread 3 got semaphore
2022-04-08T14:14:37.428906+02:00 AUTH radiusd[8170]: Thread 3 handling request 10, (3 handled so far)
2022-04-08T14:14:37.428954+02:00 AUTH radiusd[8170]: (10) Received Access-Request Id 169 from 192.168.1.1:18010 to 192.168.1.10:1812 length 123
2022-04-08T14:14:37.428970+02:00 AUTH radiusd[8170]: (10) NAS-Identifier = "FORTI"
2022-04-08T14:14:37.428973+02:00 AUTH radiusd[8170]: (10) User-Name = "test"
2022-04-08T14:14:37.428976+02:00 AUTH radiusd[8170]: (10) User-Password: ******
2022-04-08T14:14:37.428983+02:00 AUTH radiusd[8170]: (10) Framed-IP-Address = 1.2.3.1
2022-04-08T14:14:37.428993+02:00 AUTH radiusd[8170]: (10) NAS-Port = 1
2022-04-08T14:14:37.429003+02:00 AUTH radiusd[8170]: (10) NAS-Port-Type = Virtual
2022-04-08T14:14:37.429008+02:00 AUTH radiusd[8170]: (10) Calling-Station-Id = "1.2.3.1"
2022-04-08T14:14:37.429012+02:00 AUTH radiusd[8170]: (10) Acct-Session-Id = "2baecc24"
2022-04-08T14:14:37.429015+02:00 AUTH radiusd[8170]: (10) Connect-Info = "vpn-ssl"
2022-04-08T14:14:37.429018+02:00 AUTH radiusd[8170]: (10) Fortinet-Vdom-Name = "root"
2022-04-08T14:14:37.429034+02:00 AUTH radiusd[8170]: (10) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:37.429041+02:00 AUTH radiusd[8170]: (10) authorize {
2022-04-08T14:14:37.429061+02:00 AUTH radiusd[8170]: (10) [preprocess] = ok
2022-04-08T14:14:37.429071+02:00 AUTH radiusd[8170]: (10) [chap] = noop
2022-04-08T14:14:37.429081+02:00 AUTH radiusd[8170]: (10) [mschap] = noop
2022-04-08T14:14:37.429089+02:00 AUTH radiusd[8170]: (10) eap: No EAP-Message, not doing EAP
2022-04-08T14:14:37.429092+02:00 AUTH radiusd[8170]: (10) [eap] = noop
2022-04-08T14:14:37.429099+02:00 AUTH radiusd[8170]: (10) [expiration] = noop
2022-04-08T14:14:37.429105+02:00 AUTH radiusd[8170]: (10) [logintime] = noop
2022-04-08T14:14:37.429116+02:00 AUTH radiusd[8170]: (10) facauth: facauth: recv Access-Request from 192.168.1.1 port 18010, id=169, length=123
2022-04-08T14:14:37.429120+02:00 AUTH radiusd[8170]: NAS-Identifier = "FORTI"
2022-04-08T14:14:37.429161+02:00 AUTH radiusd[8170]: User-Name = "test"
2022-04-08T14:14:37.429166+02:00 AUTH radiusd[8170]: User-Password: ******
2022-04-08T14:14:37.429169+02:00 AUTH radiusd[8170]: Framed-IP-Address = 1.2.3.1
2022-04-08T14:14:37.429172+02:00 AUTH radiusd[8170]: NAS-Port = 1
2022-04-08T14:14:37.429175+02:00 AUTH radiusd[8170]: NAS-Port-Type = Virtual
2022-04-08T14:14:37.429191+02:00 AUTH radiusd[8170]: Calling-Station-Id = "1.2.3.1"
2022-04-08T14:14:37.429197+02:00 AUTH radiusd[8170]: Acct-Session-Id = "2baecc24"
2022-04-08T14:14:37.429240+02:00 AUTH radiusd[8170]: Connect-Info = "vpn-ssl"
2022-04-08T14:14:37.429243+02:00 AUTH radiusd[8170]: Fortinet-Vdom-Name = "root"
2022-04-08T14:14:37.429249+02:00 AUTH radiusd[8170]: Event-Timestamp = "Apr 8 2022 14:14:37 CEST"
2022-04-08T14:14:37.429251+02:00 AUTH radiusd[8170]: NAS-IP-Address = 192.168.1.1
2022-04-08T14:14:37.429255+02:00 AUTH radiusd[8170]: (10) facauth: ===>NAS IP:192.168.1.1
2022-04-08T14:14:37.429261+02:00 AUTH radiusd[8170]: (10) facauth: ===>Username:test
2022-04-08T14:14:37.429267+02:00 AUTH radiusd[8170]: (10) facauth: ===>Timestamp:1649420077.428678, age:0ms
2022-04-08T14:14:37.429768+02:00 AUTH radiusd[8170]: (10) facauth: Comparing client IP 192.168.1.1 with authclient FORTI (192.168.1.1, 1 IPs)
2022-04-08T14:14:37.429771+02:00 AUTH radiusd[8170]: (10) facauth: ------> matched!
2022-04-08T14:14:37.429774+02:00 AUTH radiusd[8170]: (10) facauth: Found authclient from preloaded authclients list for 192.168.1.1: FORTI (192.168.1.1)
2022-04-08T14:14:37.429778+02:00 AUTH radiusd[8170]: (10) facauth: authclient_id:1 auth_type:'password'
2022-04-08T14:14:37.430525+02:00 AUTH radiusd[8170]: (10) facauth: Found authpolicy 'AUTH_LOGIN' for client '192.168.1.1'
2022-04-08T14:14:37.430539+02:00 AUTH radiusd[8170]: (10) facauth: Setting 'Auth-Type := FACAUTH'
2022-04-08T14:14:37.430553+02:00 AUTH radiusd[8170]: (10) [facauth] = updated
2022-04-08T14:14:37.430563+02:00 AUTH radiusd[8170]: Not doing PAP as Auth-Type is already set.
2022-04-08T14:14:37.430566+02:00 AUTH radiusd[8170]: (10) [pap] = noop
2022-04-08T14:14:37.430570+02:00 AUTH radiusd[8170]: (10) } # authorize = updated
2022-04-08T14:14:37.430579+02:00 AUTH radiusd[8170]: (10) Found Auth-Type = facauth
2022-04-08T14:14:37.430584+02:00 AUTH radiusd[8170]: (10) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:37.430587+02:00 AUTH radiusd[8170]: (10) Auth-Type FACAUTH {
2022-04-08T14:14:37.430605+02:00 AUTH radiusd[8170]: (10) facauth: Client type: external (subtype: radius)
2022-04-08T14:14:37.430608+02:00 AUTH radiusd[8170]: (10) facauth: Input raw_username: (null) Realm: (null) username: test
2022-04-08T14:14:37.430645+02:00 AUTH radiusd[8170]: (10) facauth: Searching default realm as well
2022-04-08T14:14:37.430653+02:00 AUTH radiusd[8170]: (10) facauth: Realm not specified, default goes to FAC local user
2022-04-08T14:14:37.431536+02:00 AUTH radiusd[8170]: (10) facauth: Local user found: test
2022-04-08T14:14:37.431542+02:00 AUTH radiusd[8170]: (10) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2022-04-08T14:14:37.431546+02:00 AUTH radiusd[8170]: (10) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2022-04-08T14:14:37.431550+02:00 AUTH radiusd[8170]: (10) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: email]
2022-04-08T14:14:37.431554+02:00 AUTH radiusd[8170]: (10) facauth: WARNING: Warning: user 'test' was partially authed before, remove it from old cache.
2022-04-08T14:14:37.431750+02:00 AUTH radiusd[8170]: (10) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2022-04-08T14:14:37.431755+02:00 AUTH radiusd[8170]: (10) facauth: just continue doing authentication
2022-04-08T14:14:37.431760+02:00 AUTH radiusd[8170]: (10) facauth: Partial auth done, challenge for token code
2022-04-08T14:14:37.431907+02:00 AUTH radiusd[8170]: Try to load smtp server, id: 2
2022-04-08T14:14:37.432168+02:00 AUTH radiusd[8170]: (10) facauth: Sent email token code (timeout 120) to sylvain.aubort@ciad.ch
2022-04-08T14:14:37.432175+02:00 AUTH radiusd[8170]: Load radius challenge msg from template: Please enter your token code
2022-04-08T14:14:37.432189+02:00 AUTH radiusd[8170]: (10) facauth: Sending Access-Challenge.
2022-04-08T14:14:37.432516+02:00 AUTH radiusd[8170]: (10) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2022-04-08T14:14:37.432520+02:00 AUTH radiusd[8170]: (10) facauth: Auth code: 20300
2022-04-08T14:14:37.432548+02:00 AUTH radiusd[8170]: (10) facauth: Updated auth log 'test': Local user authentication partially done, expecting email token
2022-04-08T14:14:37.432552+02:00 AUTH radiusd[8170]: (10) facauth: facauth: print reply attributes of request id 169:
2022-04-08T14:14:37.432557+02:00 AUTH radiusd[8170]: Reply-Message = "-Please enter your token code"
2022-04-08T14:14:37.432560+02:00 AUTH radiusd[8170]: Fortinet-FAC-Challenge-Code = "001"
2022-04-08T14:14:37.432565+02:00 AUTH radiusd[8170]: State = 0x31
2022-04-08T14:14:37.432568+02:00 AUTH radiusd[8170]: (10) [facauth] = handled
2022-04-08T14:14:37.432571+02:00 AUTH radiusd[8170]: (10) } # Auth-Type FACAUTH = handled
2022-04-08T14:14:37.432587+02:00 AUTH radiusd[8170]: (10) Using Post-Auth-Type Challenge
2022-04-08T14:14:37.433129+02:00 AUTH radiusd[8170]: (10) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:37.433143+02:00 AUTH radiusd[8170]: (10) Challenge { ... } # empty sub-section is ignored
2022-04-08T14:14:37.433151+02:00 AUTH radiusd[8170]: (10) Sent Access-Challenge Id 169 from 192.168.1.10:1812 to 192.168.1.1:18010 length 0
2022-04-08T14:14:37.433157+02:00 AUTH radiusd[8170]: (10) Reply-Message = "-Please enter your token code"
2022-04-08T14:14:37.433162+02:00 AUTH radiusd[8170]: (10) Fortinet-FAC-Challenge-Code = "001"
2022-04-08T14:14:37.433165+02:00 AUTH radiusd[8170]: (10) State = 0x31
2022-04-08T14:14:37.433203+02:00 AUTH radiusd[8170]: (10) Finished request
2022-04-08T14:14:37.433206+02:00 AUTH radiusd[8170]: Thread 3 waiting to be assigned a request
2022-04-08T14:14:38.099701+02:00 AUTH radiusd[8170]: Waking up in 29.3 seconds.
2022-04-08T14:14:49.226626+02:00 AUTH radiusd[8170]: Waking up in 0.6 seconds.
2022-04-08T14:14:49.226712+02:00 AUTH radiusd[8170]: Thread 1 got semaphore
2022-04-08T14:14:49.226727+02:00 AUTH radiusd[8170]: Thread 1 handling request 11, (3 handled so far)
2022-04-08T14:14:49.226754+02:00 AUTH radiusd[8170]: (11) Received Access-Request Id 170 from 192.168.1.1:17837 to 192.168.1.10:1812 length 126
2022-04-08T14:14:49.226760+02:00 AUTH radiusd[8170]: (11) NAS-Identifier = "FORTI"
2022-04-08T14:14:49.226763+02:00 AUTH radiusd[8170]: (11) State = 0x31
2022-04-08T14:14:49.226767+02:00 AUTH radiusd[8170]: (11) User-Name = "test"
2022-04-08T14:14:49.226770+02:00 AUTH radiusd[8170]: (11) User-Password: ******
2022-04-08T14:14:49.226776+02:00 AUTH radiusd[8170]: (11) Framed-IP-Address = 1.2.3.1
2022-04-08T14:14:49.226781+02:00 AUTH radiusd[8170]: (11) NAS-Port = 1
2022-04-08T14:14:49.226785+02:00 AUTH radiusd[8170]: (11) NAS-Port-Type = Virtual
2022-04-08T14:14:49.226788+02:00 AUTH radiusd[8170]: (11) Calling-Station-Id = "1.2.3.1"
2022-04-08T14:14:49.226838+02:00 AUTH radiusd[8170]: (11) Acct-Session-Id = "2baecc24"
2022-04-08T14:14:49.226842+02:00 AUTH radiusd[8170]: (11) Connect-Info = "vpn-ssl"
2022-04-08T14:14:49.226845+02:00 AUTH radiusd[8170]: (11) Fortinet-Vdom-Name = "root"
2022-04-08T14:14:49.226850+02:00 AUTH radiusd[8170]: (11) session-state: No cached attributes
2022-04-08T14:14:49.226855+02:00 AUTH radiusd[8170]: (11) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:49.226859+02:00 AUTH radiusd[8170]: (11) authorize {
2022-04-08T14:14:49.226873+02:00 AUTH radiusd[8170]: (11) [preprocess] = ok
2022-04-08T14:14:49.226878+02:00 AUTH radiusd[8170]: (11) [chap] = noop
2022-04-08T14:14:49.226882+02:00 AUTH radiusd[8170]: (11) [mschap] = noop
2022-04-08T14:14:49.226887+02:00 AUTH radiusd[8170]: (11) eap: No EAP-Message, not doing EAP
2022-04-08T14:14:49.226889+02:00 AUTH radiusd[8170]: (11) [eap] = noop
2022-04-08T14:14:49.226932+02:00 AUTH radiusd[8170]: (11) [expiration] = noop
2022-04-08T14:14:49.226936+02:00 AUTH radiusd[8170]: (11) [logintime] = noop
2022-04-08T14:14:49.226947+02:00 AUTH radiusd[8170]: (11) facauth: facauth: recv Access-Request from 192.168.1.1 port 17837, id=170, length=126
2022-04-08T14:14:49.226951+02:00 AUTH radiusd[8170]: NAS-Identifier = "FORTI"
2022-04-08T14:14:49.226953+02:00 AUTH radiusd[8170]: State = 0x31
2022-04-08T14:14:49.226956+02:00 AUTH radiusd[8170]: User-Name = "test"
2022-04-08T14:14:49.226958+02:00 AUTH radiusd[8170]: User-Password: ******
2022-04-08T14:14:49.226962+02:00 AUTH radiusd[8170]: Framed-IP-Address = 1.2.3.1
2022-04-08T14:14:49.226964+02:00 AUTH radiusd[8170]: NAS-Port = 1
2022-04-08T14:14:49.226967+02:00 AUTH radiusd[8170]: NAS-Port-Type = Virtual
2022-04-08T14:14:49.226970+02:00 AUTH radiusd[8170]: Calling-Station-Id = "1.2.3.1"
2022-04-08T14:14:49.227027+02:00 AUTH radiusd[8170]: Acct-Session-Id = "2baecc24"
2022-04-08T14:14:49.227031+02:00 AUTH radiusd[8170]: Connect-Info = "vpn-ssl"
2022-04-08T14:14:49.227034+02:00 AUTH radiusd[8170]: Fortinet-Vdom-Name = "root"
2022-04-08T14:14:49.227037+02:00 AUTH radiusd[8170]: Event-Timestamp = "Apr 8 2022 14:14:49 CEST"
2022-04-08T14:14:49.227040+02:00 AUTH radiusd[8170]: NAS-IP-Address = 192.168.1.1
2022-04-08T14:14:49.227042+02:00 AUTH radiusd[8170]: (11) facauth: ===>NAS IP:192.168.1.1
2022-04-08T14:14:49.227046+02:00 AUTH radiusd[8170]: (11) facauth: ===>Username:test
2022-04-08T14:14:49.227052+02:00 AUTH radiusd[8170]: (11) facauth: ===>Timestamp:1649420089.226472, age:0ms
2022-04-08T14:14:49.227489+02:00 AUTH radiusd[8170]: (11) facauth: Comparing client IP 192.168.1.1 with authclient FORTI (192.168.1.1, 1 IPs)
2022-04-08T14:14:49.227492+02:00 AUTH radiusd[8170]: (11) facauth: ------> matched!
2022-04-08T14:14:49.227496+02:00 AUTH radiusd[8170]: (11) facauth: Found authclient from preloaded authclients list for 192.168.1.1: FORTI (192.168.1.1)
2022-04-08T14:14:49.227499+02:00 AUTH radiusd[8170]: (11) facauth: authclient_id:1 auth_type:'password'
2022-04-08T14:14:49.228210+02:00 AUTH radiusd[8170]: (11) facauth: Found authpolicy 'SSL_VPN_LOGIN' for client '192.168.1.1'
2022-04-08T14:14:49.228220+02:00 AUTH radiusd[8170]: (11) facauth: Setting 'Auth-Type := FACAUTH'
2022-04-08T14:14:49.228231+02:00 AUTH radiusd[8170]: (11) [facauth] = updated
2022-04-08T14:14:49.228237+02:00 AUTH radiusd[8170]: Not doing PAP as Auth-Type is already set.
2022-04-08T14:14:49.228240+02:00 AUTH radiusd[8170]: (11) [pap] = noop
2022-04-08T14:14:49.228243+02:00 AUTH radiusd[8170]: (11) } # authorize = updated
2022-04-08T14:14:49.228249+02:00 AUTH radiusd[8170]: (11) Found Auth-Type = facauth
2022-04-08T14:14:49.228254+02:00 AUTH radiusd[8170]: (11) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:49.228257+02:00 AUTH radiusd[8170]: (11) Auth-Type FACAUTH {
2022-04-08T14:14:49.228264+02:00 AUTH radiusd[8170]: (11) facauth: This is a response to Access-Challenge
2022-04-08T14:14:49.228268+02:00 AUTH radiusd[8170]: (11) facauth: Partial auth user found
2022-04-08T14:14:49.228329+02:00 AUTH radiusd[8170]: (11) facauth: Successfully found partially authenticated user instance.
2022-04-08T14:14:49.228525+02:00 AUTH radiusd[8170]: (11) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2022-04-08T14:14:49.228683+02:00 AUTH radiusd[8170]: (11) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2022-04-08T14:14:49.228687+02:00 AUTH radiusd[8170]: (11) facauth: Auth code: 20000
2022-04-08T14:14:49.228739+02:00 AUTH radiusd[8170]: (11) facauth: Updated auth log 'test': Local user authentication with email token failed: user password change required
2022-04-08T14:14:49.228744+02:00 AUTH radiusd[8170]: (11) facauth: facauth: print reply attributes of request id 170:
2022-04-08T14:14:49.228748+02:00 AUTH radiusd[8170]: Reply-Message += "user must change password"
2022-04-08T14:14:49.228752+02:00 AUTH radiusd[8170]: (11) [facauth] = reject
2022-04-08T14:14:49.228755+02:00 AUTH radiusd[8170]: (11) } # Auth-Type FACAUTH = reject
2022-04-08T14:14:49.228759+02:00 AUTH radiusd[8170]: (11) Failed to authenticate the user
2022-04-08T14:14:49.228767+02:00 AUTH radiusd[8170]: (11) Using Post-Auth-Type Reject
2022-04-08T14:14:49.228771+02:00 AUTH radiusd[8170]: (11) # Executing group from file /usr/etc/raddb/sites-enabled/default
2022-04-08T14:14:49.229162+02:00 AUTH radiusd[8170]: (11) Post-Auth-Type REJECT {
2022-04-08T14:14:49.229177+02:00 AUTH radiusd[8170]: (11) facauth: User-Name: test (from request)
2022-04-08T14:14:49.229181+02:00 AUTH radiusd[8170]: (11) [facauth] = ok
2022-04-08T14:14:49.229184+02:00 AUTH radiusd[8170]: (11) } # Post-Auth-Type REJECT = ok
2022-04-08T14:14:49.229190+02:00 AUTH radiusd[8170]: (11) Delaying response for 1.000000 seconds
2022-04-08T14:14:49.229197+02:00 AUTH radiusd[8170]: Thread 1 waiting to be assigned a request
2022-04-08T14:14:49.895721+02:00 AUTH radiusd[8170]: Waking up in 0.3 seconds.
2022-04-08T14:14:50.231709+02:00 AUTH radiusd[8170]: (11) Sending delayed response
2022-04-08T14:14:50.231726+02:00 AUTH radiusd[8170]: (11) Sent Access-Reject Id 170 from 192.168.1.10:1812 to 192.168.1.1:17837 length 47
2022-04-08T14:14:50.231734+02:00 AUTH radiusd[8170]: (11) Reply-Message += "user must change password"
2022-04-08T14:14:50.231781+02:00 AUTH radiusd[8170]: Waking up in 17.2 seconds.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is amazing is that all the process works without OTP enabled (I can change my password correctly).
And for this test I used local user to be sure everything works on FortiAuth directly.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Should it be related to Radius Vendor Attirbutes ? I check inside dictionnaries and cant find :
I only have :
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok after a few search I solved the problem.
To work with 2FA and reset, you need to enable MS-CHAP-V2 in FortiGate Radius
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey zoriax,
thanks for posting the solution!
My apologies that I didn't ask about the RADIUS authentication method; when you said you'd enabled AD authentication I automatically assumed FortiGate was set to MS-CHAP-V2, sorry for the assumption.
Great that you solved it!
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Related Posts
- username an password for Fortinet online... 46 Views
- Change password of fsso agent 85 Views
- Show current LDAP users and force... 210 Views
- VPN Server may be unreachable (-14)... 236 Views
- Device doing brute force SSH attacks... 91 Views
Labels
-
FortiGate
3,071 -
5.2
801 -
FortiClient
657 -
5.4
639 -
6.0
416 -
5.6
362 -
FortiManager
332 -
6.2
251 -
FortiAnalyzer
200 -
5.0
196 -
fortimail
153 -
FortiAP
150 -
fortiswitch
134 -
FortiAuthenticator
128 -
6.4
128 -
FortiClient EMS
85 -
FortiWeb
74 -
4.0MR3
64 -
FortiGateCloud
49 -
FortiGuard
47 -
FortiToken
37 -
FortiCloud Products
37 -
Customer Service
36 -
FortiSIEM
35 -
FortiNAC
29 -
Wireless Controller
29 -
FortiADC
22 -
FortiVoice
19 -
FortiSwitch v6.4
18 -
FortiSandbox
16 -
FortiProxy
15 -
FortiEDR
15 -
FortiGate v5.4
14 -
FortiConnect
14 -
FortiExtender
13 -
FortiDNS
11 -
FortiConverter
10 -
FortiWAN
9 -
4.0MR2
9 -
FortiSwitch v6.2
8 -
FortiCASB
8 -
4.0
7 -
RMA Information and Announcements
5 -
FortiGate v5.2
5 -
FortiAnalyzer v5.0
5 -
FortiManager v5.0
5 -
FortiPortal
4 -
3.6
4 -
FortiSoar
4 -
FortiRecorder
3 -
FortiDDoS
3 -
FortiCarrier
3 -
FortiDirector
3 -
FortiMonitor
3 -
FortiWeb v5.0
2 -
FortiGate v5.0
2 -
FortiScan
2 -
FortiDB
2 -
FortiInsight
2 -
4.0MR1
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiBridge
1 -
FortiCache
1 -
FortiGate v4.0 MR3
1
Top Kudoed Authors
| User | Count |
|---|---|
| 141 | |
| 70 | |
| 64 | |
| 42 | |
| 37 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.