Fortinet Community

random_guy · ‎01-19-2021

I'm setting up Duo MFA for admin logins. It does the LDAP query, sends me the push buuuut then just proceeds with the login. Doesn't matter if I ignore the prompt or hit accept/decline it just sent me right in. Would this be a Duo or Forti issue?

Device: 60e

Firmware: 6.4.3

config user radius edit "Duo" set server "192.168.0.111" set secret ENC <secret>

set auth-type pap set source-ip "192.168.222.1" set password-renewal disable next end

config user group

edit "Firewall - Admins" set member "LDAP" "Duo" config match edit 1 set server-name "LDAP" set group-name "CN=Fortigate - Admins,OU= etc....." next end

random_guy · ‎01-19-2021

And resolved by removing the below from the user group...

set group-name "CN=Fortigate - Admins,OU= etc....."

ede_pfau · ‎01-20-2021

so effectively you authenticate against the whole LDAP tree instead of just a subtree. I wonder if you already specified a restricted subtree in the definition of your "LDAP" server object. If the server def and the group def here do not overlap you will never get an authentication.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

random_guy · ‎01-20-2021

Yes, in LDAP it is restricted to the group and in Duo Auth Proxy it is restricted

Fortinet Community

Duo on admin login