Support Forum
jimmy6154
New Contributor

2 factor auth

We are looking to set up 2 factor auth for our SSL VPN access. I have a user whom I set up in the user definition (FortiGate 310B). Set the 2 factor check. This is a mobile token code.

 

Everything looks normal, but when they log in via the client, they are not presented with the field to enter their 2 factor code.

 

Not sure how to troubleshoot or field this issue. 

xsilver_FTNT
Staff

Hi,

If the user is locally defined but of remote type (residing on LDAP, for example), then pay attention to the username: the match against local users on the FGT is case sensitive.

This is usually caused by a misconfiguration where the firewall group used in authentication (SSL VPN here) contains both the local user AND the LDAP server as well.

The initial idea of having a backup is fine.

And the local account even takes precedence over the remote ones (LDAP server), but if the user logs in as Tomas while the local user with the token is named tomas, then the local user does not match. And so the next in row in the group is LDAP, which is tried. And if the user does exist there, it will match and authenticate just fine with a password and without a token.

This most often happens with LDAP, which is not case sensitive, so the users Tomas and tomas are the same account on LDAP, while they are different on the FGT.

 

Solution:

---

SPLIT!

Define the users with tokens on the FGT directly, in one group.

Set the LDAP server into a second group, so that the rest of the users, those without tokens, will be authenticated directly against LDAP. To prevent users with tokens from falling through to that LDAP server group via the SSL VPN config, make a group on LDAP, put those users without tokens into it, and then use a group match rule in the group definition for that second LDAP server group. So users with tokens will not match. The same can be set for token-based users.

 

Kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
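The misconfiguration and the split described in the reply above, written out in FortiOS CLI as an added example; this is not configuration from the original post or from Fortinet. The object names, the LDAP server address and bind account, the base DN, the LDAP group DN and the token serial are placeholders chosen for illustration. The `config match` rule under `config user group`, and `set two-factor fortitoken` under `config user local`, are standard FortiOS settings; the `authentication-rule` block is FortiOS 5.2-and-later syntax, and on older builds the group-to-portal mapping is done in the identity-based SSL VPN firewall policy instead.

```fortios
# Added example (not from the thread). All names, addresses, DNs and the
# token serial are placeholders.

# LDAP server used for password checks. Values are placeholders.
config user ldap
    edit "LDAP-SRV"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fgt,OU=Service,DC=example,DC=com"
        set password "<bind-password>"
    next
end

# Remote-type local user with a mobile token. Note the lowercase name:
# the local match is case sensitive, so a login as "Tomas" will NOT hit it.
config user local
    edit "tomas"
        set type ldap
        set ldap-server "LDAP-SRV"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
    next
end

# WEAK: one group holding the local (token) user AND the LDAP server.
# "Tomas" misses the local entry, the FGT moves on to LDAP-SRV, and the
# password alone succeeds with no token prompt.
config user group
    edit "SSLVPN-Users"
        set member "tomas" "LDAP-SRV"
    next
end

# SPLIT: token users in one group, LDAP-only users in another. The match
# rule restricts the LDAP group to members of VPN-NoToken on the directory
# side, so token users cannot fall through to password-only auth here.
config user group
    edit "SSLVPN-Token-Users"
        set member "tomas"
    next
    edit "SSLVPN-LDAP-Users"
        set member "LDAP-SRV"
        config match
            edit 1
                set server-name "LDAP-SRV"
                set group-name "CN=VPN-NoToken,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Reference both groups from SSL VPN (5.2+ syntax), one rule each.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSLVPN-Token-Users"
            set portal "full-access"
        next
        edit 2
            set groups "SSLVPN-LDAP-Users"
            set portal "full-access"
        next
    end
end
```

The first `config user group` block is the state the reply diagnoses and is shown only for contrast; the second replaces it. The match rule is only as good as the directory group behind it, so keep token users out of `VPN-NoToken` on the LDAP side, and, as the reply suggests, a mirror-image match rule can be added on the token group as well. After the change, test with both `tomas` and `Tomas` and confirm the token prompt appears in both cases rather than only one.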
