I'm setting up Duo MFA for admin logins. It does the LDAP query, sends me the push buuuut then just proceeds with the login. Doesn't matter if I ignore the prompt or hit accept/decline, it just sends me right in. Would this be a Duo or Forti issue?
Device: 60e
Firmware: 6.4.3
    config user radius
        edit "Duo"
            set server "192.168.0.111"
            set secret ENC <secret>
            set auth-type pap
            set source-ip "192.168.222.1"
            set password-renewal disable
        next
    end

    config user group
        edit "Firewall - Admins"
            set member "LDAP" "Duo"
            config match
                edit 1
                    set server-name "LDAP"
                    set group-name "CN=Fortigate - Admins,OU= etc....."
                next
            end
        next
    end
And resolved by removing the below from the user group...
    set group-name "CN=Fortigate - Admins,OU= etc....."
So effectively you authenticate against the whole LDAP tree instead of just a subtree. I wonder if you already specified a restricted subtree in the definition of your "LDAP" server object. If the server def and the group def here do not overlap, you will never get an authentication.
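A preflight check for the overlap the reply above describes, as an added example script that is not part of the thread and not Fortinet's own tooling. It normalizes DNs (case, whitespace around `=` and `,`, escaped commas) and tests two things: that the group DN from `set group-name` sits inside the search base you gave the "LDAP" server object, and that a user's `memberOf` values actually contain that group DN. The DNs in it are constructed, since the post elides the real one.

```python
"""Check FortiGate LDAP group-match preconditions against directory data.

Added example, not from the original post or from Fortinet. All DNs below are
constructed; the real group-name in the thread was elided.
"""
import re


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on commas that are not backslash-escaped (RFC 4514)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]


def normalize_rdn(rdn: str) -> str:
    """Lower-case the attribute type and value, collapse inner whitespace.

    Keeps 'OU= Groups' and 'ou=groups' from looking different when they are not.
    """
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={' '.join(value.split()).lower()}"


def normalize_dn(dn: str) -> list[str]:
    return [normalize_rdn(r) for r in split_dn(dn)]


def dn_in_subtree(dn: str, base: str) -> bool:
    """True if `dn` equals `base` or lies beneath it.

    DNs read leaf-first, so `base` must be a suffix of `dn`'s RDN list.
    """
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_group_match(server_dn: str, group_name: str, member_of: list[str]) -> dict:
    """Report whether the group match can ever succeed for this user.

    server_dn : the 'set dn' search base on the LDAP server object
    group_name: the 'set group-name' DN in the user group's 'config match'
    member_of : the user's memberOf values as returned by the directory
    """
    overlap = dn_in_subtree(group_name, server_dn)
    wanted = normalize_dn(group_name)
    is_member = any(normalize_dn(m) == wanted for m in member_of)
    return {"overlap": overlap, "is_member": is_member}


if __name__ == "__main__":
    # Constructed sample values (assumed, not taken from the post).
    SERVER_DN = "DC=example,DC=local"
    GROUP_NAME = "CN=Fortigate - Admins, OU=Groups, DC=example, DC=local"
    MEMBER_OF = [
        "CN=Fortigate - Admins,OU=Groups,DC=example,DC=local",
        "CN=Domain Users,CN=Users,DC=example,DC=local",
    ]
    print(check_group_match(SERVER_DN, GROUP_NAME, MEMBER_OF))
    # A base that does not contain the group DN can never match:
    print(check_group_match("OU=Users,DC=example,DC=local", GROUP_NAME, MEMBER_OF))
```

If `overlap` is false, no user will ever pass the `config match` entry regardless of their group membership; if `overlap` is true but `is_member` is false for an account you expect to be an admin, the group DN string on the FortiGate does not match what the directory returns for that account.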
Yes, in LDAP it is restricted to the group and in Duo Auth Proxy it is restricted
Copyright 2023 Fortinet, Inc. All Rights Reserved.