Technical Tip: Multi-Factor Authentication support for Windows FortiClient with LDAP (EAP-TTLS)
Description
This article describes the support of Multi-Factor Authentication on Windows FortiClient with LDAP (EAP-TTLS) on IKEv2 IPsec dial-up connection.
Scope
FortiGate v7.4.9 and later, FortiClient Windows v7.4.4.
Solution
Required firmware versions:
EAP-TTLS MFA support requires the following minimum firmware versions:
- FortiOS v7.4.9, v7.6.1.
- FortiClient Windows v7.4.4. Note that the VPN-only free version of FortiClient Windows does not have a v7.4.4 release; see Special notices.
EAP-TTLS is configured using the 'EAP Authentication Method' GUI option in FortiClient EMS v7.4.4 and later. While FortiClient Windows v7.4.3 does support EAP-TTLS using XML configuration, it does not support combining EAP-TTLS with MFA.
EAP methods:
FortiGate IKEv2 dial-up user authentication is done using EAP methods and FortiClient. Active Directory users authenticating to FortiOS IKEv2 Dialup VPN use one of the following options:
- EAP-MSCHAPv2: requires a domain-joined FortiAuthenticator RADIUS proxy, see this article: Technical Tip: Joining FortiAuthenticator in the active directory as a machine entity.
- EAP-TTLS/PAP: Used when FortiGate connects to an LDAP server directly or when the remote RADIUS server is not part of the Active Directory domain.
When no external RADIUS server is configured, the EAP-TTLS authentication terminates on the FortiGate. If FortiAuthenticator is used as a RADIUS proxy, the EAP-TTLS authentication passes through FortiGate to terminate on the FortiAuthenticator. See this article: Technical Tip: FortiOS IKEv2 EAP user authentication operation.
When FortiAuthenticator terminates EAP-TTLS, the CA certificate that signed FortiAuthenticator's EAP service certificate must be present in the client device's system (computer) certificate store; the user certificate store is not sufficient. If the CA certificate is not present on the client, an error like the following is visible in the FortiAuthenticator debug log:
FortiAuthenticator radiusd[2154]: (8) eap_ttls: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate. Please update the client so that it knows about the CA.
If FortiAuthenticator uses its default certificate, download the CA certificate from Certificate Management -> Trusted CA and install it in the client device's system certificate store.
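The following PowerShell check is an added example, not part of the article or of any Fortinet tool. It reports which Windows certificate stores hold a CA matching a subject pattern and warns when the only copy is in the user store, which is the situation that produces the debug message above. The subject pattern '*FortiAuthenticator*' is an assumption; replace it with the subject of the CA you exported from Certificate Management -> Trusted CA.

```powershell
# Added example: verify the CA that signed FortiAuthenticator's EAP certificate
# is in the computer (system) store, not only in the current user's store.
# The subject pattern is an assumed value; adjust it to your exported CA.
function Test-EapCaTrust {
    param(
        [Parameter(Mandatory)][string]$SubjectPattern
    )
    # System (computer) stores are checked first; the user store is listed only
    # so that a misplaced import shows up in the report.
    $stores = @(
        'Cert:\LocalMachine\Root',   # computer Trusted Root CAs
        'Cert:\LocalMachine\CA',     # computer Intermediate CAs
        'Cert:\CurrentUser\Root'     # user Trusted Root CAs (not sufficient for EAP-TTLS)
    )
    $found = foreach ($store in $stores) {
        $hits = Get-ChildItem -Path $store | Where-Object { $_.Subject -like $SubjectPattern }
        foreach ($cert in $hits) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
    if (-not $found) {
        Write-Warning "No certificate matching '$SubjectPattern' found in any checked store."
        return $false
    }
    $found | Format-Table -AutoSize
    $inSystemStore = $found | Where-Object { $_.Store -like 'Cert:\LocalMachine\*' -and -not $_.Expired }
    if ($inSystemStore) {
        Write-Host "OK: CA is present and unexpired in the computer certificate store."
        return $true
    }
    Write-Warning "CA is only in the CurrentUser store (or expired); EAP-TTLS trust on FortiClient requires the computer store."
    return $false
}

Test-EapCaTrust -SubjectPattern '*FortiAuthenticator*'
```

If the check fails, importing the exported file into the computer store from an elevated prompt (for example with Import-Certificate -FilePath .\fac-ca.cer -CertStoreLocation Cert:\LocalMachine\Root, where the file name is a placeholder) and re-running the check confirms the fix before the next VPN attempt.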

Note: Currently, no version of FortiAuthenticator supports challenge-based EAP-TTLS with two-factor authentication (2FA).
As a workaround, users must enter a concatenated credential for EAP-TTLS 2FA: the password immediately followed by the token code. For example: p@ssw0rd345678.
FortiToken assigned to FortiGate:
FortiToken Mobile OTP code prompt and push are supported for individual FortiGate users with the 'Remote LDAP' User Type and an assigned FortiToken; see this document: Users.
FortiToken assigned to FortiAuthenticator:
FortiAuthenticator does not support a token prompt when FortiClient is using EAP-TTLS. However, appending the token code to the user's password can be used as a workaround; see this article: Technical Tip: How to resolve the 'EAP authentication failed due to missing token' error when using EAP-TTLS /PAP + 2FA Authentication.
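To make the concatenation workaround (described in the Note above and again in this section) concrete, here is an added PowerShell example of how an authentication back end can validate a credential of the form <password><token>. It is not FortiAuthenticator's code and makes no claim about its internals; the TOTP seed, password and clock values are constructed test data, and the TOTP computation follows RFC 6238 with a 30-second step and 6 digits.

```powershell
# Added example: server-side validation of a concatenated EAP-TTLS/PAP credential.
# Inside the TLS tunnel PAP delivers the full string in clear, so the server can
# split it, bind the password part to the directory and check the token part.
# All secrets and timestamps here are constructed test values.

function ConvertFrom-Base32 {
    param([string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($ch in $Base32.ToUpper().TrimEnd('=').ToCharArray()) {
        $val = $alphabet.IndexOf($ch)
        if ($val -lt 0) { throw "Invalid base32 character '$ch'" }
        $bits += [Convert]::ToString($val, 2).PadLeft(5, '0')
    }
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return [byte[]]$bytes
}

function Get-Totp {
    param([byte[]]$Key, [long]$UnixTime, [int]$Step = 30, [int]$Digits = 6)
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }   # RFC 4226: big-endian counter
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Key)
    $hash = $hmac.ComputeHash($msg)
    $offset = $hash[19] -band 0x0F                                   # dynamic truncation
    $code = (($hash[$offset] -band 0x7F) -shl 24) -bor ($hash[$offset + 1] -shl 16) `
            -bor ($hash[$offset + 2] -shl 8) -bor $hash[$offset + 3]
    return ($code % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

function Test-ConcatenatedCredential {
    param(
        [string]$Submitted,        # the PAP password field as sent by the client
        [string]$StoredPassword,   # stand-in for an LDAP bind with the password part
        [byte[]]$TokenSeed,
        [long]$UnixTime,
        [int]$Digits = 6,
        [int]$WindowSteps = 1      # tolerate one 30 s step of clock drift either way
    )
    # The token is always the LAST $Digits characters, so a password that itself
    # ends in digits is still split unambiguously.
    if ($Submitted.Length -le $Digits) { return $false }
    $password = $Submitted.Substring(0, $Submitted.Length - $Digits)
    $otp      = $Submitted.Substring($Submitted.Length - $Digits)
    if ($otp -notmatch '^\d+$') { return $false }
    if ($password -cne $StoredPassword) { return $false }
    for ($d = -$WindowSteps; $d -le $WindowSteps; $d++) {
        $expected = Get-Totp -Key $TokenSeed -UnixTime ($UnixTime + 30 * $d) -Digits $Digits
        if ($expected -ceq $otp) { return $true }
    }
    return $false
}

# Constructed demonstration: a valid concatenation and the static example from the article.
$seed = ConvertFrom-Base32 'JBSWY3DPEHPK3PXP'
$now  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$code = Get-Totp -Key $seed -UnixTime $now
Test-ConcatenatedCredential -Submitted ('p@ssw0rd' + $code) -StoredPassword 'p@ssw0rd' -TokenSeed $seed -UnixTime $now
Test-ConcatenatedCredential -Submitted 'p@ssw0rd345678'    -StoredPassword 'p@ssw0rd' -TokenSeed $seed -UnixTime $now
```

Two design points carry over to any real deployment of this workaround: the split must use a fixed token length from the end of the string rather than searching for digits, and a production validator should also record the last accepted time step per user so that a captured concatenated credential cannot be replayed within the drift window.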
If FortiTokens are assigned to Active Directory users in FortiAuthenticator, it is recommended to enable EAP-MSCHAPv2 on FortiClient and enable 'Windows Active Directory Domain Authentication' on FortiAuthenticator. See this document: Remote authentication servers.
FortiToken assigned to FortiIdentity Cloud:
FortiOS v7.6.6 and earlier do not support FortiIdentity Cloud MFA for LDAP users authenticating as part of a firewall user group. For an example of this user type, see this document: Synchronizing LDAP Active Directory users to FortiToken Cloud using the group filter 7.0.6. This is tracked as issue ID 1213238.
As a workaround, define the users individually on FortiGate with a matching remote LDAP server and two-factor 'fortitoken-cloud'.
config user local
    edit <username>
        set type ldap
        set two-factor fortitoken-cloud
        set ldap-server <LDAP server>
    next
end
This issue is scheduled for resolution in FortiOS v7.6.6 and v8.0.0.
Third-party MFA:
Third-party MFA support depends on the remote server type. FortiGate supports MFA performed by a remote RADIUS authentication server if the 'config user radius' timeout (together with the global remoteauthtimeout) allows enough time for the MFA step to complete, and no token prompt is required on the FortiClient.
config system global
    set remoteauthtimeout <seconds>
end
config user radius
    edit <server name>
        set timeout <seconds>
    next
end
FortiOS v7.6.7 and later are planned to support third-party MFA on remote LDAP servers using the global remoteauthtimeout. See the article Technical Tip: EAP proxy times out after 5 seconds on dial-up IKEv2 tunnel when using remote authentication server.
Related articles:
Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
Technical Tip: Overview of compatible IKE versions, user authentication methods, and FortiGate/FortiClient firmware
