
How to troubleshoot Issue with MFA bypassed with an LDAP user setup on firewall

This article describes why MFA is bypassed when username-sensitivity is set to enable on a local user definition that authenticates against an LDAP server.

Scope

FortiGate.

Solution


The Token field is not displayed.

The user is created as a local user definition of type ldap (password checked against the LDAP remote server), with the option username-sensitivity set to enable and two-factor authentication with a FortiToken.

This setting ensures that only a username exactly matching the defined name (e.g. john) is allowed to connect, and that the FortiToken is required.

Other attempts with usernames such as John and JOHN will not match the defined user and will therefore be denied access.

config user local
    edit "john"
        set status enable
        set type ldap
        set two-factor fortitoken
        set fortitoken "*****"
        set email-to "******"
        set sms-server fortiguard
        set sms-phone ''
        set authtimeout 0
        set auth-concurrent-override disable
        set username-sensitivity enable
        set ldap-server "ABC-LDAP"
        set workstation ''
    next
end

In some scenarios these settings do not take effect: a login with a username such as John or JOHN is matched directly against the LDAP server instead of the local user definition and is granted access, bypassing MFA.

For this to work properly, the user group must be defined with the user definition as its member instead of using the LDAP remote group:


Error: Permission denied.

If the user group is configured with a combination of the LDAP remote server and a user definition as shown below, the username-sensitivity setting defined under the user definition can be bypassed.


This happens because username-sensitivity is a per-user setting under the user definition, not a global setting on the LDAP server. If the group contains both the user definition and the remote server, a login that fails the case-sensitive match on the user definition can still be matched against the same account on the LDAP server directly, and the MFA configured at the user level is never applied.
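The following is an added example (not configuration from the original article) showing the weak group definition described above beside the corrected one. The user "john" and the LDAP server "ABC-LDAP" come from the article; the group name "john-mfa-grp" and the LDAP group DN are assumptions.

```fortios
# Added example, not from the original article.
# Assumed names: group "john-mfa-grp" and the group-name DN below.

# WEAK: the group has both the local user definition and the LDAP server
# as members (optionally narrowed with a remote group match). A login as
# "John" or "JOHN" fails the case-sensitive match on "john", but is then
# matched against the same account through "ABC-LDAP", where no FortiToken
# is configured, so MFA is skipped.
config user group
    edit "john-mfa-grp"
        set member "john" "ABC-LDAP"
        config match
            edit 1
                set server-name "ABC-LDAP"
                # assumed DN, replace with the real LDAP group
                set group-name "CN=vpn-users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# CORRECTED: only the user definition is a member, so every login through
# this group is evaluated against "john" (case-sensitive match, then
# FortiToken). The password is still verified on the LDAP server via
# "set ldap-server" on the user definition itself.
config user group
    edit "john-mfa-grp"
        set member "john"
        unset match
    next
end
```

After changing the group, re-test with "john", "John" and "JOHN": only the exact-case username should reach the token prompt, and the others should be denied. To see which entry each attempt is matched against, the standard FortiOS authentication daemon debug (diagnose debug application fnbamd -1 followed by diagnose debug enable, and diagnose debug disable when done) shows whether the request was resolved through the local user definition or sent straight to the LDAP server.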