FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to properly configure remote LDAP users to use two-factor authentication.
When configuring remote LDAP users to use two-factor authentication (for example FortiTokens), the two-factor step can be bypassed by entering a username whose case does not match the case-sensitive username configured for one of the local users. The FortiGate finds no local-user match, falls through to the remote LDAP group membership check, and Active Directory accepts the username regardless of case, so the user is granted access with a password alone.
This occurs when the following are configured on the FortiGate for the same user group:
(a) Local users with two-factor authentication are configured
(b) The user group is also associated with a remote LDAP group, and the LDAP usernames match those of the already defined local users
In this case, for every LDAP user that requires two-factor authentication, a corresponding local user of type LDAP (a local user whose password is verified against the LDAP server) needs to be created on the FortiGate with two-factor enabled, and added to a user group containing only these local LDAP users, not the remote LDAP group itself.
* Only usernames matching the exact case of the local LDAP users will be prompted for two-factor authentication.
* Usernames entered in any other case will not match a local LDAP user and will be denied access, since the group no longer contains a remote LDAP group to fall through to.
Usernames on the FortiGate are case-sensitive, while usernames in Windows Active Directory are not.
Therefore, it is recommended to adhere to a single convention for the local LDAP users created on the FortiGate (for example, all lowercase, matching the sAMAccountName as stored in AD) so that users know which case to enter and are not locked out.
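The following FortiOS CLI configuration is an added example, not taken from the article, and shows the vulnerable group layout beside the corrected one. The server name "AD-LDAP", the IP address, the DN, the group "CN=VPN Users,...", the username "jsmith", the e-mail address, and the FortiToken serial are all placeholders chosen for illustration.

```fortios
# LDAP server definition (assumed values; replace with your own)
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fortigate,cn=Users,dc=example,dc=com"
        set password <bind-password>
    next
end

# Local user of type LDAP: password is checked against AD-LDAP,
# two-factor (FortiToken) is enforced by the FortiGate.
# Username is all lowercase, matching the convention above.
config user local
    edit "jsmith"
        set type ldap
        set ldap-server "AD-LDAP"
        set two-factor fortitoken
        set fortitoken "FTKMOBXXXXXXXXXX"   # placeholder serial of an activated token
        set email-to "jsmith@example.com"
    next
end

# VULNERABLE: local two-factor user and remote LDAP group in one group.
# Logging in as "JSmith" or "JSMITH" misses the case-sensitive local user,
# matches the remote LDAP group (AD is case-insensitive) and skips two-factor.
config user group
    edit "VPN-Users-Weak"
        set member "jsmith" "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# CORRECTED: the group contains only local LDAP users, no remote LDAP group.
# "jsmith" is prompted for a token; "JSmith" matches nothing and is denied.
config user group
    edit "VPN-Users-2FA"
        set member "jsmith"
    next
end
```

After applying the corrected group, `diagnose test authserver ldap AD-LDAP jsmith <password>` confirms that the LDAP bind itself still succeeds for the user, while a login attempt with a differently cased username against the policy or VPN bound to "VPN-Users-2FA" should be denied rather than accepted without a token.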