Remote LDAP users with 2FA
We are testing the use of FAC with a Fortigate 101E to support 2FA using FortiTokens but are running into a small issue.
We have configured FAC to use a remote LDAP server (our AD) and import users from a specific group in AD using a remote sync rule. We are also adding them to a remote group in FAC. This works fine and we are able to assign them FortiTokens. When logging into the FAC portal they authenticate with their Windows username and password and then are prompted for a code from the FortiToken. All this works perfectly.
The issue we are having is when trying to authenticate these users from a Fortigate using IPSec in the Forticlient. We have configured the FAC as a RADIUS server in our Fortigate appliance for the VPN connection. When we authenticate to the Forticlient we enter our Windows username and password but are never prompted for a code from the token. Authentication completes and we are connected. The strange thing is that if I test connectivity on the RADIUS server setup on the FortiGate, it tells me that the account authenticated but "More validation is required" and it's expecting a code from the token, so it appears everything is set up.
If I create a local user on FAC and assign a token then everything works as expected. It seems that only with remote users is it bypassing the 2FA.
I noticed in the logs on the FAC I am always getting these messages when authenticating:
"Remote LDAP user authentication(mschap) with FortiToken failed: remote server supports pap only"
Anyone ever seen this issue before? Can you use FortiTokens for 2FA with remote users on FAC?
post edited by mikecel79 - 2019/06/11 13:00:37
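Added example, not part of the original post: a small detector that scans FortiAuthenticator log lines for the exact message quoted above and reports which RADIUS client sent a non-PAP method for a token-enabled remote LDAP user, since such logins are the ones the post describes completing without a token prompt. The timestamp and client= fields in the sample lines are constructed assumptions; only the quoted message text comes from the post.

```python
import re
from collections import Counter

# Pattern for the FortiAuthenticator message quoted in the post. The auth
# method in parentheses (mschap, chap, ...) is captured; the rest is literal.
PAP_ONLY_RE = re.compile(
    r"Remote LDAP user authentication\((?P<method>[a-z0-9_]+)\) with FortiToken "
    r"failed: remote server supports pap only"
)

# Constructed sample log lines (not from the original post). The timestamp
# and "client=" prefix are assumed fields; the message text is the post's.
SAMPLE_LOG = """\
2019-06-11 12:58:01 client=10.0.0.1 Remote LDAP user authentication(mschap) with FortiToken failed: remote server supports pap only
2019-06-11 12:58:01 client=10.0.0.1 Remote LDAP user authentication(mschap) with FortiToken failed: remote server supports pap only
2019-06-11 12:59:10 client=10.0.0.2 Remote LDAP user authentication(pap) with FortiToken succeeded
2019-06-11 12:59:40 client=10.0.0.1 Local user authentication(mschap) with FortiToken succeeded
"""


def pap_only_failures(log_text):
    """Return {(client, method): count} for every line where FAC reported that
    the FortiToken step could not run because the LDAP backend is PAP-only."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PAP_ONLY_RE.search(line)
        if not m:
            continue
        c = re.search(r"client=(\S+)", line)
        client = c.group(1) if c else "unknown"
        hits[(client, m.group("method"))] += 1
    return dict(hits)


def clients_needing_attention(log_text):
    """RADIUS clients (e.g. a FortiGate) that sent a non-PAP method to FAC for
    remote LDAP users with tokens; the post reports that such logins finished
    on password alone, so each listed client's RADIUS settings should be
    reviewed."""
    return sorted({client for (client, _method) in pap_only_failures(log_text)})


if __name__ == "__main__":
    for (client, method), n in pap_only_failures(SAMPLE_LOG).items():
        print(f"{client}: {n} token step(s) skipped, method={method}")
    print("review:", clients_needing_attention(SAMPLE_LOG))
```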