Hei,
I have got a problem with 2FA Mobile token.
We use SSL VPN and LDAP. All vpn users are assigned by 2FA with mobile token and they are able to login to the network via VPN using 2FA mobile token. But only one user is unable to use the token. When he tried his username and password , the forticleint not asks for fortitioken mobile and get directly connected into the network , which is seems same as SSO, eventhough the user is successfully assigned by a fortitoken mobile.
What might be the reason for this . How can I troubleshoot this and get it resolved.
Thanks!!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi daj,
Q:What might be the reason for this.
A: if it's on FortiGate and users are remote type so they do actually further authenticate for example against LDAP on MSFT AD, then usual mistake & reason is in FortiGate's case sensitivity.
In details:
- if you have ldap type user name 'johndoe' with token assigned
- and such user is member of firewall group where there is user 'jonhndoe' and actual LDAP server as members
- then when user authenticate and as user name uses 'Johndoe' (UPPERCASE j), then those 'johndoe' and 'Johndoe' are completely different users for FortiGate. But as LDAP is also member, then login process fail to find local user (the one with token) and fall back to another group member, the LDAP. And as user is LDAP type it successfully authenticate through the LDAP.
SOLUTIONs for above:
a) user FortiAuthenticator as centralized authentication back-end which can deal with case sensitivnes
b) split firewall group members and do NOT mix pure LDAP with token users, or in more advanced scenario set group match on that LDAP the way that users with the token will not be considered members anymore, so mentioned 'johndoe' either authenticate with the proper casing and token or 'He shall not pass!' .. at all.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hello,
In FortiOS 6.4.1 this is configurable per user:
config user local
edit xsilver
set username-case-insensitivity [enable|disable]
end
Further, the user that does not match his case regardless of this setting, will be denied
from logon.
It is possible that this will be later in 6.2.
Best Regards,
Alivo
livo
Hi daj,
Q:What might be the reason for this.
A: if it's on FortiGate and users are remote type so they do actually further authenticate for example against LDAP on MSFT AD, then usual mistake & reason is in FortiGate's case sensitivity.
In details:
- if you have ldap type user name 'johndoe' with token assigned
- and such user is member of firewall group where there is user 'jonhndoe' and actual LDAP server as members
- then when user authenticate and as user name uses 'Johndoe' (UPPERCASE j), then those 'johndoe' and 'Johndoe' are completely different users for FortiGate. But as LDAP is also member, then login process fail to find local user (the one with token) and fall back to another group member, the LDAP. And as user is LDAP type it successfully authenticate through the LDAP.
SOLUTIONs for above:
a) user FortiAuthenticator as centralized authentication back-end which can deal with case sensitivnes
b) split firewall group members and do NOT mix pure LDAP with token users, or in more advanced scenario set group match on that LDAP the way that users with the token will not be considered members anymore, so mentioned 'johndoe' either authenticate with the proper casing and token or 'He shall not pass!' .. at all.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hei Tomas,
I am using the login name with proper cases. I can see in my router that Fortitoken is assigned for the user. But the issue is , when user is trying to access vpn network wih is username and password, it direclty enter to network, not asking for fortitoken which is already shown as assigned.
Also the user is not mixed with firewall group members.
Thanks
Hi,
not sure if it's question how to change this on AD, then you are on wrong forum I guess as this is Fortinet, not Microsoft. If it however is on FortiOS, then how about this?
config user radius
edit XYZ-RAD-SERVER
set username-case-sensitive ... Enable/disable case sensitive user names.
end
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
As far as I know you cannot change it. You either have to change the AD account into upper or lower case as desired or the user has to change it to how appears on the Fortigate. I cannot remember where it is on the Fortigate off hand but you can either setit to use the account logon from AD or the display name (if using the display name it is how it displays in the tree so I tend to do a rename.
Hello,
In FortiOS 6.4.1 this is configurable per user:
config user local
edit xsilver
set username-case-insensitivity [enable|disable]
end
Further, the user that does not match his case regardless of this setting, will be denied
from logon.
It is possible that this will be later in 6.2.
Best Regards,
Alivo
livo
Pavel_Livonec_FTNT wrote:Hello,
In FortiOS 6.4.1 this is configurable per user:
config user local
edit xsilver
set username-case-insensitivity [enable|disable]
end
Further, the user that does not match his case regardless of this setting, will be denied
from logon.
It is possible that this will be later in 6.2.
Best Regards,
Alivo
Pavel_Livonec_FTNT wrote:Hello,
In FortiOS 6.4.1 this is configurable per user:
config user local
edit xsilver
set username-case-insensitivity [enable|disable]
end
Further, the user that does not match his case regardless of this setting, will be denied
from logon.
It is possible that this will be later in 6.2.
Best Regards,
Alivo
Alivo_FTNT , please don't say , as You have not tested this. It does not work like that, just tested on FortiOS 6.4.1. No such commands to set
Hello wifi,
The option set username-case-sensitivity becomes available only when the user has a token assigned, else it is not applicable.
P.S. in 6.4.1 the set username-case-insensitivity was changed to username-case-sensitivity Have a nice day.
Best Regards,
Alivo
livo
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.