Fortigate VPN Token Sometimes Doesn't Work

When AD accounts are set up for VPN login on the FortiGate, token authentication must be enabled before a connection is allowed.
Some users, however, had everything configured and the app activated on their phones, yet when they logged in to the VPN they were never prompted for a token code; the login simply succeeded.
It turned out to depend on the case of the username: users who typed their account name in uppercase were not asked for a token code, while those who typed it in lowercase were.
The cause was how the VPN permissions had been set up. Before tokens were in use, the AD group had been added directly to the VPN configuration.
Now that tokens are required, each individual AD account has to be added to the user list, and that list is then added to the VPN configuration.
The VPN configuration therefore ends up with two different account sources. Removing the AD group from the VPN configuration is all that is needed to fix it.
After that, a user can only log in with an account name that matches an entry in the user list exactly, case included.
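The situation above, expressed as FortiOS CLI configuration, is an added illustration and not the post's own config. The server name, group name, user name, DN and token serial are placeholders. The weak version keeps two account sources in the same user group: the local user entry that carries the FortiToken, and the LDAP server plus AD group match that does not. Any login that is resolved through the LDAP group path never reaches the two-factor check. The corrected version keeps only the local user entries in the group.

```text
# --- Weak: the VPN user group has two account sources ---
config user ldap
    edit "AD-LDAP"                      # placeholder LDAP server name
        set server "10.0.0.10"          # placeholder domain controller
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"      # placeholder base DN
        set type regular
        set username "cn=svc-ldap,cn=Users,dc=example,dc=com"
        set password ENC-PLACEHOLDER
    next
end

config user local
    edit "jdoe"                         # placeholder AD account, must be typed in this case
        set type ldap
        set ldap-server "AD-LDAP"
        set two-factor fortitoken       # token is enforced only on this entry
        set fortitoken "FTKMOB-PLACEHOLDER"
    next
end

config user group
    edit "VPN-Users"
        # "jdoe" brings the token; "AD-LDAP" plus the match below lets any
        # member of the AD group in through LDAP alone, with no token.
        set member "jdoe" "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN-Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# --- Corrected: only the per-user entries remain in the group ---
config user group
    edit "VPN-Users"
        set member "jdoe"               # add further local entries here, one per account
        config match
            purge                       # drop the AD group match
        end
    next
end
```

After the change, check that an account is resolved through the local entry and is challenged for a token; `diagnose test authserver ldap AD-LDAP jdoe <password>` on the CLI shows how the LDAP server itself answers for the name, and the SSL-VPN or IPsec login event should now record the two-factor step for every user. Repeat the login with the name in a different case to confirm that it is rejected rather than silently accepted through another path.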