Author
AtiT
2018/03/07 01:35:56

LDAP Admin Login to FGT - Change Default Password Request

Hello.
We have a problem on FortiOS 5.6.3 with LDAP admin accounts. When the admin tries to log in to the firewall, the login is accepted but a password change is requested:
 
This Account is using the default password, it is strongly recommended that you change your password.
 
Does anyone know why it is happening?
 
AtiT
--------------------
NSE 8, CCNP R+S
#1
xsilver_FTNT
Re: LDAP Admin Login to FGT - Change Default Password Request 2018/03/08 01:32:21
Hi,
 
I thought it's obvious from the message and your logon, but...
 
It happens simply because you are using the default admin with the default "blank" password, which is really not a great idea for the firewall.
Anybody who can find out the IP/FQDN of your firewall and can access it through the port (allowaccess, trusted hosts) is then able to log in as admin and change whatever he/she wants.
As Fortinet decided that it is really bad practice to leave the super admin account unprotected, that's why you get a warning/reminder on each logon you do without a password set.
 
Best regards,
Tomas

Kind Regards,
Tomas
#2
AtiT
Re: LDAP Admin Login to FGT - Change Default Password Request 2018/03/08 01:36:49
Hello,
Thanks for the update.
 
But it is not the case. The account has a regular password, not blank.
We have a customer with the same problem and I was able to replicate the issue in the lab.

#3
xsilver_FTNT
Re: LDAP Admin Login to FGT - Change Default Password Request 2018/03/08 23:14:18
Hi,
I did a quick retest and was not able to reproduce the issue.
Once I used the button to change the password for the default "admin" account, I had no more warnings.
My setup is as below:
 
- Version: FortiGate-VM64 v5.6.3,build1547,171204 (GA)

config user ldap
edit "LDAP_ALFA"
set server "10.109.19.88"
set cnid "cn"
set dn "dc=alfa,dc=xsilver,dc=org"
set type regular
set username "administrator@alfa.xsilver.org"
set password ENC Y2fC2kVGd0h...cut...
next
end

config user group
edit "remote-admins"
set member "LDAP_ALFA"
next
end

config system admin
edit "admin"
set accprofile "super_admin"
set vdom "root"
set password ENC SH2ImCGhgpKr330gEBA/Lh62cWD7MhkCkcFva0Nz8sSnJ+zyHxP76cppL3RZQc=
next
edit "test"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set remote-group "remote-admins"
set password ENC SH2qR4eenfT6qoqMt+bD3ic53i6tj7R31IeEh8bb6XJrCR44rtBM9tHju4Zo9A=
next
end
 
 
What is your config?
 
Kind regards,
Tomas

#4
AtiT
Re: LDAP Admin Login to FGT - Change Default Password Request 2018/03/09 01:53:05
Hello,
 
This is my config:
 
# get sys status | grep build
Version: FortiGate-80D v5.6.3,build1547,171204 (GA)
 
config user ldap
edit "LAB"
set server "192.168.221.10"
set secondary-server "192.168.222.10"
set cnid "sAMAccountName"
set dn "ou=lab,dc=lab,dc=gts,dc=cz"
set type regular
set username "administrator@lab.gts.cz"
set password ENC 3gXQSQKut2Tn5dPpXZjx9cMoUJNyNFOuJvgEYwAWvmpIQ6Dlfs1J+IVi1obbsO6LoburGJMcveexLBBqXUB5HdUHr71ldKXxSWR0MEsugzJZQpzFFNVK5hUSENaShXmWyn6sEuxTvpG4Lqo8P+lgfmnUkFYGh9aQdMIcu3W/SujGP4Em2z/RENXttVW6WuOjq28NwQ==
set secure ldaps
set ca-cert "CA_Cert_3"
set port 636
set password-expiry-warning enable
set password-renewal enable
next
end
 
config user group
edit "fwadminsldap"
set member "LAB"
config match
edit 1
set server-name "LAB"
set group-name "CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz"
next
end
next
end
 
config system admin
edit "LDAPadmins"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set wildcard enable
set remote-group "fwadminsldap"
next
end
 
 
I can see that in your admin config the wildcard option is missing. It means that the admin "test" with the password stored in LDAP will be authenticated. This is not our case. (But it did not work for me either: the login was successful but the FGT showed me the login page again.)
 
 
The authd and fnbamd debug output shows this:
 
[2127] handle_req-Rcvd auth req 825730477 for fwadmin in fwadminsldap opt=00014001 prot=10
[355] __compose_group_list_from_req-Group 'fwadminsldap'
[605] fnbamd_pop3_start-fwadmin
[340] radius_start-Didn't find radius servers (0)
[701] auth_tac_plus_start-Didn't find tac_plus servers (0)
[871] resolve_ldap_FQDN-Resolved address 192.168.221.10, result 192.168.221.10
[871] resolve_ldap_FQDN-Resolved address 192.168.222.10, result 192.168.222.10
[1147] build_search_base-search base is: ou=lab,dc=lab,dc=gts,dc=cz
[1267] fnbamd_ldap_init-search filter is: sAMAccountName=fwadmin
[492] create_auth_session-Total 1 server(s) to try
[263] start_search_dn-base:'ou=lab,dc=lab,dc=gts,dc=cz' filter:sAMAccountName=fwadmin
[1653] fnbamd_ldap_get_result-Going to SEARCH state
[2832] auth_ldap_result-Continue pending for req 825730477
[296] get_all_dn-Found DN 1:CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[310] get_all_dn-Found 1 DN's
[344] start_next_dn_bind-Trying DN 1:CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[1701] fnbamd_ldap_get_result-Going to USERBIND state
[2832] auth_ldap_result-Continue pending for req 825730477
[570] start_user_attrs_lookup-Adding attr 'memberOf'
[591] start_user_attrs_lookup-base:'CN=fwadmin,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz' filter:cn=*
[1757] fnbamd_ldap_get_result-Entering CHKUSERATTRS state
[2832] auth_ldap_result-Continue pending for req 825730477
[793] get_member_of_groups-Get the memberOf groups.
[828] get_member_of_groups- attr='memberOf', found 1 values
[91] ldap_grp_list_add-added CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[837] get_member_of_groups-val[0]='CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz'
[626] start_primary_group_lookup-starting check...
[630] start_primary_group_lookup-number of sub auths 5
[648] start_primary_group_lookup-base:'ou=lab,dc=lab,dc=gts,dc=cz' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\5b\93\7a\51\bb\78\68\5c\bf\c4\1a\88\01\02\00\00))
[1780] fnbamd_ldap_get_result-Entering CHKPRIMARYGRP state
[2832] auth_ldap_result-Continue pending for req 825730477
[765] get_primary_groups-
[1814] fnbamd_ldap_get_result-Auth accepted
[1925] fnbamd_ldap_get_result-Going to DONE state res=0
[146] __ldap_copy_grp_list-copied CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
[2738] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.221.10 is SUCCESS
[2753] fnbamd_auth_poll_ldap-Passed group matching
[943] find_matched_usr_grps-Group 'fwadminsldap' passed group matching
[944] find_matched_usr_grps-Add matched group 'fwadminsldap'(12)
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 825730477
[637] destroy_auth_session-delete session 825730477
[53] ldap_grp_list_del_all-Del CN=fwadminsldap,OU=Users,OU=LAB,DC=lab,DC=gts,DC=cz
 
====== here I tried to change the password - but no success =======
[2530] handle_req-Rcvd 8 req
[928] fnbamd_cfg_get_radius_acct_servers-Error finding rad server LAB
[365] fnbamd_acct_start_STOP-Error getting radius server
[1345] create_acct_session-Error start acct type 8
[2544] handle_req-Error creating acct session 8
------ it seems to me that it tries to change the password via a RADIUS server. Probably LDAP is not supported?
#5
xsilver_FTNT
Re: LDAP Admin Login to FGT - Change Default Password Request 2018/03/09 05:56:30 (marked helpful by AtiT 2018/03/09 06:02:22)
Ahaaa... a wildcard admin which has no backup password... got it!
That's actually bug 0294898 in 5.6.3, which is supposed to be fixed in 5.6.4 and 6.0.0.
And the workaround is simple:
 
config system admin
edit "LDAPadmins"
unset wildcard
set password someWeryRandomAndStrongPaSsword
set wildcard enable
end
 
 
post edited by xsilver_FTNT - 2018/03/09 05:58:17

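As an added example (not from the thread and not Fortinet's code), a small Python check that parses a FortiOS "config system admin" block from a config backup and reports remote admins that have "set wildcard enable" but no local "set password", the shape that triggered the warning in this thread and that the workaround above fixes. The sample config is constructed to mirror the thread; the hashes are placeholders.

```python
# Constructed sample modelled on the thread: "LDAPadmins" is a wildcard
# admin with no backup password (the shape hit by the 5.6.3 bug), while
# "LDAPadmins-fixed" has the workaround applied. Hashes are placeholders.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC PLACEHOLDER_HASH
    next
    edit "LDAPadmins"
        set remote-auth enable
        set wildcard enable
        set remote-group "fwadminsldap"
    next
    edit "LDAPadmins-fixed"
        set remote-auth enable
        set wildcard enable
        set remote-group "fwadminsldap"
        set password ENC PLACEHOLDER_HASH
    next
end
"""

def parse_system_admin(text):
    """Return {admin_name: {key: value}} for the 'config system admin' block.
    Nested 'config ... end' sub-blocks inside an admin entry are skipped."""
    admins, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system admin":
                depth = 1          # entered the block we care about
            continue
        if line.startswith("config "):
            depth += 1             # nested sub-block: ignore its contents
        elif line == "end":
            depth -= 1
            if depth == 0:
                break              # closed 'config system admin'
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            admins[current] = {}
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value
    return admins

def wildcard_admins_without_password(text):
    """Admins with 'set wildcard enable' and no local 'set password' line."""
    return sorted(name for name, opts in parse_system_admin(text).items()
                  if opts.get("wildcard") == "enable" and "password" not in opts)
```

Running wildcard_admins_without_password on a "show system admin" dump of the affected unit lists the entries that still need the unset/set/enable sequence from the workaround.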
#6
AtiT
Re: LDAP Admin Login to FGT - Change Default Password Request 2018/03/09 06:02:07
This workaround fixed the issue. Thank you :)
 

#7
Elthon Abreu
Re: LDAP Admin Login to FGT - Change Default Password Request 2018/03/12 10:20:49
Tomas (xsilver),
 
That workaround is perfect.
 
Thank you so so much!
 
Cheers,
Elthon

Elthon Abreu
FCNSA v5