Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
daj
New Contributor

Fortitoken 2FA issue

Hi,

I have got a problem with the 2FA mobile token.

We use SSL VPN and LDAP. All VPN users are assigned 2FA with a mobile token and they are able to log in to the network via VPN using the 2FA mobile token. But only one user is unable to use the token. When he tries his username and password, FortiClient does not ask for FortiToken Mobile and he gets directly connected into the network, which seems the same as SSO, even though the user is successfully assigned a FortiToken Mobile.

What might be the reason for this? How can I troubleshoot this and get it resolved?

 

Thanks!!

xsilver_FTNT
Staff

Hi daj,

 

Q: What might be the reason for this?

A: If it's on FortiGate and the users are remote type, so they do actually further authenticate, for example against LDAP on MSFT AD, then the usual mistake & reason is FortiGate's case sensitivity.

In detail:

- if you have an LDAP type user name 'johndoe' with a token assigned

- and such a user is a member of a firewall group where there is the user 'johndoe' and the actual LDAP server as members

- then when the user authenticates and uses 'Johndoe' (UPPERCASE J) as the user name, those 'johndoe' and 'Johndoe' are completely different users for FortiGate. But as LDAP is also a member, the login process fails to find the local user (the one with the token) and falls back to another group member, the LDAP server. And as the user is LDAP type, it successfully authenticates through the LDAP server.

SOLUTIONS for the above:

a) use FortiAuthenticator as a centralized authentication back-end which can deal with case sensitivity

b) split the firewall group members and do NOT mix pure LDAP with token users, or in a more advanced scenario set the group match on that LDAP server in such a way that users with the token will not be considered members anymore, so the mentioned 'johndoe' either authenticates with the proper casing and token or 'He shall not pass!' .. at all.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
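The group-member fallback Tomas describes above, modelled as an added example (not FortiOS code or Fortinet's own matching logic): a group that mixes a token-protected user entry with an LDAP server member lets a differently cased login fall through to LDAP with no token prompt; the audit function flags such groups (solution b), and the case_sensitive flag models the per-user username-case-sensitivity setting discussed later in the thread. Group, user and server names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class LocalUser:            # FortiGate user entry (here: LDAP type, token assigned)
    name: str
    token_required: bool = True
    case_sensitive: bool = True   # models 'set username-case-sensitivity' (FortiOS 6.4.1)

@dataclass
class LdapServer:           # LDAP server listed directly as a group member
    name: str

@dataclass
class Group:
    name: str
    members: list = field(default_factory=list)

def match_local(user, login):
    # Name comparison as the thread describes it: exact unless relaxed per user.
    if user.case_sensitive:
        return user.name == login
    return user.name.casefold() == login.casefold()

def authenticate(group, login):
    """Return which group member handles 'login': local entries are searched
    first; if none matches, the login falls back to any LDAP server member
    (assumed to resolve the account, AD being case-insensitive), so no token."""
    for m in group.members:
        if isinstance(m, LocalUser) and match_local(m, login):
            return "local+token" if m.token_required else "local"
    for m in group.members:
        if isinstance(m, LdapServer):
            return f"ldap:{m.name}"
    return "denied"

def audit_mixed_groups(groups):
    """Flag groups that mix token-protected users with an LDAP server (solution b)."""
    return [g.name for g in groups
            if any(isinstance(m, LocalUser) and m.token_required for m in g.members)
            and any(isinstance(m, LdapServer) for m in g.members)]

# Constructed sample: the misconfiguration from the thread and the two fixes.
MIXED = Group("sslvpn-users", [LocalUser("johndoe"), LdapServer("AD")])
SPLIT = Group("sslvpn-token-users", [LocalUser("johndoe")])
RELAXED = Group("sslvpn-relaxed", [LocalUser("johndoe", case_sensitive=False), LdapServer("AD")])

if __name__ == "__main__":
    for g, login in ((MIXED, "johndoe"), (MIXED, "Johndoe"), (SPLIT, "Johndoe"), (RELAXED, "Johndoe")):
        print(f"{g.name:20} {login:8} -> {authenticate(g, login)}")
    print("groups mixing token users with LDAP:", audit_mixed_groups([MIXED, SPLIT, RELAXED]))
```

The relaxed match closes the casing path, but the audit still flags the relaxed group because the LDAP member remains a token-free route for any other name.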

daj

Hi Tomas,

I am using the login name with the proper case. I can see in my router that a FortiToken is assigned to the user. But the issue is, when the user tries to access the VPN network with his username and password, it directly enters the network without asking for the FortiToken which is already shown as assigned.

Also the user is not mixed with firewall group members.

 

Thanks

Muralidharan

In Windows AD, the ID is not case sensitive. How do we change the authentication with casing?
xsilver_FTNT

Hi,

Not sure if the question is how to change this on AD; then you are on the wrong forum I guess, as this is Fortinet, not Microsoft. If it however is on FortiOS, then how about this?

config user radius
  edit XYZ-RAD-SERVER
    set username-case-sensitive {enable | disable}    (Enable/disable case sensitive user names.)
  next
end

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

PeterK

As far as I know you cannot change it. You either have to change the AD account into upper or lower case as desired, or the user has to change it to how it appears on the FortiGate. I cannot remember where it is on the FortiGate off hand, but you can either set it to use the account logon from AD or the display name (if using the display name, it is how it displays in the tree, so I tend to do a rename).

Alivo__FTNT

Hello,

 

In FortiOS 6.4.1 this is configurable per user:

 

config user local
  edit xsilver
    set username-case-insensitivity {enable | disable}
  next
end

Further, the user that does not match his case, regardless of this setting, will be denied logon.

It is possible that this will later be in 6.2.

Best Regards,

Alivo


wifi

Alivo_FTNT, please don't say that, as you have not tested this.

It does not work like that; just tested on FortiOS 6.4.1.

No such commands to set.

wifi

Pavel_Livonec_FTNT wrote:

Hello,

In FortiOS 6.4.1 this is configurable per user:

config user local
  edit xsilver
    set username-case-insensitivity {enable | disable}
  next
end

Further, the user that does not match his case, regardless of this setting, will be denied logon.

It is possible that this will later be in 6.2.

Best Regards,

Alivo

Alivo_FTNT, please don't say that, as you have not tested this. It does not work like that; just tested on FortiOS 6.4.1. No such commands to set.

Alivo__FTNT

Hello wifi,

The option set username-case-sensitivity becomes available only when the user has a token assigned; otherwise it is not applicable.

P.S. In 6.4.1, set username-case-insensitivity was changed to username-case-sensitivity. Have a nice day.

Best Regards,

Alivo

