Created on 04-24-2020 11:05 PM Edited on 10-22-2023 11:42 PM By Jean-Philippe_P
Description
This article describes how to correctly configure two-factor authentication (2FA) on a FortiGate firewall for LDAP users, so that the token challenge is actually triggered when those users log in to the SSL VPN.
Scope
FortiGate with LDAP.
Solution
Symptom: two-factor authentication works when the SSL VPN authentication rule and firewall policy reference an individual LDAP user, but when they reference a remote LDAP group (LDAP server plus group name) directly, the login is denied and no token code is delivered.
Verification of Configuration:
Create a remote group that references the LDAP server and the LDAP group name (this group is used for ordinary, password-only matching).
Create a local user of type LDAP for each account that needs 2FA, bound to the LDAP server, with two-factor authentication enabled using any of the available methods: SMS, email, or FortiToken.
Create a local user group and add these LDAP users as members.
Reference that local group in the SSL VPN authentication rule and in the firewall policy.
Do not reference the remote group in the SSL VPN settings or the firewall policy. Two-factor authentication is a property of the local user entry, so a login that is matched only through the remote group is never prompted for a token.
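The procedure above, written out as FortiOS CLI configuration. This is an added example, not configuration from the original article: the server address, bind DN, user names, group names, interface names, address objects and the FortiToken serial are placeholders that must be replaced with your own values. The first group is the remote group that must not be used for 2FA; the local users and local group that follow are the working configuration.

```text
config user ldap
    edit "LDAP-SRV"
        set server "10.0.0.10"                                   # placeholder LDAP/AD server
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-ldap,cn=Users,dc=example,dc=com"    # placeholder bind account
        set password "<bind-password>"
    next
end

# Remote group: matches the AD group directly. Keep it for password-only
# access if needed, but do NOT reference it in SSL VPN or firewall policy
# for users who must receive a token challenge.
config user group
    edit "LDAP-Remote-Group"
        set member "LDAP-SRV"
        config match
            edit 1
                set server-name "LDAP-SRV"
                set group-name "CN=VPN-Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Local user entries of type LDAP carry the two-factor setting.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "LDAP-SRV"
        set two-factor fortitoken
        set fortitoken "FTKMOBXXXXXXXXXX"                       # placeholder token serial
    next
    edit "asmith"
        set type ldap
        set ldap-server "LDAP-SRV"
        set two-factor email
        set email-to "asmith@example.com"                        # placeholder address
    next
end

# Local group containing the 2FA-enabled LDAP users.
config user group
    edit "LDAP-2FA-Users"
        set member "jdoe" "asmith"
    next
end

# SSL VPN: reference only the local group.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"                                 # placeholder WAN interface
    set source-address "all"
    set port 10443
    config authentication-rule
        edit 1
            set groups "LDAP-2FA-Users"
            set portal "full-access"
        next
    end
end

# Firewall policy: reference only the local group.
config firewall policy
    edit 10
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"                                      # placeholder LAN interface
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "LDAP-2FA-Users"
        set nat enable
    next
end
```

After applying this, `diagnose test authserver ldap LDAP-SRV jdoe <password>` confirms the LDAP bind and group membership, while a login through FortiClient confirms that the token prompt appears only for users whose local entry has two-factor enabled.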
Try to connect to the SSL VPN from FortiClient. After the username and password are accepted, the client prompts for the token code.
Users whose local entry has no two-factor method configured are not prompted and log in with username and password only.
Troubleshooting:
If this has been configured properly and users are still not prompted for 2FA, check whether any RADIUS servers are configured.
If 'Include in every user group' (CLI: all-usergroup) is enabled on a RADIUS server, that server is implicitly added to every user group, including the local LDAP group, so a login can be matched through RADIUS and skip the token challenge. Disable this option unless it is specifically required.
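The RADIUS check above as CLI, added here as an example rather than taken from the original article; the server name "RADIUS-SRV" is a placeholder.

```text
# Inspect the RADIUS server definition; the offending line reads
# "set all-usergroup enable" when 'Include in every user group' is on.
show user radius

# Weak setting (breaks the LDAP token challenge):
config user radius
    edit "RADIUS-SRV"
        set all-usergroup enable
    next
end

# Corrected setting:
config user radius
    edit "RADIUS-SRV"
        set all-usergroup disable
    next
end
```

Re-test the SSL VPN login afterwards; the local LDAP group should now be the only match for the user and the token prompt should appear.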
Use the following commands to debug (set the filter before enabling debug output):
diag debug reset
diag vpn ssl debug-filter src-addr4 x.x.x.x <----- Substitute the client's public IP.
diag debug application fnbamd -1 <----- To verify the authentication process.
diag debug application sslvpn -1 <----- To verify the SSL VPN login.
diag debug application alertmail -1 <----- To verify email token delivery.
diagnose fortitoken debug enable -1 <----- To verify FortiToken issues.
diag debug enable
diag debug disable <----- Once the issue has been identified, disable the debug.
Related Articles:
Restricting VPN access with two-factor and LDAP authentication