vvserpent
New Contributor II

Fortitoken problem

Dear Sir,

 

I have a Fortigate running 6.4.10 software and am using SSLVPN with Fortitoken as 2FA. I am using Radius as the authentication server.

The 2FA is working until the user inputs the login name with the domain name as a suffix.

e.g. USER@Domain.com

If the username has the domain name suffix, the user can still log in to the VPN; the system skips prompting the user to input the token.

It seems that, on this Fortigate, the login name with the domain name suffix is a different account without a 2FA token associated.

How can I fix this?

 

kiri
Staff

Hi vvserpent,

It's a bit unclear from your description what should/shouldn't happen.
If the issue is with 2FA being skipped, that's most likely because the user is matching another auth server/group that doesn't ask for 2FA.
For instance, you defined the user on the Fortigate as LDAP and configured 2FA there.
At the same time you have a RADIUS server that is proxying auth to the same LDAP server.
If you have 2 groups, LDAP and RADIUS, that this user can potentially match and log in to SSLVPN through, then 2FA is hit-and-miss.
If RADIUS is quicker than LDAP to respond to the auth request, auth will go through without a token.
Run this debug while you authenticate; it should show which group/server you're authenticating through:

diag debug app fnbamd -1
diag debug enable

 

stop it with "di de di"

vvserpent
New Contributor II

Sorry for the late reply,

The Radius server accepts both the user-name and the user-name with the domain-name suffix.

Workaround: I have set up a new policy on the Radius server to reject logins with the domain name appended.

Hmm... The Fortitoken is installed on the Fortigate and associated with the Fortigate local user account. It looks like the Fortigate treats username and username@domain as two different users. The username@domain has not been created on the Fortigate and hence the VPN login bypasses the 2FA.

Is it possible to configure the Fortigate / FortiClient to remove the domain-name suffix automatically?

 

kiri
Staff

Hi,

 

Seems to be possible for ldap users.

Is this what you're after?

 

config user ldap
edit <name>
set account-key-processing [same|strip]

https://docs.fortinet.com/document/fortigate/6.4.3/cli-reference/497620/user-ldap

 

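The failure mode discussed in this thread, as an added model that is not part of the original posts and is not FortiOS code: a local user with a token is looked up by the exact login string, the RADIUS server accepts both `alice` and `alice@example.com`, and a suffixed login therefore matches no local user and is never asked for a token. The `account_key` function imitates the effect of the `account-key-processing` setting quoted above (`same` versus `strip`), and `radius_rejects_suffix` imitates the RADIUS-side workaround from the earlier reply. All user names, passwords and token values are constructed for the demonstration.

```python
"""Model of the 2FA skip described in this thread.

Added example, not FortiOS code: it imitates a FortiGate whose local user
(with a FortiToken) is looked up by the exact login string while the
RADIUS server accepts both 'alice' and 'alice@example.com'. All names,
passwords and token values below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed local user table: the token is bound to the key "alice" only.
LOCAL_USERS = {"alice": {"token_required": True, "token": "123456"}}

# Constructed RADIUS user database.
RADIUS_PASSWORDS = {"alice": "correct horse battery"}


@dataclass(frozen=True)
class AuthResult:
    allowed: bool
    token_checked: bool
    reason: str


def radius_auth(username: str, password: str, reject_suffixed: bool = False) -> bool:
    """Imitates a RADIUS server that ignores a realm suffix when checking the
    password. reject_suffixed models the workaround policy from the thread:
    refuse any login name that carries an '@domain' part."""
    if reject_suffixed and "@" in username:
        return False
    base_name = username.split("@", 1)[0]
    return RADIUS_PASSWORDS.get(base_name) == password


def account_key(username: str, processing: str) -> str:
    """Imitates account-key-processing: 'same' keeps the login string as the
    lookup key, 'strip' drops everything from the first '@' onward."""
    if processing == "strip":
        return username.split("@", 1)[0]
    if processing == "same":
        return username
    raise ValueError(f"unknown account-key-processing mode: {processing}")


def sslvpn_login(username: str, password: str, token: Optional[str] = None,
                 key_processing: str = "same",
                 radius_rejects_suffix: bool = False) -> AuthResult:
    """Two-stage check: RADIUS password first, then the local user's token."""
    if not radius_auth(username, password, radius_rejects_suffix):
        return AuthResult(False, False, "RADIUS rejected the credentials")

    key = account_key(username, key_processing)
    local = LOCAL_USERS.get(key)
    if local is None:
        # No local user matches this key, so nothing asks for a token: this is
        # the skip the thread describes for 'user@domain'.
        return AuthResult(True, False,
                          f"RADIUS ok; no local user '{key}', token not requested")
    if local["token_required"] and token != local["token"]:
        return AuthResult(False, True, "token missing or wrong")
    return AuthResult(True, local["token_required"], "RADIUS ok; token ok")


if __name__ == "__main__":
    for name, kwargs in [
        ("alice", {}),
        ("alice@example.com", {}),
        ("alice@example.com", {"key_processing": "strip"}),
        ("alice@example.com", {"radius_rejects_suffix": True}),
    ]:
        print(name, kwargs, sslvpn_login(name, "correct horse battery", **kwargs))
```

With the default `same` handling the suffixed login is allowed without a token check; with `strip` it maps back to the local user and is refused until the right token is supplied, and with the RADIUS-side rejection it never gets past the password stage. Whether the real `account-key-processing` setting applies to a given user object depends on the user type, as the reply above notes for LDAP users.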