Remote LDAP users with 2FA

mikecel79 - 2019/06/11 08:47:01 (6.0)

We are testing the use of FAC with a FortiGate 101E to support 2FA using FortiTokens but are running into a small issue.

We have configured FAC to use a remote LDAP server (our AD) and import users from a specific group in AD using a remote sync rule. We are also adding them to a remote group in FAC. This works fine and we are able to assign them FortiTokens. When logging into the FAC portal they authenticate with their Windows username and password and then are prompted for a code from the FortiToken. All this works perfectly.

The issue we are having is when trying to authenticate these users from a FortiGate using IPsec in FortiClient. We have configured the FAC as a RADIUS server in our FortiGate appliance for the VPN connection. When we authenticate in FortiClient we enter our Windows username and password but are never prompted for a code from the token. Authentication completes and we are connected. The strange thing is that if I test connectivity on the RADIUS server setup on the FortiGate it tells me that the account authenticated but "More validation is required" and it's expecting a code from the token, so it appears everything is set up.

If I create a local user on FAC and assign a token then everything works as expected. It seems to be only with remote users that it's bypassing the 2FA.

I noticed in the logs on the FAC I am always getting these messages when authenticating:
"Remote LDAP user authentication(mschap) with FortiToken failed: remote server supports pap only"

Anyone ever seen this issue before? Can you use FortiTokens for 2FA with remote users on FAC?
 
 
post edited by mikecel79 - 2019/06/11 13:00:37

xsilver_FTNT - 2019/06/12 02:37:18

Hi mikecel79,

Token application depends on the RADIUS Client Profile config.
See attached and make sure you have "Apply two-factor authentication if available", or even "Enforce two-factor authentication", selected if it suits your design.
Next, in Remote User Sync Rules you can sync users to a specific group, and use that group in the Realms/Groups setting, to enforce that authentication will be done towards synced users and not directly towards LDAP from the Realm only.
Then use https://<fac-ip-fqdn>/debug/radius/ (or even switch it to debug mode) to check that once your user tries to auth to IPsec on FortiGate, the right/intended RADIUS Client profile is chosen on FortiAuthenticator.

https://drive.google.com/...3O7G2/view?usp=sharing

Kind Regards,
Tomas

mikecel79 - 2019/06/12 04:59:38

I made sure the RADIUS client config was set up to "Enforce two-factor authentication" and also tried "Apply two-factor authentication". I also limited authentication to just my synced remote users group.

Looking at the logs I keep seeing this, which I think is causing the issue:
"ERROR: client is using remote LDAP, but remote LDAP supports PAP only!"

Not sure how to resolve this though.
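The "remote LDAP supports PAP only" error above comes down to what the two RADIUS authentication methods actually carry. A PAP Access-Request contains the password itself, hidden with MD5 against the shared secret as described in RFC 2865 section 5.2; the RADIUS server reverses that hiding and can perform an LDAP simple bind with the cleartext on the user's behalf. An MS-CHAPv2 Access-Request carries only a challenge and a challenge response (RFC 2548 MS-CHAP-Challenge and MS-CHAP2-Response). The password never appears, so the server can verify the response only if it can get at the user's NT hash, or hand the exchange to a domain controller as a domain member, which is what enabling "Windows AD domain authentication" provides; an LDAP bind alone can only answer yes or no to a password it is given. The Python script below is an added example, not code from the thread or from Fortinet: it builds a PAP and an MS-CHAPv2 Access-Request, parses each back the way a server would, and reports which one yields a credential usable for an LDAP bind. The shared secret, Request Authenticator, challenge bytes and the NT-Response bytes are constructed placeholders (the NT-Response is not a real MS-CHAPv2 computation, which needs the NT hash and DES and is not implemented here).

```python
import hashlib
import struct

# RADIUS attribute types (RFC 2865) and Microsoft vendor-specific sub-types (RFC 2548)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
VENDOR_SPECIFIC = 26
MS_VENDOR_ID = 311
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to a 16-byte multiple, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. It is reversible, which is exactly why PAP can be relayed to LDAP."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the RADIUS server does with a PAP request."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type, total length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def ms_vsa(vtype: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (26) carrying a Microsoft sub-attribute."""
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + inner)


def access_request(identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    """RADIUS header (code, identifier, length, 16-byte authenticator) plus attributes."""
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes)) + authenticator + attributes


def pap_request(username: str, password: str, secret: bytes, authenticator: bytes) -> bytes:
    attrs = attr(USER_NAME, username.encode()) + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return access_request(1, authenticator, attrs)


def mschapv2_request(username: str, challenge: bytes, peer_challenge: bytes, nt_response: bytes, authenticator: bytes) -> bytes:
    # MS-CHAP2-Response layout (RFC 2548 2.3.2): Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)
    response = bytes([1, 0]) + peer_challenge + b"\x00" * 8 + nt_response
    attrs = attr(USER_NAME, username.encode()) + ms_vsa(MS_CHAP_CHALLENGE, challenge) + ms_vsa(MS_CHAP2_RESPONSE, response)
    return access_request(2, authenticator, attrs)


def parse_attributes(packet: bytes):
    """Return (authenticator, {(type, ms_subtype_or_None): value}), expanding Microsoft VSAs."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == MS_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            attrs[(VENDOR_SPECIFIC, vtype)] = value[6:4 + vlen]
        else:
            attrs[(atype, None)] = value
        pos += alen
    return authenticator, attrs


def ldap_bind_credential(packet: bytes, secret: bytes):
    """A backend that can only do LDAP simple binds needs the cleartext password.
    PAP supplies it; MS-CHAPv2 supplies only challenge/response material, which can
    be checked against the NT hash but never turned into a bind (the 'PAP only' case)."""
    authenticator, attrs = parse_attributes(packet)
    username = attrs[(USER_NAME, None)].decode()
    if (USER_PASSWORD, None) in attrs:
        return username, reveal_password(attrs[(USER_PASSWORD, None)], secret, authenticator).decode()
    if (VENDOR_SPECIFIC, MS_CHAP2_RESPONSE) in attrs:
        return None  # only MS-CHAP-Challenge and NT-Response present: nothing to bind with
    raise ValueError("no supported authentication attributes in request")


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"   # constructed, not a real deployment value
    AUTH = bytes(range(16))                 # constructed Request Authenticator
    pap = pap_request("user@domain.com", "Winter2019!", SECRET, AUTH)
    ms = mschapv2_request("user@domain.com", b"\x11" * 16, b"\x22" * 16, b"\x33" * 24, AUTH)
    print("PAP      ->", ldap_bind_credential(pap, SECRET))
    print("MS-CHAPv2->", ldap_bind_credential(ms, SECRET))
```

Run as a script it prints the recovered username and password for the PAP request and `None` for the MS-CHAPv2 one. The practical consequence for the setup in this thread is that a RADIUS client profile sending MS-CHAPv2 can never be satisfied by a remote LDAP server on its own; either the FortiGate must send PAP (which exposes the password to the RADIUS server, protected only by the RFC 2865 hiding and the shared secret), or the authenticator needs a path to the NT hash such as a domain join.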
mikecel79 - 2019/06/12 05:09:50

Actually, I realized I did not have "Windows AD domain authentication" set up when I tried this. I've since turned that on and the PAP error has gone away, but I have a new error now.

2019-06-12T08:03:54.448094-04:00 FortiAuthenticator radiusd[25178]: Exec plaintext: Logon failure (0xc000006d)
2019-06-12T08:03:54.448344-04:00 FortiAuthenticator radiusd[25178]: [mschap] Exec: program returned: 1
2019-06-12T08:03:54.448352-04:00 FortiAuthenticator radiusd[25178]: Module-Failure-Message: mschap: External script says Logon failure (0xc000006d)
2019-06-12T08:03:54.448356-04:00 FortiAuthenticator radiusd[25178]: MS-CHAP-Error: aE=691 R=1
2019-06-12T08:03:54.448358-04:00 FortiAuthenticator radiusd[25178]: Remote Windows AD user authentication failed
2019-06-12T08:03:54.451078-04:00 FortiAuthenticator radiusd[25178]: Updated auth log user@domain.com': Windows AD user authentication(mschap) with FortiToken failed: AD auth error: Logon failure (0xc000006d)

The strange thing is I am still authenticated even though it says Windows AD user authentication failed.