Support Forum
Terrainfra
New Contributor II

FortiToken doesn't work if the user has no group

We are having an issue with the FortiToken sent by email. For example, we have the user Jhon, who is a user from the LDAP server. He has permissions based on groups from LDAP, and those groups are linked to the User Group which is in the firewall policy.

 

Okay, so when the user doesn't have any group in the "User Group" field, the FortiToken doesn't work. If I add any group, it does. How can I fix this?

Our idea is that we don't use the groups from the FortiGate for the permissions; we just add them in the LDAP user.

 

 

[image: forti.png]

 

More context from the CLI:

 

[screenshot: Captura de pantalla 2024-05-21 120528.png]

10 REPLIES
pminarik
Staff

You've most likely run into the good old LDAP vs tokens issue and the many ways in which this can be misconfigured.

 

If the LDAP-user isn't mentioned in any relevant groups, its definition (and thus the token assignment) will not be considered during authentication, and the authentication will pass by virtue of simply being a member of a relevant LDAP group.

 

The user must be added to relevant groups for the token assignment to be considered and enforced.

 

See e.g. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Correctly-configuring-Two-Factor-Authentic...

[ corrections always welcome ]
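As an added illustration of the point made in the reply above (this is editor-supplied example configuration, not from the original post or from pminarik), here is how the two situations look in FortiOS CLI. The LDAP server name "LDAP-SRV", the user "jhon", the group "VPN-USERS", the DN, the e-mail address and the token serial are all assumed placeholders.

```text
# Assumed names throughout: LDAP-SRV, jhon, VPN-USERS, FTKMOB0000000001.

# 1. The user definition on the FortiGate. This object is where the token
#    and the delivery address live; the password is still checked against LDAP.
config user local
    edit "jhon"
        set type ldap
        set ldap-server "LDAP-SRV"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set email-to "jhon@example.com"
    next
end

# 2a. BROKEN. The group the firewall policy references contains only the
#     LDAP server object (plus a remote-group match). "jhon" authenticates
#     by being a member of the LDAP group; the local object "jhon", and with
#     it the FortiToken, is never consulted, so no second factor is asked for.
config user group
    edit "VPN-USERS"
        set member "LDAP-SRV"
        config match
            edit 1
                set server-name "LDAP-SRV"
                set group-name "CN=vpn-users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# 2b. FIXED. The same group now also lists the local user object, so the
#     token-bearing definition is matched for "jhon" and the FortiToken is
#     enforced. LDAP group membership can still be used for the other users.
config user group
    edit "VPN-USERS"
        set member "jhon" "LDAP-SRV"
        config match
            edit 1
                set server-name "LDAP-SRV"
                set group-name "CN=vpn-users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end
```

Two practitioner notes. First, keep the LDAP server object as a direct member of the group only if there really are LDAP users who must authenticate through it without a token; if every member of the group is supposed to have a second factor, list only the local user objects, so there is no path through the group that skips the token. Second, verify the result from the CLI rather than from the GUI: `diagnose test authserver ldap LDAP-SRV jhon <password>` shows whether the bind succeeds and which LDAP groups are returned, and `diagnose debug application fnbamd -1` followed by `diagnose debug enable` shows, during a real login, whether the local user object was matched and a token was requested (disable with `diagnose debug disable` afterwards).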