JSNascimento

Fortigate requiring token for internet access, even for users who should only use token with VPN.

This problem began after I upgraded Fortigate from 6.4.15 to 7.0.17 without any configuration changes. Before this, the issue was not observed. It's not a problem if it asks for a username and password; the issue is that it started asking for a token, which was initially required only for VPN users.

FortiGate is requiring a token for internet access, even for users who should only need a token for VPN. The firewall integrates with MS AD via LDAP and FSSO.

VPN users authenticate with tokens via FortiAuthenticator, which is also integrated with MS AD via LDAP. FortiGate requires a token for internet access only when users are on the local network, not when they are on remote access.

All firewall rules for Internet access are configured to validate FSSO users, with LDAP validation as a fallback in the same rules. See the attached screenshot. 

(attached screenshot: i02.png)

jsdnascimento
8 REPLIES
AEK

If you are using FSSO in firewall rules then it should not require token because it is passive authentication.

AEK
JSNascimento

Thanks for the reply. You are right, but let me explain better. All firewall rules for Internet access are configured to validate FSSO users, with LDAP validation as a fallback in the same rules. See the attached screenshot.

Please feel free to comment, you're welcome.

jsdnascimento
funkylicious

"jack of all trades, master of none"
AEK

Following @funkylicious post, what happens when you remove the LDAP group from your policy? Can you do the test and advise?

AEK
JSNascimento

Thanks @AEK again.

I haven't tried removing the LDAP group from the policy yet. This problem began after I upgraded Fortigate from 6.4.15 to 7.0.17 without any configuration changes. Before the upgrade, the issue was not observed. I'm trying to find an explanation for the problem before making any changes. It's not a problem if it asks for a username and password; the issue is that it started asking for a token, which was initially required only for VPN users.

jsdnascimento
AEK

The LDAP group configured in VPN is the same as the one configured in the firewall rule, right? I mean API-INTERNET-PERFIL-DEV_LDAP, right?

Then I'm not astonished that it asks for token if it is configured so in FortiAuthenticator. In that case I guess FOS 6.4.15 was dealing with this case (FSSO/LDAP group mix) differently than FOS 7.0.17 in terms of priority or just trying all possible authentications in parallel.

It is just an opinion (according to the behavior) but unfortunately I don't have any official document on that.

AEK
JSNascimento

@AEK, thank you again for your response. I have a hypothesis regarding the three authentication methods we have implemented:

1) FSSO for transparent authentication in AD.
2) LDAP (from the firewall to the AD server) that prompts for login and password if FSSO fails.
3) RADIUS from FortiAuthenticator (with LDAP to AD), intended solely for VPN.
Previously, the order seemed to be as listed above. However, after the firewall update, it appears the order changed to 1, 3, and 2. Do you share this impression?

I am unsure how to reconfigure the authentication priority to maintain the original sequence (1, 2, 3). I will look into this further.

If anybody knows, feel free to share.

jsdnascimento
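To make the separation of the three methods concrete, the following FortiOS CLI fragment is an added illustration, not configuration taken from the original post or screenshot. It keeps the FortiAuthenticator RADIUS group referenced only by the SSL-VPN authentication rule, and lets the Internet policy reference only an FSSO group (passive) plus a plain LDAP group (active fallback, username and password, no token). Every name, address and DN (AD_LDAP, FAC_RADIUS, 10.0.0.10/20, CORP.LOCAL, the group names) is an assumption chosen for the example.

```fortios
# Illustrative FortiOS configuration (assumed names and addresses, not the poster's config)

# 1) LDAP server on the domain controller: used by the Internet policy's fallback group
config user ldap
    edit "AD_LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=local"
        set type regular
        set username "CN=svc-ldap,OU=Service,DC=corp,DC=local"
        set password <bind-password>
        set secure ldaps
        set port 636
    next
end

# 3) RADIUS server on FortiAuthenticator (token enforced there): used by VPN only
config user radius
    edit "FAC_RADIUS"
        set server "10.0.0.20"
        set secret <shared-secret>
    next
end

config user group
    # FSSO group: passive, learned from the collector agent, never prompts
    edit "INTERNET-USERS_FSSO"
        set group-type fsso-service
        set member "CN=INTERNET-USERS,OU=GROUPS,DC=CORP,DC=LOCAL"
    next
    # LDAP group: active fallback, username/password only, no FortiAuthenticator in the path
    edit "INTERNET-USERS_LDAP"
        set member "AD_LDAP"
        config match
            edit 1
                set server-name "AD_LDAP"
                set group-name "CN=Internet-Users,OU=Groups,DC=corp,DC=local"
            next
        end
    next
    # RADIUS group: the only group that reaches FortiAuthenticator and its token check
    edit "VPN-USERS"
        set member "FAC_RADIUS"
    next
end

# Internet policy: FSSO first, LDAP group as fallback. VPN-USERS is deliberately absent here.
config firewall policy
    edit 10
        set name "LAN-to-Internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "INTERNET-USERS_FSSO" "INTERNET-USERS_LDAP"
        set nat enable
    next
end

# SSL-VPN: only the RADIUS (token) group is allowed to log in
config vpn ssl settings
    set source-interface "wan1"
    config authentication-rule
        edit 1
            set groups "VPN-USERS"
            set portal "full-access"
        next
    end
end
```

The test AEK proposed earlier in the thread corresponds to removing "INTERNET-USERS_LDAP" from the policy's `set groups` line: if the token prompt disappears, the active-fallback group is what pulls FortiAuthenticator into the Internet policy. If the LDAP group used for Internet access is the same object the VPN rule references, and that object (or the user's VPN login) resolves to a RADIUS server with two-factor enabled, the prompt is expected; the fix is two distinct groups as above rather than changing an authentication order, which FortiOS does not expose as a setting.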
AEK

Can you please run the following so I can understand more?

Start auth debug:

diagnose debug application fnbamd 255
diagnose debug enable

Run an LDAP auth test with the affected user:

diag test authserver ldap <AD_LDAP> <user> <password>

Run a RADIUS auth test with the affected user:

diag test authserver radius <RADIUS_SERVER> <method> <user> <password>

Then generate the required traffic to trigger the firewall policy.

And share all the above output, each separately.

AEK