You need to know that usernames on the FortiGate are case-sensitive, while usernames in Windows Active Directory are not case-sensitive.
So FortiGate will match only the exact username, with case sensitivity, to perform 2FA (two-factor authentication); in your case it will send the message to the user.
The issue is down to FortiGate treating usernames as case-sensitive by default, whereas LDAP does not.
This means that, under specific circumstances, users can bypass a local user entry on FortiGate that is in place to enforce TFA, and instead authenticate against LDAP. The circumstances are:
- local user entries on the FortiGate with a token/SMS assigned, referencing back to LDAP for credentials
- these local users also being members of LDAP groups
- at least one of the LDAP groups they are a member of added on FortiGate and is able to authenticate to SSLVPN outright
As an example:
- in LDAP there is the user "emrecicek", member of group "VPN-User"
- on the affected FortiGate, there is a local user "emrecicek" with a token/SMS assigned and added to policies/authentication rules
- on the affected FortiGate, there is a group "VPN-User" pointing back to LDAP with filter "CN=VPN-User, OU=[...]"
If the user logs into VPN with "emrecicek", the token/SMS is requested.
If the user logs in with "Emrecicek", or "emreCicek", or "EmreCicek", or "EMRECicek" or anything that is NOT an exact match to "emrecicek", it will not match the local user.
-> so FortiGate will check other authentication options
-> it finds the LDAP group "VPN-User", and so sends credentials for "EmreCicek" (or any of the other variations) to LDAP
-> LDAP is NOT case-sensitive, so it does not care about capital/non-capital letters in the username, and should accept the credentials
-> the user is successfully authenticated as a member of the "VPN-User" group WITHOUT SMS and has access to anything that the LDAP group has
In firmware versions where this is fixed, a CLI option has been added to the 'config user local' entry, 'case-sensitivity' or 'case-insensitivity' depending on firmware version. Enabling/disabling it will enforce or not enforce case-sensitivity.
If case-sensitivity is enforced, the behavior will remain.
If case-sensitivity is not enforced, then the user can log in with any capital/non-capital letter variation of his username, but the SMS will still be required.
Please follow the article below for more information:
There are some other options to prevent this:
- keep token/SMS and non-token/SMS users in separate LDAP groups, so they cannot authenticate via LDAP group instead of the local user entry
--> only use non-token/SMS LDAP groups for VPN authentication and in policies to enforce this; a token/SMS user should not have membership in these groups and so would fail the group-matching stage in VPN authentication
- do not add any LDAP groups to VPN authentication/policies at all
--> this is only an option if all users should be required to present a token/SMS
- use FortiAuthenticator to associate LDAP users and tokens/SMS instead of FortiGate
--> in this case, FortiAuthenticator (which is case-insensitive) would handle authentication and FortiGate would have a RADIUS server entry for FortiAuthenticator along with a user group containing the RADIUS server (and possible group filtering)
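The matching order described in the answers above (an exact, case-sensitive local user match first, then a fall-through to the LDAP groups in the VPN policy, where the directory matches case-insensitively), as an added simulation that is not part of the original post or of FortiOS itself. The directory contents, password and the `FortiGateSim` / `scenario` helpers are constructed for illustration; the `case_sensitive_local` flag stands in for the firmware option the post mentions and is an assumption about how that option behaves, not a FortiOS API.

```python
from dataclasses import dataclass

# Constructed sample directory (not a real LDAP server): one user, member of "VPN-User".
# Active Directory matches sAMAccountName case-insensitively; the lookups below
# lowercase the key to mimic that.
LDAP_DIRECTORY = {
    "emrecicek": {"password": "constructed-sample-password", "groups": {"VPN-User"}},
}


def ldap_bind(username: str, password: str) -> bool:
    """Case-insensitive credential check, as the directory behaves."""
    entry = LDAP_DIRECTORY.get(username.lower())
    return entry is not None and entry["password"] == password


def ldap_groups(username: str) -> set:
    """Group memberships of the bound user, again looked up case-insensitively."""
    entry = LDAP_DIRECTORY.get(username.lower())
    return set(entry["groups"]) if entry else set()


@dataclass
class LocalUser:
    name: str
    token_required: bool  # token/SMS assigned to this local entry


@dataclass
class FortiGateSim:
    local_users: dict                    # name -> LocalUser; credentials verified via LDAP
    vpn_ldap_groups: set                 # LDAP groups added to the VPN policy
    case_sensitive_local: bool = True    # the default behaviour the post describes (assumed flag)

    def _match_local(self, username: str):
        """Stage 1: local user entries. Exact match by default, or relaxed when
        case sensitivity is not enforced (hypothetical model of the firmware option)."""
        for local in self.local_users.values():
            if self.case_sensitive_local:
                if local.name == username:
                    return local
            elif local.name.lower() == username.lower():
                return local
        return None

    def authenticate(self, username: str, password: str, otp: str = None) -> dict:
        local = self._match_local(username)
        if local is not None:
            if not ldap_bind(username, password):
                return {"result": "denied", "via": "local", "second_factor": False}
            if local.token_required and otp is None:
                # Local entry matched: the token/SMS is demanded before access is granted.
                return {"result": "token-required", "via": "local", "second_factor": True}
            return {"result": "allowed", "via": "local", "second_factor": local.token_required}
        # Stage 2: no local entry matched, so the LDAP groups in the policy are tried.
        # The directory does not care about case, so a variant spelling binds fine.
        if ldap_bind(username, password) and ldap_groups(username) & self.vpn_ldap_groups:
            return {"result": "allowed", "via": "ldap-group", "second_factor": False}
        return {"result": "denied", "via": None, "second_factor": False}


def scenario(case_sensitive_local: bool, vpn_ldap_groups=frozenset({"VPN-User"})) -> dict:
    """Run the post's example for several spellings of the username and report
    which stage handled each one and whether a second factor was enforced."""
    fgt = FortiGateSim(
        local_users={"emrecicek": LocalUser("emrecicek", token_required=True)},
        vpn_ldap_groups=set(vpn_ldap_groups),
        case_sensitive_local=case_sensitive_local,
    )
    return {
        spelling: fgt.authenticate(spelling, "constructed-sample-password")
        for spelling in ("emrecicek", "Emrecicek", "EMRECicek")
    }


if __name__ == "__main__":
    for label, kwargs in (("default (case-sensitive local match)", {"case_sensitive_local": True}),
                          ("case sensitivity not enforced", {"case_sensitive_local": False}),
                          ("no LDAP groups in the VPN policy", {"case_sensitive_local": True,
                                                                "vpn_ldap_groups": frozenset()})):
        print(label)
        for spelling, outcome in scenario(**kwargs).items():
            print(f"  {spelling:10s} -> {outcome['result']:15s} via {outcome['via']}")
```

Running the script shows the three situations from the post side by side: with the default exact match, only the lower-case spelling reaches the local entry and is asked for the token, while the other spellings fall through to the "VPN-User" LDAP group and are allowed with no second factor; with case sensitivity not enforced, every spelling hits the local entry and the token is still required; and with no LDAP groups in the VPN policy, the variant spellings are simply denied, which is the second of the alternative mitigations listed above.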