
Why a RADIUS user bypasses 2FA when connecting to SSL VPN

This article describes why a RADIUS user bypasses 2FA while connecting to SSL VPN.

Scope

FortiGate.

Solution

Note: username-case-sensitive is enabled under the RADIUS server (config user radius):

config user radius
    edit "FNF6"
        set server "172.16.3.2"
        set secret ENC 4jC7L++2xWFoF4N+23984ysdfebnjkQ1tORYOmgoTnnuE
        set timeout 5
        set all-usergroup disable
        set use-management-vdom disable
        set nas-ip 0.0.0.0
        set acct-interim-interval 0
        set radius-coa disable
        set radius-port 0
        set h3c-compatibility disable
        set auth-type auto
        set source-ip ''
        set username-case-sensitive enable
        unset group-override-attr-type
        set password-renewal enable
        set password-encoding auto
        set acct-all-servers disable
        set switch-controller-acct-fast-framedip-detect 2
        set interface-select-method auto
        unset switch-controller-service-type
        set rsso disable
    next
end

Remote user on FortiGate under user definition 'jimmy1124' (RADIUS user):

config user local
    edit "jimmy1124"
        set type radius
        set radius-server "FNF6"
    next
end

Scenario 1

The remote RADIUS user (jimmy1124) was added as a member of the user group on FortiGate, and this user group was then used under the SSL VPN settings. This is the incorrect configuration.

#1 success, MFA prompted, connectivity OK <----- if the exact name is used.
#2 success, MFA bypassed, connectivity OK <----- if the exact name is not used, e.g. JimMy1124.

The reason the user bypasses MFA in test #2 is that username case sensitivity is not enabled on the remote user entry (config user local) that the SSL VPN user group references, as mentioned previously; case sensitivity is only enabled in the RADIUS server configuration (config user radius).

In fact, the user is authenticated by FortiGate itself (proof: no MFA is prompted, yet the user is still allowed to log in).

Scenario 2

The RADIUS server (FNF6) was added as a member of the user group on FortiGate, and this user group was then used under the SSL VPN settings.

User definition: Roy21066
#1 success, MFA prompted, connectivity OK <----- if the exact name is used.
#2 success, MFA prompted, connectivity OK <----- if the exact name is not used, e.g. JimMy1124.

The user was prompted for 2FA even though the username did not match the exact case, because the authentication request is now forwarded to the RADIUS server (had it matched a user on FortiGate, 2FA would not have been prompted, as 2FA is not configured on FortiGate). However, some RADIUS servers also need to be configured for case sensitivity for this configuration to work.
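As an added example (not part of the original article), the two group definitions from Scenario 1 and Scenario 2 side by side in FortiOS CLI syntax, followed by a way to check which path authenticated a given login. The group name SSLVPN-RADIUS-USERS, the portal name full-access and the authentication-rule index 1 are assumed; the server FNF6 and the user jimmy1124 are the ones defined above.

```text
# Added example, not from the original article. The names SSLVPN-RADIUS-USERS
# and full-access are assumed; FNF6 and jimmy1124 are taken from the article.

# Scenario 1 (incorrect): the local entry of type radius is the group member.
# A login as "JimMy1124" still matches this entry, because config user local
# has no username-case-sensitive setting, so the case-sensitivity setting on
# the RADIUS server is never applied and no MFA is prompted.
config user group
    edit "SSLVPN-RADIUS-USERS"
        set member "jimmy1124"
    next
end

# Scenario 2 (correct): the RADIUS server itself is the group member, so every
# login in this group is forwarded to FNF6 and its 2FA policy applies.
config user group
    edit "SSLVPN-RADIUS-USERS"
        set member "FNF6"
    next
end

# The SSL VPN authentication rule references the group, not the user.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSLVPN-RADIUS-USERS"
            set portal "full-access"
        next
    end
end

# Check: test the differently cased username directly against the RADIUS
# server. Compare the result with the SSL VPN login: a login that succeeded
# without MFA while FNF6 does not accept that spelling was satisfied locally
# (Scenario 1). Replace <password> with the account's password.
diagnose test authserver radius FNF6 pap JimMy1124 <password>

# Trace the authentication daemon during a login attempt to confirm whether
# the request was forwarded to the RADIUS server at all.
diagnose debug application fnbamd -1
diagnose debug enable
```

Run the two diagnose commands from the CLI before attempting the SSL VPN login; disable debugging afterwards with diagnose debug disable.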