Fortitoken doesn't work if the user has no group

Terrainfra · ‎05-21-2024

We are having an issue with the fortitoken sent by email. For example we have the user Jhon that its an user from the LDAP server, he has permissions based on group from the LDAP that those groups are linked to the User Group wich is in the firewall policy

Okey so when the user doesn't have any group in the field "User Group" the fortitoken dont work. If i add any group it does, how can i fix this?

Our idea its that we dont use the groups from the fortigate for the permissions just add them in the LDAP user

More context from CLI

pminarik · ‎05-22-2024

You've most likely run into the good old LDAP vs tokens issue and the many way in which this can be misconfigured.

If the LDAP-user isn't mentioned in any relevant groups, its definition (and thus the token assignment) will not be considered during authentication, and the authentication will pass by virtue of simply being a member of a relevant LDAP group.

The user must be added to relevant groups for the token assigment to be considered and enforced.

See e.g. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Correctly-configuring-Two-Factor-Authentic...

[ corrections always welcome ]