zero_net
New Contributor

Fortigate SSLVPN "some users are not using two factor authentication"

My FG has an SSLVPN service configured that gives remote users access with username/password via LDAP, with Mobile FortiToken or OTP via email as double authentication, activated for all users.

Some users have reported to me that they can access by simply entering only username and password and are not asked to enter the token.

How can this happen if all users have double authentication enabled for access to SSLVPN?


Attached is the error shown on the FG (firmware version 7.0.17).

User configuration:


# show user local xyz
config user local
    edit "xyz"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB11016D9D2B"
        set email-to "xyz@xyz.com"
        set ldap-server "LDAP"
    next
end


[Attachment: FG_warning_message.jpg]
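A first defender-side check for a report like this is to audit the whole `config user local` table rather than one entry, so that every account whose second factor is missing or incompletely configured is listed in one pass. The following script is an added example and not part of the original post or of any Fortinet tool; it parses a `show user local` dump in the same CLI shape as the one above and flags users with no `two-factor` method, a `fortitoken` method without an assigned token serial, or an `email` method without an `email-to` address. The entry "xyz" is taken from the post; the other user blocks are constructed to exercise the checker. Note that `show` omits default values, so a missing `two-factor` line is treated as the default `disable`.

```python
"""Audit a FortiGate `show user local` dump for incomplete two-factor setup.

Added example for the thread above; it is not FortiGate's own tooling.
Assumptions (not from the post): the `two-factor` values `disable`,
`fortitoken` and `email`, and the `fortitoken` / `email-to` keys, follow the
standard `config user local` CLI syntax.
"""
import shlex
from typing import Dict, List

# Constructed sample dump. Only "xyz" comes from the post; the remaining
# users are made up so that each audit branch is exercised.
SAMPLE_DUMP = """\
config user local
    edit "xyz"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB11016D9D2B"
        set email-to "xyz@xyz.com"
        set ldap-server "LDAP"
    next
    edit "no-2fa-user"
        set type ldap
        set ldap-server "LDAP"
    next
    edit "email-otp-user"
        set type ldap
        set two-factor email
        set email-to "otp@example.com"
        set ldap-server "LDAP"
    next
    edit "token-missing-user"
        set type ldap
        set two-factor fortitoken
        set ldap-server "LDAP"
    next
end
"""


def parse_user_local(dump: str) -> Dict[str, Dict[str, str]]:
    """Parse `edit "<name>"` ... `next` blocks into {user: {setting: value}}.

    `config` / `end` lines are ignored. Quoted values are unquoted and
    multi-word values are joined with a single space.
    """
    users: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "edit" and len(parts) >= 2:
            current = parts[1]
            users[current] = {}
        elif parts[0] == "next":
            current = None
        elif parts[0] == "set" and current is not None and len(parts) >= 3:
            users[current][parts[1]] = " ".join(parts[2:])
    return users


def audit_two_factor(users: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {user: [problem, ...]} for users whose second factor is not usable.

    A user absent from the result has a two-factor method that is complete
    as far as the local user object is concerned.
    """
    findings: Dict[str, List[str]] = {}
    for name, cfg in users.items():
        problems: List[str] = []
        # `show` hides defaults, so no `two-factor` line means `disable`.
        method = cfg.get("two-factor", "disable")
        if method == "disable":
            problems.append("no second factor configured (two-factor is disable or unset)")
        elif method == "fortitoken" and "fortitoken" not in cfg:
            problems.append("two-factor is fortitoken but no token serial is assigned")
        elif method == "email" and "email-to" not in cfg:
            problems.append("two-factor is email but no email-to address is set")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    parsed = parse_user_local(SAMPLE_DUMP)
    report = audit_two_factor(parsed)
    print(f"{len(parsed)} local users parsed, {len(report)} with findings")
    for user, problems in sorted(report.items()):
        for problem in problems:
            print(f"  {user}: {problem}")
```

Run it against the output of `show user local` saved to a file (replace `SAMPLE_DUMP` with the file contents). It only validates the local user objects; a user that passes this audit yet is still not prompted for a token, which is the situation described in the thread, has to be traced with the per-login debugging suggested in the replies.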

funkylicious
SuperUser

I would start by looking at the users that are logged in but w/o MFA.

It should show you which are connected only with user and password; start looking into them.

"jack of all trades, master of none"
zero_net

I analyzed the users who reported the problem, but their configuration is correct and the same as the others'.
So for 99.9% of users access to the SSLVPN is correct after entering username+password+token, while a few random users manage to access without a token.

[Attachment: users.jpg]


funkylicious

I assume that web connections are w/o MFA?

"jack of all trades, master of none"
zero_net

All users and all types of SSLVPN connection (tunnel or web mode) are with MFA (token or OTP email).

funkylicious

Worth having a look: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-users-show-as-Two-factor-authentic...

As for the token not being requested although the user is configured with it, I would start doing debugs/checks for them and start isolating the issue. There's gotta be an explanation.

"jack of all trades, master of none"
zero_net

Thanks for your support. Do you think I should try to update to 7.2.9 or later?
In the Fortinet Community document you've shared, I don't understand what it means by "However, to address this error alert, it is recommended to provide the user credentials (username and password together) and then allow a brief interval (Seconds) as FortiGate prompts for two-factor authentication (2FA)." because the login procedure via client or web already requires the token to be entered a few seconds after entering the username and password...
Analyzing the problem is very difficult because it is a problem that occurs randomly on very few users and not always...
All users are configured with MFA but sometimes, some, and not always the same ones, log in only with username+password.

funkylicious

I would go for 7.2.11 since the 7.0 version is out of support, but it's not guaranteed that it would solve your situation, which to be honest is a little bit strange; I haven't seen so far users with MFA enabled succeed in logging in w/o entering anything.

"jack of all trades, master of none"
zero_net

7.0 will be out of support from 30.09.2025, but I am considering upgrading to version 7.2.9 or later.

I agree with you, the situation is very strange...
