Accounts are stored on 2 LDAP servers. Those accounts are blocked after 3 bad attempts within 5 min.
Everything works fine when I'm using the correct login and password. But when, as sometimes happens, my password is wrong (it happens ^^), I can see the following exchange (for this example I'm using a local account instead of LDAP, but the behaviour is the same):
37: 11:55:54.421 1/00000000: - cidr match level 0 = world
37: 11:55:54.421 1/00000000: - connection request from 300.300.300.151
37: 11:55:54.421 1/1fb73344: 300.300.300.151 New session
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ---<start packet>---
37: 11:55:54.421 1/1fb73344: 300.300.300.151 key used: fortinet
37: 11:55:54.421 1/1fb73344: 300.300.300.151 version: 192, type: 1, seq no: 1, flags: unencrypted
37: 11:55:54.421 1/1fb73344: 300.300.300.151 session id: 4433b71f, data length: 22
37: 11:55:54.421 1/1fb73344: 300.300.300.151 packet body (len: 22): \001\000\001\001\004\000\n\000raph10.87.2.23
37: 11:55:54.421 1/1fb73344: 300.300.300.151 0000 01 00 01 01 04 00 0a 00 72 61 70 68 31 30 2e 38 ........ raph10.8
37: 11:55:54.421 1/1fb73344: 300.300.300.151 0010 37 2e 32 2e 32 33 7.2.23
37: 11:55:54.421 1/1fb73344: 300.300.300.151 AUTHEN/START, priv_lvl=0
37: 11:55:54.421 1/1fb73344: 300.300.300.151 action=login (1)
37: 11:55:54.421 1/1fb73344: 300.300.300.151 authen_type=ascii (1)
37: 11:55:54.421 1/1fb73344: 300.300.300.151 service=login (1)
37: 11:55:54.421 1/1fb73344: 300.300.300.151 user_len=4 port_len=0 rem_addr_len=10
37: 11:55:54.421 1/1fb73344: 300.300.300.151 data_len=0
37: 11:55:54.421 1/1fb73344: 300.300.300.151 user (len: 4): raph
37: 11:55:54.421 1/1fb73344: 300.300.300.151 port (len: 0):
37: 11:55:54.421 1/1fb73344: 300.300.300.151 rem_addr (len: 10): 10.87.2.23
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ---<end packet>---
37: 11:55:54.421 1/1fb73344: 300.300.300.151 authen: hdr->seq_no: 1
37: 11:55:54.421 1/1fb73344: 300.300.300.151 looking for user raph realm default
37: 11:55:54.421 1/1fb73344: 300.300.300.151 cfg_get: checking user/group raph, tag (NULL)
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: NAS matched (unrestricted)
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: NAC matched (unrestricted)
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: Port matched (unrestricted)
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default line 1: Realm "default" <=> "default"
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: Realm matched
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: Timespec matched (unrestricted)
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: ACL matched (unrestricted)
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: match
37: 11:55:54.421 1/1fb73344: 300.300.300.151 cfg_get: checking user/group ADMIN, tag (NULL)
37: 11:55:54.421 1/1fb73344: 300.300.300.151 user lookup succeded
37: 11:55:54.421 1/1fb73344: 300.300.300.151 Writing AUTHEN/GETPASS size=63
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ---<start packet>---
37: 11:55:54.421 1/1fb73344: 300.300.300.151 key used: fortinet
37: 11:55:54.421 1/1fb73344: 300.300.300.151 version: 192, type: 1, seq no: 2, flags: unencrypted
37: 11:55:54.421 1/1fb73344: 300.300.300.151 session id: 4433b71f, data length: 51
37: 11:55:54.421 1/1fb73344: 300.300.300.151 packet body (len: 51): \005\001\000-\000\000Unauthorized access is prohibited!\nPassword:
37: 11:55:54.421 1/1fb73344: 300.300.300.151 0000 05 01 00 2d 00 00 55 6e 61 75 74 68 6f 72 69 7a ...-..Un authoriz
37: 11:55:54.421 1/1fb73344: 300.300.300.151 0010 65 64 20 61 63 63 65 73 73 20 69 73 20 70 72 6f ed acces s is pro
37: 11:55:54.421 1/1fb73344: 300.300.300.151 0020 68 69 62 69 74 65 64 21 0a 50 61 73 73 77 6f 72 hibited! .Passwor
37: 11:55:54.421 1/1fb73344: 300.300.300.151 0030 64 3a 20 d:
37: 11:55:54.421 1/1fb73344: 300.300.300.151 AUTHEN, status=5 (AUTHEN/GETPASS) flags=0x1
37: 11:55:54.421 1/1fb73344: 300.300.300.151 msg_len=45, data_len=0
37: 11:55:54.421 1/1fb73344: 300.300.300.151 msg (len: 45): Unauthorized access is prohibited!\nPassword:
37: 11:55:54.421 1/1fb73344: 300.300.300.151 data (len: 0):
37: 11:55:54.421 1/1fb73344: 300.300.300.151 ---<end packet>---
37: 11:55:54.432 1/1fb73344: 300.300.300.151 ---<start packet>---
37: 11:55:54.432 1/1fb73344: 300.300.300.151 key used: fortinet
37: 11:55:54.432 1/1fb73344: 300.300.300.151 version: 192, type: 1, seq no: 3, flags: unencrypted
37: 11:55:54.432 1/1fb73344: 300.300.300.151 session id: 4433b71f, data length: 13
37: 11:55:54.432 1/1fb73344: 300.300.300.151 packet body [partially masked] (len: 13): \000\b\000\000\000********
37: 11:55:54.432 1/1fb73344: 300.300.300.151 0000 00 08 00 00 00 2a 2a 2a 2a 2a 2a 2a 2a .....*** *****
37: 11:55:54.432 1/1fb73344: 300.300.300.151 AUTHEN/CONT user_msg_len=8, user_data_len=0
37: 11:55:54.432 1/1fb73344: 300.300.300.151 ---<end packet>---
37: 11:55:54.432 1/1fb73344: 300.300.300.151 authen: hdr->seq_no: 3
37: 11:55:54.432 1/1fb73344: 300.300.300.151 looking for user raph realm default
37: 11:55:54.432 1/1fb73344: 300.300.300.151 cfg_get: checking user/group raph, tag (NULL)
37: 11:55:54.432 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: match (cached)
37: 11:55:54.432 1/1fb73344: 300.300.300.151 cfg_get: checking user/group ADMIN, tag (NULL)
37: 11:55:54.432 1/1fb73344: 300.300.300.151 user lookup succeded
37: 11:55:54.432 1/1fb73344: 300.300.300.151 shell login for 'raph' from 10.87.2.23 failed
37: 11:55:54.432 1/1fb73344: 300.300.300.151 Writing AUTHEN/GETPASS size=48
37: 11:55:54.432 1/1fb73344: 300.300.300.151 ---<start packet>---
37: 11:55:54.432 1/1fb73344: 300.300.300.151 key used: fortinet
37: 11:55:54.432 1/1fb73344: 300.300.300.151 version: 192, type: 1, seq no: 4, flags: unencrypted
37: 11:55:54.432 1/1fb73344: 300.300.300.151 session id: 4433b71f, data length: 36
37: 11:55:54.432 1/1fb73344: 300.300.300.151 packet body (len: 36): \005\001\000\036\000\000Password incorrect.\nPassword:
37: 11:55:54.432 1/1fb73344: 300.300.300.151 0000 05 01 00 1e 00 00 50 61 73 73 77 6f 72 64 20 69 ......Pa ssword i
37: 11:55:54.432 1/1fb73344: 300.300.300.151 0010 6e 63 6f 72 72 65 63 74 2e 0a 50 61 73 73 77 6f ncorrect ..Passwo
37: 11:55:54.432 1/1fb73344: 300.300.300.151 0020 72 64 3a 20 rd:
37: 11:55:54.432 1/1fb73344: 300.300.300.151 AUTHEN, status=5 (AUTHEN/GETPASS) flags=0x1
37: 11:55:54.432 1/1fb73344: 300.300.300.151 msg_len=30, data_len=0
37: 11:55:54.432 1/1fb73344: 300.300.300.151 msg (len: 30): Password incorrect.\nPassword:
37: 11:55:54.432 1/1fb73344: 300.300.300.151 data (len: 0):
37: 11:55:54.432 1/1fb73344: 300.300.300.151 ---<end packet>---
37: 11:55:54.454 1/1fb73344: 300.300.300.151 ---<start packet>---
37: 11:55:54.454 1/1fb73344: 300.300.300.151 key used: fortinet
37: 11:55:54.454 1/1fb73344: 300.300.300.151 version: 192, type: 1, seq no: 5, flags: unencrypted
37: 11:55:54.454 1/1fb73344: 300.300.300.151 session id: 4433b71f, data length: 13
37: 11:55:54.454 1/1fb73344: 300.300.300.151 packet body [partially masked] (len: 13): \000\b\000\000\000********
37: 11:55:54.454 1/1fb73344: 300.300.300.151 0000 00 08 00 00 00 2a 2a 2a 2a 2a 2a 2a 2a .....*** *****
37: 11:55:54.454 1/1fb73344: 300.300.300.151 AUTHEN/CONT user_msg_len=8, user_data_len=0
37: 11:55:54.454 1/1fb73344: 300.300.300.151 ---<end packet>---
37: 11:55:54.454 1/1fb73344: 300.300.300.151 authen: hdr->seq_no: 5
37: 11:55:54.454 1/1fb73344: 300.300.300.151 looking for user raph realm default
37: 11:55:54.454 1/1fb73344: 300.300.300.151 cfg_get: checking user/group raph, tag (NULL)
37: 11:55:54.454 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: match (cached)
37: 11:55:54.454 1/1fb73344: 300.300.300.151 cfg_get: checking user/group ADMIN, tag (NULL)
37: 11:55:54.454 1/1fb73344: 300.300.300.151 user lookup succeded
37: 11:55:54.454 1/1fb73344: 300.300.300.151 shell login for 'raph' from 10.87.2.23 failed (retry with identical password)
37: 11:55:54.454 1/1fb73344: 300.300.300.151 Writing AUTHEN/GETPASS size=48
37: 11:55:54.454 1/1fb73344: 300.300.300.151 ---<start packet>---
37: 11:55:54.454 1/1fb73344: 300.300.300.151 key used: fortinet
37: 11:55:54.454 1/1fb73344: 300.300.300.151 version: 192, type: 1, seq no: 6, flags: unencrypted
37: 11:55:54.454 1/1fb73344: 300.300.300.151 session id: 4433b71f, data length: 36
37: 11:55:54.454 1/1fb73344: 300.300.300.151 packet body (len: 36): \005\001\000\036\000\000Password incorrect.\nPassword:
37: 11:55:54.454 1/1fb73344: 300.300.300.151 0000 05 01 00 1e 00 00 50 61 73 73 77 6f 72 64 20 69 ......Pa ssword i
37: 11:55:54.454 1/1fb73344: 300.300.300.151 0010 6e 63 6f 72 72 65 63 74 2e 0a 50 61 73 73 77 6f ncorrect ..Passwo
37: 11:55:54.454 1/1fb73344: 300.300.300.151 0020 72 64 3a 20 rd:
37: 11:55:54.454 1/1fb73344: 300.300.300.151 AUTHEN, status=5 (AUTHEN/GETPASS) flags=0x1
37: 11:55:54.454 1/1fb73344: 300.300.300.151 msg_len=30, data_len=0
37: 11:55:54.454 1/1fb73344: 300.300.300.151 msg (len: 30): Password incorrect.\nPassword:
37: 11:55:54.454 1/1fb73344: 300.300.300.151 data (len: 0):
37: 11:55:54.454 1/1fb73344: 300.300.300.151 ---<end packet>---
37: 11:55:54.468 1/1fb73344: 300.300.300.151 ---<start packet>---
37: 11:55:54.468 1/1fb73344: 300.300.300.151 key used: fortinet
37: 11:55:54.468 1/1fb73344: 300.300.300.151 version: 192, type: 1, seq no: 7, flags: unencrypted
37: 11:55:54.468 1/1fb73344: 300.300.300.151 session id: 4433b71f, data length: 13
37: 11:55:54.468 1/1fb73344: 300.300.300.151 packet body [partially masked] (len: 13): \000\b\000\000\000********
37: 11:55:54.468 1/1fb73344: 300.300.300.151 0000 00 08 00 00 00 2a 2a 2a 2a 2a 2a 2a 2a .....*** *****
37: 11:55:54.468 1/1fb73344: 300.300.300.151 AUTHEN/CONT user_msg_len=8, user_data_len=0
37: 11:55:54.468 1/1fb73344: 300.300.300.151 ---<end packet>---
37: 11:55:54.468 1/1fb73344: 300.300.300.151 authen: hdr->seq_no: 7
37: 11:55:54.468 1/1fb73344: 300.300.300.151 looking for user raph realm default
37: 11:55:54.468 1/1fb73344: 300.300.300.151 cfg_get: checking user/group raph, tag (NULL)
37: 11:55:54.468 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: match (cached)
37: 11:55:54.468 1/1fb73344: 300.300.300.151 cfg_get: checking user/group ADMIN, tag (NULL)
37: 11:55:54.468 1/1fb73344: 300.300.300.151 user lookup succeded
37: 11:55:54.468 1/1fb73344: 300.300.300.151 shell login for 'raph' from 10.87.2.23 failed (retry with identical password)
37: 11:55:54.468 1/1fb73344: 300.300.300.151 Writing AUTHEN/GETPASS size=48
37: 11:55:54.468 1/1fb73344: 300.300.300.151 ---<start packet>---
37: 11:55:54.468 1/1fb73344: 300.300.300.151 key used: fortinet
37: 11:55:54.468 1/1fb73344: 300.300.300.151 version: 192, type: 1, seq no: 8, flags: unencrypted
37: 11:55:54.468 1/1fb73344: 300.300.300.151 session id: 4433b71f, data length: 36
37: 11:55:54.468 1/1fb73344: 300.300.300.151 packet body (len: 36): \005\001\000\036\000\000Password incorrect.\nPassword:
37: 11:55:54.468 1/1fb73344: 300.300.300.151 0000 05 01 00 1e 00 00 50 61 73 73 77 6f 72 64 20 69 ......Pa ssword i
37: 11:55:54.468 1/1fb73344: 300.300.300.151 0010 6e 63 6f 72 72 65 63 74 2e 0a 50 61 73 73 77 6f ncorrect ..Passwo
37: 11:55:54.468 1/1fb73344: 300.300.300.151 0020 72 64 3a 20 rd:
37: 11:55:54.468 1/1fb73344: 300.300.300.151 AUTHEN, status=5 (AUTHEN/GETPASS) flags=0x1
37: 11:55:54.468 1/1fb73344: 300.300.300.151 msg_len=30, data_len=0
37: 11:55:54.468 1/1fb73344: 300.300.300.151 msg (len: 30): Password incorrect.\nPassword:
37: 11:55:54.468 1/1fb73344: 300.300.300.151 data (len: 0):
37: 11:55:54.468 1/1fb73344: 300.300.300.151 ---<end packet>---
37: 11:55:54.484 1/1fb73344: 300.300.300.151 ---<start packet>---
37: 11:55:54.484 1/1fb73344: 300.300.300.151 key used: fortinet
37: 11:55:54.484 1/1fb73344: 300.300.300.151 version: 192, type: 1, seq no: 9, flags: unencrypted
37: 11:55:54.484 1/1fb73344: 300.300.300.151 session id: 4433b71f, data length: 13
37: 11:55:54.484 1/1fb73344: 300.300.300.151 packet body [partially masked] (len: 13): \000\b\000\000\000********
37: 11:55:54.484 1/1fb73344: 300.300.300.151 0000 00 08 00 00 00 2a 2a 2a 2a 2a 2a 2a 2a .....*** *****
37: 11:55:54.484 1/1fb73344: 300.300.300.151 AUTHEN/CONT user_msg_len=8, user_data_len=0
37: 11:55:54.484 1/1fb73344: 300.300.300.151 ---<end packet>---
37: 11:55:54.484 1/1fb73344: 300.300.300.151 authen: hdr->seq_no: 9
37: 11:55:54.484 1/1fb73344: 300.300.300.151 looking for user raph realm default
37: 11:55:54.484 1/1fb73344: 300.300.300.151 cfg_get: checking user/group raph, tag (NULL)
37: 11:55:54.484 1/1fb73344: 300.300.300.151 ra...@10.87.2.23: ACL __internal__realm_default: match (cached)
37: 11:55:54.484 1/1fb73344: 300.300.300.151 cfg_get: checking user/group ADMIN, tag (NULL)
37: 11:55:54.484 1/1fb73344: 300.300.300.151 user lookup succeded
37: 11:55:54.484 1/1fb73344: 300.300.300.151 shell login for 'raph' from 10.87.2.23 failed (retry with identical password)
37: 11:55:54.484 1/1fb73344: 300.300.300.151 Writing AUTHEN/FAIL size=82
37: 11:55:54.484 1/1fb73344: 300.300.300.151 ---<start packet>---
37: 11:55:54.484 1/1fb73344: 300.300.300.151 key used: fortinet
37: 11:55:54.484 1/1fb73344: 300.300.300.151 version: 192, type: 1, seq no: 10, flags: unencrypted
37: 11:55:54.484 1/1fb73344: 300.300.300.151 session id: 4433b71f, data length: 70
37: 11:55:54.484 1/1fb73344: 300.300.300.151 packet body (len: 70): \002\000\000@\000\000Password incorrect.\n\nGo away! Unauthorized access is prohibited!
37: 11:55:54.484 1/1fb73344: 300.300.300.151 0000 02 00 00 40 00 00 50 61 73 73 77 6f 72 64 20 69 ...@..Pa ssword i
37: 11:55:54.484 1/1fb73344: 300.300.300.151 0010 6e 63 6f 72 72 65 63 74 2e 0a 0a 47 6f 20 61 77 ncorrect ...Go aw
37: 11:55:54.484 1/1fb73344: 300.300.300.151 0020 61 79 21 20 55 6e 61 75 74 68 6f 72 69 7a 65 64 ay! Unau thorized
37: 11:55:54.484 1/1fb73344: 300.300.300.151 0030 20 61 63 63 65 73 73 20 69 73 20 70 72 6f 68 69 access is prohi
37: 11:55:54.484 1/1fb73344: 300.300.300.151 0040 62 69 74 65 64 21 bited!
37: 11:55:54.484 1/1fb73344: 300.300.300.151 AUTHEN, status=2 (AUTHEN/FAIL) flags=0x0
37: 11:55:54.484 1/1fb73344: 300.300.300.151 msg_len=64, data_len=0
37: 11:55:54.484 1/1fb73344: 300.300.300.151 msg (len: 64): Password incorrect.\n\nGo away! Unauthorized access is prohibited!
37: 11:55:54.484 1/1fb73344: 300.300.300.151 data (len: 0):
37: 11:55:54.484 1/1fb73344: 300.300.300.151 ---<end packet>---
Once the login is accepted by the TACACS server, the TACACS server initiates a "send password (5)" with sequence number 2. The FortiGate replies with a wrong password, which is not accepted by the TACACS server. But instead of refusing access, it instantly sends another "send user" request, to which the FortiGate responds once again. And that happens a total of 4 times.
As the request is relayed to the LDAP server, my account is blocked even though I've really only made one attempt.
This behaviour happens with both WebUI and SSH connections.
Is this the correct behaviour? If so, is there a workaround to resolve my issue?
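The exchange in the log above, decoded as an added example (not code from the original post or from tac_plus): it parses the AUTHEN START, REPLY and CONTINUE bodies as laid out in RFC 8907, using bytes constructed from the hex dumps in the log (the masked password is a placeholder), and counts how many password submissions the server took in one session before the final FAIL, which is the number of attempts the backend sees.

```python
import struct
# AUTHEN REPLY status values (RFC 8907, section 5.2)
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}
TERMINAL = {"PASS", "FAIL", "ERROR"}  # statuses that end the session

def parse_authen_start(body):
    """START body: 8 one-byte fields, then user, port, rem_addr and data."""
    f = struct.unpack("!8B", body[:8])
    out = dict(zip(("action", "priv_lvl", "authen_type", "service"), f[:4]))
    off = 8
    for name, ln in zip(("user", "port", "rem_addr", "data"), f[4:]):
        out[name] = body[off:off + ln]
        off += ln
    return out

def parse_authen_reply(body):
    """REPLY body: status, flags, msg_len, data_len, then server_msg and data."""
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    return {"status": REPLY_STATUS.get(status, status), "noecho": bool(flags & 1),
            "msg": body[6:6 + msg_len].decode(), "data": body[6 + msg_len:][:data_len]}

def parse_authen_continue(body):
    """CONTINUE body: user_msg_len, data_len, flags, then user_msg and data."""
    user_msg_len, data_len, flags = struct.unpack("!HHB", body[:5])
    return {"user_msg_len": user_msg_len, "data_len": data_len, "abort": bool(flags & 1)}

def count_password_submissions(bodies):
    """Walk one session (seq 1 START, even seq server REPLY, odd seq client
    CONTINUE) and return (passwords the client sent, final reply status)."""
    submitted, status, awaiting_pass = 0, None, False
    for seq, body in enumerate(bodies, start=1):
        if seq == 1:
            parse_authen_start(body)
        elif seq % 2 == 0:
            status = parse_authen_reply(body)["status"]
            if status in TERMINAL:
                break
            awaiting_pass = status == "GETPASS"
        elif awaiting_pass and not parse_authen_continue(body)["abort"]:
            submitted += 1  # one more password handed to the backend (LDAP in the post)
    return submitted, status

# Bodies constructed from the hex dumps in the log; the masked password is a placeholder.
START = b"\x01\x00\x01\x01\x04\x00\x0a\x00raph10.87.2.23"
GETPASS1 = b"\x05\x01\x00\x2d\x00\x00Unauthorized access is prohibited!\nPassword: "
GETPASS = b"\x05\x01\x00\x1e\x00\x00Password incorrect.\nPassword: "
CONT = b"\x00\x08\x00\x00\x00********"
FAIL = b"\x02\x00\x00\x40\x00\x00Password incorrect.\n\nGo away! Unauthorized access is prohibited!"
SESSION = [START, GETPASS1, CONT, GETPASS, CONT, GETPASS, CONT, GETPASS, CONT, FAIL]
```

`count_password_submissions(SESSION)` returns `(4, 'FAIL')`, matching the four "shell login ... failed" lines in the log for a single session id.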