Support Forum
mikecel79
New Contributor

Remote LDAP users with 2FA

We are testing the use of FAC with a Fortigate 101E to support 2FA using FortiTokens but running into a small issue. 

 

We have configured FAC to use a remote LDAP server (our AD) and are importing users from a specific group in AD using a remote sync rule. We are also adding them to a remote group in FAC. This works fine and we are able to assign them FortiTokens. When logging into the FAC portal they authenticate with their Windows username and password and then are prompted for a code from the FortiToken. All this works perfectly.

 

The issue we are having is when trying to authenticate these users from a Fortigate using IPSec in the Forticlient. We have configured the FAC as a RADIUS server in our Fortigate appliance for the VPN connection. When we authenticate to the Forticlient we enter our Windows username and password but are never prompted for a code from the token. Authentication completes and we are connected. The strange thing is if I test connectivity on the RADIUS server setup on the FortiGate it tells me that the account authenticated but "More validation is required" and it's expecting a code from the token, so it appears everything is set up.

 

If I create a local user on FAC and assign a token then everything works as expected. It seems to be only with remote users that it's bypassing the 2FA.

 

I noticed in the logs on the FAC I am always getting these messages when authenticating:

"Remote LDAP user authentication(mschap) with FortiToken failed: remote server supports pap only"

 

Anyone ever seen this issue before?  Can you use FortiTokens for 2FA with Remote users on FAC?

 

 

xsilver_FTNT
Staff

Hi mikecel79,

 

Token application depends on the RADIUS Client Profile config. See attached and make sure you have "Apply two-factor authentication if available", or even "Enforce two-factor authentication", selected if it suits your design. Next, in Remote User Sync Rules you can sync users to a specific group, and use that group in the Realms/Groups setting, to enforce that authentication is done towards synced users and not directly towards LDAP from the Realm only. Then use https://<fac-ip-fqdn>/debug/radius/ (or even switch it to debug mode) to check that once your user tries to auth to IPSec on the FortiGate, the right/intended RADIUS Client profile is chosen on FortiAuthenticator.

https://drive.google.com/...3O7G2/view?usp=sharing

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

mikecel79

I made sure the RADIUS client config was set up to "Enforce two-factor authentication" and also tried "Apply two-factor authentication". Also limited authentication just to my synced remote users group.

 

Looking at the logs I keep seeing this which I think is causing the issue.

 "ERROR: client is using remote LDAP, but remote LDAP supports PAP only!"

 

Not sure how to resolve this though.

mikecel79

Actually I realized I did not have "Windows AD domain authentication" setup when I tried this.  I've since turned that on and the PAP error has gone away but I have a new error now.  

 

2019-06-12T08:03:54.448094-04:00 FortiAuthenticator radiusd[25178]: Exec plaintext: Logon failure (0xc000006d)
2019-06-12T08:03:54.448344-04:00 FortiAuthenticator radiusd[25178]: [mschap] Exec: program returned: 1
2019-06-12T08:03:54.448352-04:00 FortiAuthenticator radiusd[25178]: Module-Failure-Message: mschap: External script says Logon failure (0xc000006d)
2019-06-12T08:03:54.448356-04:00 FortiAuthenticator radiusd[25178]: MS-CHAP-Error: aE=691 R=1
2019-06-12T08:03:54.448358-04:00 FortiAuthenticator radiusd[25178]: Remote Windows AD user authentication failed
2019-06-12T08:03:54.451078-04:00 FortiAuthenticator radiusd[25178]: Updated auth log user@domain.com': Windows AD user authentication(mschap) with FortiToken failed: AD auth error: Logon failure (0xc000006d)

 

The strange thing is I am still authenticated even though it says Windows AD user authentication failed.

Nytro
New Contributor

I have a setup very similar to yours. 500E HA pair on the edge terminating Forticlient SSL VPN connections. The FAC is the RADIUS server. The FAC uses remote LDAP to poll AD to authenticate users.

Unfortunately I can't speak for your issue regarding the IPSec FC Client connecting without being prompted for Token code BUT for your other issue, this can be remedied by enabling your FAC to join the Windows AD domain. This is done under Authentication/Remote Auth. Servers/LDAP. The section in the middle, 'Windows Active Directory Authentication' needs to be enabled with the proper domain info for you. 

You can then verify you are connected via Monitor/Authentication/Windows AD. The important field is 'Connection:'

It should read 'joined domain, connected'. From what I was told, MS CHAP and MS CHAP v2 will only work if the device/Server is on the active directory domain.

(If it's not connecting you will also see TONS of messages in the logs saying failed to join Windows domain.) Hope this helps!

Windows Active Directory Server #1
Server name: SLCDC
Primary IP Address: 10.1.2.20
Secondary IP address: None
Authentication Realm: C3connect.lan
Agent: running
Connection: joined domain, connected
Updated: 17 seconds ago

 

Cheers!

Noel

mikecel79

So turns out the issue I had was related to another RADIUS server we had configured on the Fortigate.  When we started testing the FortiGate we configured it to authenticate users to a Windows RADIUS server.  Unfortunately we had enabled the "Include in every user group" option under the RADIUS server configuration.  When we started testing the FortiAuthenticator we didn't turn that off.

I discovered the issue when capturing traffic between the FortiGate and FortiAuthenticator.  The authentication attempt was being sent to both servers at the same time, and sometimes the Windows server would answer first which results in no prompt for 2FA.  Once I removed this server everything worked as expected.
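The root cause above (a second RADIUS server flagged "Include in every user group" silently joining the VPN group, so whichever server answers first decides the outcome) is easy to miss in the GUI. The following audit script is an added example, not code from the thread or from Fortinet: it parses a constructed FortiOS CLI dump and lists every server reachable for a user group that is not known to enforce 2FA. The CLI keywords `all-usergroup` and `member` are assumed to be the FortiOS equivalents of the GUI options discussed; the config text is constructed for illustration.

```python
"""Audit a FortiOS 'config user radius' / 'config user group' dump for RADIUS
servers that are pulled into every user group via 'all-usergroup'.
Added example, not from the forum thread; keyword names are assumptions."""
import re

# Constructed CLI dump modelled on the thread: a Windows RADIUS server left
# with "Include in every user group" enabled, FAC added explicitly to the VPN group.
SAMPLE_CONFIG = """\
config user radius
    edit "WIN-NPS"
        set server "10.0.0.5"
        set all-usergroup enable
    next
    edit "FAC"
        set server "10.0.0.6"
    next
end
config user group
    edit "VPN-Users"
        set member "FAC"
    next
end
"""

def parse_blocks(text, section):
    """Return {name: {key: value}} for one 'config user <section>' block."""
    m = re.search(rf'config user {section}\n(.*?)\nend', text, re.S)
    entries = {}
    for name, body in re.findall(r'edit "([^"]+)"\n(.*?)\n\s*next', m.group(1), re.S):
        entries[name] = dict(re.findall(r'set (\S+) (.+)', body))
    return entries

def effective_radius_servers(text, group):
    """Servers that actually receive Access-Requests for `group`:
    explicit members plus every server flagged all-usergroup."""
    radius = parse_blocks(text, "radius")
    groups = parse_blocks(text, "group")
    explicit = set(re.findall(r'"([^"]+)"', groups[group].get("member", "")))
    implicit = {n for n, cfg in radius.items() if cfg.get("all-usergroup") == "enable"}
    return explicit, implicit

def audit(text, group, mfa_servers):
    """Flag reachable servers not in the set known to enforce 2FA. As observed
    in the thread, the first server to answer wins, so any such server can
    short-circuit the token prompt."""
    explicit, implicit = effective_radius_servers(text, group)
    return sorted((explicit | implicit) - set(mfa_servers))

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "VPN-Users", {"FAC"}))  # ['WIN-NPS']
```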
