FortiGate
vrajendran
Staff
Article Id 195092

Description
This article describes how username case sensitivity is handled by the different authentication methods available on the FortiGate unit.

When performing Firewall Authentication (authentication against a firewall policy or a captive portal), the following authentication methods are case sensitive on FortiOS:

Local User Authentication
Remote RADIUS Authentication (with 'username-case-sensitive' enabled, see Solution)

The following remote authentication types are case insensitive:

Remote LDAP
Remote TACACS
POP3

Case insensitive usernames become a problem in particular when the auth-concurrent setting is used in FortiOS to limit the number of logins per user (Firewall Authentication), because the login counter and the authentication server may not agree on whether two spellings of a name are the same user.

Example:

The auth-concurrent setting is configured to allow 1 login per user.
A user authenticates from PC1 with the username 'fortinet'; authentication succeeds.
The same user (or a different one) then authenticates from PC2 with the username 'Fortinet'; this authentication also succeeds, even though the limit is 1 login.

Solution
The following solutions can be implemented to avoid these issues.

1) Use local users.

The local user database on the FortiGate unit is case sensitive.

If the network contains a large number of users authenticating through Firewall Authentication on the FortiGate unit, option 2) is more practical.

2) Use Remote RADIUS authentication and enable case sensitive comparison of usernames.

# config user radius
    edit <name>
        set username-case-sensitive ?
        enable     Enable username case-sensitive.
        disable    Disable username case-sensitive.

# config user radius
    edit <name>
        set username-case-sensitive enable
    next
end

The 'username-case-sensitive' setting is disabled by default, so username comparison for RADIUS users is case insensitive unless it is explicitly enabled.
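To show why the login counter and the authentication server must agree on case, the following Python simulation, added here and not part of this article or of FortiOS, replays the scenario from the Description (auth-concurrent = 1, logins from PC1 and PC2) against a backend that compares names either case insensitively (LDAP/TACACS/POP3, or RADIUS with the default setting) or case sensitively (local users, or RADIUS with 'username-case-sensitive' enabled). The Backend and Gateway classes, the account 'fortinet' and its password are constructed for this example.

```python
class Backend:
    """Remote auth server; case_sensitive=False mimics LDAP/TACACS/POP3 or
    RADIUS with username-case-sensitive disabled, True mimics local users
    or RADIUS with username-case-sensitive enabled."""

    def __init__(self, case_sensitive, users=None):
        self.case_sensitive = case_sensitive
        self.users = users or {"fortinet": "Secret123"}  # constructed account

    def check(self, username, password):
        for stored_name, stored_pw in self.users.items():
            if self.case_sensitive:
                same = stored_name == username
            else:
                same = stored_name.lower() == username.lower()
            if same:
                return stored_pw == password
        return False


class Gateway:
    """Firewall-authentication front end enforcing an auth-concurrent limit."""

    def __init__(self, backend, auth_concurrent):
        self.backend = backend
        self.limit = auth_concurrent
        self.sessions = {}  # username exactly as typed -> list of hosts

    def login(self, username, password, host):
        if not self.backend.check(username, password):
            return False
        # The login counter keys on the name as typed, so 'fortinet' and
        # 'Fortinet' are two different entries even when the backend
        # treated them as the same account.
        active = self.sessions.setdefault(username, [])
        if len(active) >= self.limit:
            return False
        active.append(host)
        return True


def run_scenario(case_sensitive_backend):
    """PC1 as 'fortinet', PC2 as 'Fortinet', PC3 as 'fortinet' again, limit 1."""
    gw = Gateway(Backend(case_sensitive_backend), auth_concurrent=1)
    return (gw.login("fortinet", "Secret123", "PC1"),
            gw.login("Fortinet", "Secret123", "PC2"),
            gw.login("fortinet", "Secret123", "PC3"))
```

With the case insensitive backend PC2 gets a second session past the limit; with the case sensitive backend 'Fortinet' is rejected outright, and in both cases a repeat of the exact name 'fortinet' from PC3 is blocked by the counter.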

Related Articles

Technical Tip: 'policy-auth-concurrent' system global command clarified
