FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fmerin_FTNT
Staff
Staff
Description
This article describes how to properly configure remote LDAP users to use two-factor authentication.

Solution
When configuring remote LDAP users to use two-factor authentication (for example FortiTokens), it is possible for such authentication to be bypassed by entering a username not matching the case-sensitive username configured for one of the local users.

This case will occur if the following are configured on the FortiGate for a desired user group:

(a) Local users with two-factor are configured

AND

(b) A user group associated with a remote LDAP group, with usernames matching those of the already defined local users

In this case, for all LDAP users that require two-factor authentication, corresponding local LDAP users need to be created on the FortiGate and added to a user group only containing local LDAP users.

* Only usernames matching the case specified in the local LDAP users will be prompted for two-factor authentication.

* Usernames with other cases not matching the exact case defined in the local LDAP users will be denied access

Usernames on the FortiGate are case-sensitive while usernames in Windows Active Directory are not case-sensitive.

Therefore, it is recommended to adhere to a standard/convention for remote LDAP users created on the FortiGate (i.e. all caps or all lowercase) to prevent confusion for users.

Related Articles

Restricting VPN access with two-factor and LDAP authentication

Contributors