Support Forum
bartman10
Contributor

IT'S BACK!!!!! FortiToken 2-factor auth LDAP fail (-445)

I've had 3 tickets open about this... this problem was introduced in 5.2. Using FortiToken with LDAP authentication results in Error (-445).

 

The first ticket took the usual week of "upload your config, run all this debug crap, run more debug stuff, let me log in and run the same debug stuff, let me send this to level 2, let level 2 run debug stuff, make some stuff up..." Then they come back with "it's a known issue and will be fixed in 5.2.1". I ask, ok, is there a patch? "No, go away, we're busy"...

 

So I wait till 5.2.1 comes out. I think it was over 2 months after I first reported this issue. So I install 5.2.1... same issue, -445... We do the same week-long game of logs and stuff... This time they say "oh, you have a different issue." It will be fixed sometime... but this time they say there is a hotfix...

 

They give me the hotfix, warning me that it's not fully tested (like the thorough testing they do on the regular release, HAHA). This beast calls itself "5.2.0 Build619". The tech says it's really 5.2.1 619 and to trust him. He sounds nice, so I trust him.

I install this special build... will it finally fix my 2-factor authentication issue, will it make the FortiGate and FortiToken lie down in green pastures and lead me beside quiet waters?! Yes... yes... it does seem so!

So it works now...

 

But then... just last week... I saw the beast, the king of the earth, and their armies... ok, enough of that. Anyway, last week it just started happening again, for no reason, nothing changed. All users are now reporting -445 when using FT...

Logging in with an LDAP user with no 2-factor works, using a local user works, a local user with 2-factor works... but LDAP with 2-factor does not...

Why has he forsaken me!

Support seems puzzled... it's been about a week, so I can't wait to see what they have to say.

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to lose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

Dipen
New Contributor III

FortiSupport sometimes sucks. So you want to use an LDAP user with FortiToken. This is working fine for me in FortiOS 5.0.

Was it working for you in FortiOS 5.0 ?

The downside is that you have to create each and every LDAP user manually under local users. For the password, associate it to an LDAP server, and then associate the FortiToken.

 

One question: during authentication, are you receiving the FortiToken prompt, or does the password entry itself fail?

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

bartman10
Contributor

It did work fine in 5.0. 5.2 started it all.

 

I agree with you on the downside... but I don't see any way around it. You are using remote authentication (LDAP) that you need to associate with a local resource (FortiToken). I believe RADIUS would have the exact same setup. One thing that does drive me nuts is that when you go to create the local user you can't input the user's email and then assign the token, because the system has not actually saved the email yet. So you have to input the email, hit save, get kicked back to the users screen, select the user again, then associate the token.

 

I do get asked for the token. Then after entering the token it errors. If you look at the debug logs it clearly shows LDAP OK, Token OK, then drop for no reason. Support just says "hmm, that's odd".

bartman10
Contributor

I was about at the end of my rope with some of the ongoing issues when I posted... but the facts are all correct. I've had 3 tickets open after installing 5.2 broke the way I had FortiTokens configured and working in 5.0.7. Each ticket ended with "this is a known issue and will be fixed in the next 5.2.X release". Well, I kept installing that next release and the issue was never resolved.

I only just yesterday received a post from an L3 about the FortiToken issue. His post was a bit cryptic and didn't simply come out and say "I see your problem and it's because you should do X, Y, Z", but I was able to read the tea leaves and figure out what he was pointing to. Basically, all this time I had one user group with both the LDAP servers and the local users (who use the LDAP password) with tokens assigned. The fix was to break them up into two separate user groups. In the SSL VPN firewall rule, put the FT user group first. As soon as I did this, FT started working properly again.

The really frustrating thing is no one at support had any idea how this should be configured, and how this should be configured is not documented anywhere. The fact that on the User Groups page you can add local users with LDAP groups configured only seems to allude to the fact that this is OK and should work.

If I'm wrong please point it out in the documentation. 

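A worked configuration for the split-group layout described in the post above, added here as an illustration; it is not the original poster's config and not Fortinet documentation. It uses FortiOS 5.2-era CLI syntax, and the LDAP server name, bind account, addresses, username, token serial, group DNs and policy number are all assumed placeholders:

```fortios
# Remote authentication source (assumed name, address and bind account)
config user ldap
    edit "LDAP-AD"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fortigate,ou=Service,dc=example,dc=com"
        set password "REPLACE_ME"
    next
end

# Local user object whose password is verified against LDAP, with a FortiToken attached.
# A FortiToken can only be assigned to a local user object; the serial is a placeholder.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "LDAP-AD"
        set two-factor fortitoken
        set fortitoken "FTK0000000000000"
        set email-to "jdoe@example.com"
    next
end

# Two separate groups: one holding only the token users, one holding only the LDAP server.
# The broken layout was a single group containing both the local token users and "LDAP-AD".
config user group
    edit "VPN-2FA"
        set member "jdoe"
    next
    edit "VPN-LDAP"
        set member "LDAP-AD"
        config match
            edit 1
                set server-name "LDAP-AD"
                set group-name "CN=VPN Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# SSL VPN policy: the FortiToken group is listed before the LDAP-only group.
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN-2FA" "VPN-LDAP"
    next
end
```

To confirm the two factors independently before blaming the group layout: `diagnose test authserver ldap LDAP-AD jdoe <password>` checks the LDAP bind and lookup on its own, and `diagnose debug application fnbamd -1` followed by `diagnose debug enable` shows the LDAP OK / token OK sequence from the authentication daemon during a real login. Keeping the token users and the plain LDAP users in different groups also avoids the non-2FA users being prompted for a token, which is the symptom Dipen mentions in the reply below.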
Dipen
New Contributor III

Congrats to you then. I also face similar issues when you combine local users and LDAP remote users in the same group. It prompts for FortiToken for non-2FA users as well. Will try your solution... hope it works!

 

Regards

mwkirk
New Contributor

I am having a similar issue, I think, using LDAP and then SMS for the second factor. I am able to get prompted for the OTP, but it will not let me log in. I tried putting the users in a TwoFactor local group and adding that into the policies, but it still seems like it won't connect. I can remove the two-factor from the local users that are mapped via LDAP and then the login is fine. About to open a ticket with support as well, but if there is any additional information to be provided I would appreciate it. I am currently running 5.2.2 on a 200D.

 

Thanks

Mike

bartman10
Contributor

Are you splitting the authorization groups between FortiToken users and non-FT users? When you try to put them all in one group is when the problems start.

mwkirk

bartman10 wrote:

Are you splitting the authorization groups between FortiToken users and non-FT users? When you try to put them all in one group is when the problems start.

Yeah... which it looks like is working now, but I don't know why, as I didn't really make any changes and did have the groups split.

bartman10
Contributor

Glad you got it working. After splitting the groups I have not had an issue. But Fortinet support doesn't even know how this should be configured or how it should work. I spent a long time working with support to get to where I am now...

They really, really need to document this one way or the other. Either you can put both local user accounts (using LDAP auth) and LDAP accounts in the same group or you can't. If you can't, they need to gray out the option to do so as soon as you select one or the other.

The fact that they have no documentation to say if this is allowed, no one at support knows until you get to level 3, and the GUI allows you to mix them... is, well, just a mess... and this is my main gripe with Fortinet as a company.

Great product for the price.. sloppy QA, sloppy documentation, sloppy consistency between product versions and OS versions.

 

Heck, here's a great example of sloppy consistency between product versions: on some of my FGs the CLI prompt is #, on others it's $... try writing a freaking backup script that has to look for # or $ before it knows to issue commands!!!

You don't find that on other gear... and this is just one example.

 

If you need more examples I have plenty...

 

For extra credit, try creating a site-to-site VPN between a 300C and, say, a 94D... at the CLI, from one you can ping the internal interface of the other... from the other you can't... Tell me which one can, and why it does not work on the other for bonus points.

 

FG support is eligible to play, because at least 4 of them have argued with me that this should "never work" even after I literally showed them... Again, it took level 3 support to referee the fight... I won.

mwkirk

Yeah... well, support got back to me this morning. I told them I had it working but let them go through it anyway. The way they describe it, you should be able to mix the groups, so you would have something like the two-factor users set up as local users and then attach a group that has the users that do not require two-factor, or something like that. I blindly let the tech go through it, we changed it, and it did break it. Once separated out, all was good to go.

 

All in all, I really like the products... I have been able to do some really cool things with them over the 3 years or so I have been working with them. I do have an issue with the consistency of the interface, in that things move around or disappear altogether from version to version.

 

I may be missing something as well, but it seems I have to enable SMS two-factor via the CLI, and once it is enabled it shows up in the GUI, where I can disable it, but then if I want to re-enable it I have to go back to the CLI. Again, there may be some option to "display SMS two-factor options" or something like that somewhere.

 

MK
