My FG has the SSLVPN service configured, which gives remote users access with username/password via LDAP, with double authentication (Mobile FortiToken or OTP via email) activated for all users.
Some users have reported to me that they can access by simply entering only username and password and are not asked to enter the token.
How can this happen if all users have enabled double authentication for access to SSLVPN?
Attached is the error shown on the FG (firmware version 7.0.17).
User configuration:
# show user local xyz
config user local
    edit "xyz"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB11016D9D2B"
        set email-to "xyz@xyz.com"
        set ldap-server "LDAP"
    next
end
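As an added example (not from the thread or from Fortinet), a small audit of `show user local` output in the format quoted above: it parses each user entry and reports any user whose two-factor setting is missing or incomplete, which is the first thing to rule out before chasing per-session debug. The "abc" user and its values are constructed for the sample.

```python
import re

# Constructed `show user local` output in the FortiOS CLI format quoted in the thread;
# "xyz" mirrors the poster's entry (token serial reused from the thread), "abc" is made up.
SAMPLE_CONFIG = """\
config user local
    edit "xyz"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB11016D9D2B"
        set email-to "xyz@xyz.com"
        set ldap-server "LDAP"
    next
    edit "abc"
        set type ldap
        set ldap-server "LDAP"
    next
end
"""

def parse_user_local(text: str) -> dict[str, dict[str, str]]:
    """Parse `config user local` output into {username: {setting: value}}."""
    users: dict[str, dict[str, str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r'edit "([^"]+)"$', line):
            current = m.group(1)
            users[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            users[current][key] = value.strip().strip('"')
    return users

def audit_two_factor(users: dict[str, dict[str, str]]) -> dict[str, str]:
    """Return {username: finding} for users whose 2FA is off or incompletely configured.
    `show` prints only non-default values, so a missing `two-factor` line means `disable`."""
    findings = {}
    for name, s in users.items():
        method = s.get("two-factor", "disable")
        if method == "disable":
            findings[name] = "no two-factor method set"
        elif method == "fortitoken" and "fortitoken" not in s:
            findings[name] = "fortitoken method without an assigned token serial"
        elif method == "email" and "email-to" not in s:
            findings[name] = "email method without an email-to address"
    return findings
```

Feed it the full `show user local` dump from the unit; an empty result means every local user carries a complete two-factor configuration and the cause lies elsewhere (session handling, a different user object, or the firmware).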
I would start by looking at the users that are logged in but w/o MFA.
It should show you which are connected only with user and password; start looking into them.
I analyzed the users who reported the problem but their configuration is correct and the same as the others.
Then for 99.9% of users the access to SSLVPN is correct after entering username+password+token, while for a few random users they manage to access without token.
I assume that web connections are w/o MFA?
All users and all type of SSLVPN connection (tunnel or web mode) are with MFA (token or OTP email).
Worth having a look: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-users-show-as-Two-factor-authentic...
As for the token not being requested although the user is configured with it, I would start doing debug/checks for them and start isolating the issue. There's gotta be an explanation.
Created on 05-16-2025 06:07 AM, edited on 05-16-2025 06:09 AM
Thanks for your support. Do you think I should try to update to 7.2.9 or later?
In the Fortinet Community document you've shared, I don't understand what it means by "However, to address this error alert, it is recommended to provide the user credentials (username and password together) and then allow a brief interval (Seconds) as FortiGate prompts for two-factor authentication (2FA)." because the login procedure via client or web already requires the token to be entered a few seconds after entering the username and password...
Analyzing the problem is very difficult because it is a problem that occurs randomly on very few users and not always...
All users are configured with MFA but sometimes, some, and not always the same ones, log in only with username+password.
I would go for 7.2.11 since the 7.0 version is out of support, but it's not guaranteed that it would solve your situation, which to be honest is a little bit strange; I haven't seen so far that users with MFA enabled succeed in logging in w/o entering anything.
7.0 will be out of support from 30.09.2025, but I am considering upgrading to version 7.2.9 or later.
I agree with you, the situation is very strange...