Support Forum
Tim_86
New Contributor III

FortiAuthenticator as LDAP server, token user Permission Denied

Hi everybody,

I've got a strange problem with an Authenticator and Fortigate.

We've configured an Authenticator as LDAP Server.
The Fortigate authenticates against the Authenticator.

When I create a new user this user is discovered by the LDAP connection, this works fine and I'm able to login with this user.

But when I create a token (mobile app) for this user and try to logon, I get the message "Permission Denied".
Unassign the token and the user is able to login again.

I also tried to change the token to e-mail verification, after entering the credentials I immediately get permission denied.
2 seconds later I get an e-mail with the token but can't enter it.

So the Fortigate does authenticate against the FAC and sees the user has a token setup but it's stuck on the permission denied.

This is a part of the log:

[344] start_next_dn_bind-Trying DN 1:uid=tim,cn=LOCATION,ou=EXAMPLE,dc=EXAMPLE,dc=EXAMPLE
[1701] fnbamd_ldap_get_result-Going to USERBIND state
[2832] auth_ldap_result-Continue pending for req 6xxxxxx
[328] start_next_dn_bind-No more DN left
[1942] fnbamd_ldap_get_result-Auth denied

This is the report without the token:
without the token (same user in the exact same group, just simply token disabled).

[1757] fnbamd_ldap_get_result-Entering CHKUSERATTRS state
[2832] auth_ldap_result-Continue pending for req 6xxxxx8
[1551] fnbamd_ldap_get_result-Not ready yet
[2832] auth_ldap_result-Continue pending for req 6xxxxx8
[793] get_member_of_groups-Get the memberOf groups.
[828] get_member_of_groups- attr='memberOf', found 1 values
[91] ldap_grp_list_add-added cn=EXAMPLE,ou=EXAMPLE,dc=EXAMPLE,dc=local
[837] get_member_of_groups-val[0]='cn=EXAMPLE,ou=EXAMPLE,dc=EXAMPLE,dc=local'
[1789] fnbamd_ldap_get_result-Auth accepted
[1925] fnbamd_ldap_get_result-Going to DONE state res=0
[146] __ldap_copy_grp_list-copied cn=EXAMPLE,ou=EXAMPLE,dc=EXAMPLE,dc=local
[2738] fnbamd_auth_poll_ldap-Result for ldap svr 10.131.0.10 is SUCCESS
[2758] fnbamd_auth_poll_ldap-Skipping group matching
[898] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 6xxxxx8
[637] destroy_auth_session-delete session 6xxxxx8
[53] ldap_grp_list_del_all-Del cn=EXAMPLE,ou=EXAMPLE,dc=EXAMPLE,dc=local
authenticate 'tim' against 'LDAP_FAC' succeeded!
Group membership(s) - cn=EXAMPLE,ou=EXAMPLE,dc=EXAMPLE,dc=local

What am I missing?

Kind regards,
Tim
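As an added example (not code from the post, from Fortinet, or from FortiAuthenticator), here is a small Python parser for the fnbamd debug output quoted above. The daemon runs its entries together as "[source line] function-message"; the script splits them apart, tracks the bind state transitions, records which candidate DN was tried, whether the DN list was exhausted, whether the result was "Auth accepted" or "Auth denied", and which memberOf groups came back. The two sample logs are constructed from the entries in the post (trimmed to the relevant ones), and the function and state names are taken from that quoted output; the reading in `diagnose()` only restates what those entries say.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: fnbamd debug output in the shape quoted in the post.
# Each entry is "[<source line>] <function>-<message>", run together on one line.
DENIED_LOG = (
    "[344] start_next_dn_bind-Trying DN 1:uid=tim,cn=LOCATION,ou=EXAMPLE,dc=EXAMPLE,dc=EXAMPLE "
    "[1701] fnbamd_ldap_get_result-Going to USERBIND state "
    "[2832] auth_ldap_result-Continue pending for req 6xxxxxx "
    "[328] start_next_dn_bind-No more DN left "
    "[1942] fnbamd_ldap_get_result-Auth denied"
)

ACCEPTED_LOG = (
    "[1757] fnbamd_ldap_get_result-Entering CHKUSERATTRS state "
    "[793] get_member_of_groups-Get the memberOf groups. "
    "[828] get_member_of_groups- attr='memberOf', found 1 values "
    "[91] ldap_grp_list_add-added cn=EXAMPLE,ou=EXAMPLE,dc=EXAMPLE,dc=local "
    "[1789] fnbamd_ldap_get_result-Auth accepted "
    "[1925] fnbamd_ldap_get_result-Going to DONE state res=0 "
    "[2738] fnbamd_auth_poll_ldap-Result for ldap svr 10.131.0.10 is SUCCESS "
    "[2758] fnbamd_auth_poll_ldap-Skipping group matching "
    "[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 6xxxxx8"
)

# One entry: "[digits] function-message"; the message runs until the next
# "[digits] function-" marker or the end of the text.
ENTRY_RE = re.compile(r"\[(\d+)\]\s+(\w+)-(.*?)(?=\s+\[\d+\]\s+\w+-|$)", re.S)
STATE_RE = re.compile(r"(?:Going to|Entering) (\w+) state")


@dataclass
class BindSummary:
    dns_tried: list = field(default_factory=list)   # candidate DNs the daemon tried to bind as
    states: list = field(default_factory=list)      # fnbamd state transitions, in order
    groups: list = field(default_factory=list)      # memberOf values returned for the user
    result: str = "unknown"                         # "accepted", "denied" or "unknown"
    dn_exhausted: bool = False                      # "No more DN left" was logged


def parse_entries(text):
    """Split run-together fnbamd output into (source_line, function, message) tuples."""
    return [(int(n), func, msg.strip()) for n, func, msg in ENTRY_RE.findall(text)]


def summarize(text):
    """Walk the entries and collect what decided the outcome of one auth request."""
    s = BindSummary()
    for _, func, msg in parse_entries(text):
        if func == "start_next_dn_bind":
            if msg.startswith("Trying DN"):
                s.dns_tried.append(msg.split(":", 1)[1])
            elif msg == "No more DN left":
                s.dn_exhausted = True
        elif func == "fnbamd_ldap_get_result":
            m = STATE_RE.search(msg)
            if m:
                s.states.append(m.group(1))
            elif msg == "Auth accepted":
                s.result = "accepted"
            elif msg == "Auth denied":
                s.result = "denied"
        elif func == "ldap_grp_list_add" and msg.startswith("added "):
            s.groups.append(msg[len("added "):])
    return s


def diagnose(s):
    """One-line reading of the summary, in the terms the log itself uses."""
    if s.result == "accepted":
        return f"accepted after states {s.states}; groups returned: {s.groups}"
    if s.result == "denied" and s.dn_exhausted and s.states and s.states[-1] == "USERBIND":
        return (f"denied in USERBIND: the bind as {s.dns_tried} was rejected and no "
                "further DN was available, so the failure is the credential check itself, "
                "not group matching")
    return f"result={s.result}; states={s.states}"


if __name__ == "__main__":
    for label, log in (("with token", DENIED_LOG), ("without token", ACCEPTED_LOG)):
        print(f"{label}: {diagnose(summarize(log))}")
```

Run against a full `diagnose debug application fnbamd` capture, the same parser separates a bind rejected in USERBIND (the token case above) from a failure that happens later in group matching, which is the first thing to establish before changing the server-side configuration.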

1 Solution
Tim_86
New Contributor III

It looks like the issue has been resolved.

It seems that a RADIUS config is mandatory next to LDAP to have users authenticate over 2FA.

This seems a bit strange to me, could someone elaborate on this?

Kind regards,
Tim
