Description
This article describes how to properly configure remote LDAP users to use two-factor authentication.
Solution
When configuring remote LDAP users to use two-factor authentication (for example FortiTokens), it is possible for such authentication to be bypassed by entering a username whose case does not match the case-sensitive username configured for one of the local users.
This case will occur if both of the following are configured on the FortiGate for a desired user group:
(a) Local users with two-factor authentication are configured
AND
(b) The same user group is associated with a remote LDAP group whose usernames match those of the already defined local users
In this case, for all LDAP users that require two-factor authentication, corresponding local LDAP users (local user accounts that authenticate against the LDAP server) need to be created on the FortiGate and added to a user group that contains only these local LDAP users, with no remote LDAP group as a member.
* Only usernames matching the case specified in the local LDAP users will be prompted for two-factor authentication.
* Usernames whose case does not match the exact case defined in the local LDAP users will be denied access.
Usernames on the FortiGate are case-sensitive, while usernames in Windows Active Directory are not case-sensitive.
Therefore, it is recommended to adhere to a standard convention for remote LDAP users created on the FortiGate (for example, all caps or all lowercase) to prevent confusion for users.
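The following FortiOS CLI fragment is an added example, not configuration from this article or from Fortinet. It shows the weak layout described above (a user group that mixes a two-factor local user with a remote LDAP group match) beside the corrected layout (a group containing only the local LDAP users). The LDAP server name "AD-LDAP", the hostname, bind DN, group DN, user "jsmith", the policy and group names and the FortiToken serial are all assumed placeholders; lines beginning with "#" are annotations, not commands.

```fortios
# Added example (not from the original article). All names below are assumed.

# Remote LDAP server definition (shared by both layouts).
config user ldap
    edit "AD-LDAP"
        set server "ldap.example.com"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=com"
        set password <service-account-password-placeholder>
    next
end

# Local LDAP user: authenticates against AD-LDAP and requires a FortiToken.
# The name is case-sensitive on the FortiGate; create it in the agreed
# convention (all lowercase here) so users know which form to type.
config user local
    edit "jsmith"
        set type ldap
        set ldap-server "AD-LDAP"
        set two-factor fortitoken
        set fortitoken "<fortitoken-serial-placeholder>"
    next
end

# --- WEAK: one group holds both the two-factor local user and a remote
# LDAP group match. A login as "JSmith" does not hit the case-sensitive
# local entry, does match the case-insensitive AD group via "AD-LDAP",
# and is therefore admitted without any token prompt.
config user group
    edit "VPN-Users"
        set member "jsmith" "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# --- CORRECTED: the group used by the VPN or firewall policy contains only
# local LDAP users (one entry per user needing two-factor). No remote LDAP
# group is a member, so "JSmith" no longer matches anything and is denied,
# while "jsmith" is prompted for the FortiToken.
config user group
    edit "VPN-2FA-Users"
        set member "jsmith"
    next
end

# Reference the corrected group from the policy instead of "VPN-Users"
# (shown here for an SSL-VPN firewall policy; policy id is assumed).
config firewall policy
    edit 10
        set groups "VPN-2FA-Users"
    next
end
```

After applying the change, confirm with "show user group VPN-2FA-Users" that the member list holds only the local LDAP users and has no "config match" block, and remove or stop referencing the mixed group so that no policy still admits users through the remote LDAP group match.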
Related Articles
Restricting VPN access with two-factor and LDAP authentication