FortiGate
Article Id 191794

Description

This article describes how to correctly configure Two-Factor Authentication on a FortiGate firewall for LDAP users.

Scope

FortiGate with LDAP.

Solution


Two-Factor Authentication works when specifying an LDAP user name, but when specifying a group name, permission is denied and the token code is not received.

Verification of Configuration:

  1. Integrate the firewall with the LDAP server and verify the connectivity.

  2. Create a remote group with a remote server and group name.

  3. Create an LDAP user with Two-Factor Authentication enabled with any of the available methods, such as SMS, email, and FortiToken.

  4. Create a local group for the LDAP users.

  5. Include the local group in the SSL VPN settings and firewall policy.

     Make sure not to refer to the remote group. Create a local firewall group for LDAP users with Two-Factor Authentication enabled.

  6. Try to connect to an SSL VPN from FortiClient. It will ask for the token code.

  7. Users who do not have the FortiToken configured will simply be able to log in without a token prompt.


Troubleshooting:

If this has been configured properly and users are still not getting prompted for 2FA, check if there are any RADIUS groups configured.

If 'Include in every user group' is enabled on that RADIUS group, this will also affect the LDAP groups and prevent 2FA from working.
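The steps above and the RADIUS caveat as a CLI equivalent, added here as an example and not taken from the original article; the server names, the user "jdoe", the IP address, the DN and the bind account are assumed placeholders.

```fortios
# Constructed example: LDAP server, a 2FA-enabled LDAP user, a local group
# holding that user, and an SSL VPN rule that references the LOCAL group.
config user ldap
    edit "LDAP-SRV"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fgt,OU=Service,DC=example,DC=com"
        set password BIND_PASSWORD_PLACEHOLDER
    next
end
# The local user name must match the account name held in LDAP.
# two-factor can be email, sms or fortitoken; email is shown here.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "LDAP-SRV"
        set two-factor email
        set email-to "jdoe@example.com"
        set status enable
    next
end
# Local group: its members are the LOCAL user objects above, not the
# LDAP server. This is the group the VPN settings and policy refer to.
config user group
    edit "LDAP-2FA-Users"
        set member "jdoe"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "LDAP-2FA-Users"
            set portal "full-access"
        next
    end
end
# Troubleshooting check: a RADIUS server with all-usergroup enabled
# (GUI: 'Include in every user group') is injected into every group,
# LDAP groups included, and users then authenticate without 2FA.
config user radius
    edit "RADIUS-SRV"
        set all-usergroup disable
    next
end
```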

 

Use the following commands to debug:

 

diag debug reset
diag debug application fnbamd -1               <----- To verify the authentication process.
diag vpn ssl debug-filter src-addr4 x.x.x.x    <----- Substitute the client's public IP.
diag debug application alertmail -1            <----- To verify token delivery.
diagnose fortitoken debug enable -1            <----- To verify FortiToken issues.
diag debug appl sslvpn -1
diag debug enable
diag debug disable                             <----- Once the issue has been identified, disable the debug.

 

Related Articles:

Restricting VPN access with two-factor and LDAP authentication