Skip to main content
maxime_valcin
maxime_valcin
New Member
October 2, 2020
Question

SSL VPN 2FA with Duo Security

  • October 2, 2020
  • 1 reply
  • 10394 views

Hello, 

 

I am having an issue with my SSLVPN 2FA implementation with Duo.  I have an account with Duo Security and create an appropriate user, installed and configured the Duo Authentication Proxy, configured a Radius server on my FG50E UTM and created a user/group on my FG50 and added the group to the appropriate policy.  on my FG50, the Radius connectivity test is successful and so is the test using user credentials.  

 

The issue that I am facing is when I enter my credentials using ForticlientVPN (iOS) or using a web browser.  If I enter my username with the correct password, the login isn't challenged with Duo 2FA.  My FG50 accepts my credentials and establishes an encrypted session.  If I enter my username with no or an incorrect password, I get challenged with Duo 2FA.  

 

The desired behavior is to have my FG50 as the primary authenticator. If the entered credentials are valid, further challenge the login with Radius/Duo.  If the entered credentials are not valid, the FG50 should throw an error.

 

The credentials in question is a local account on the FG.  AD/LDAP is not being used.

 

Anyone else using Duo encountered this issue?  Any assistance would be greatly appreciated.

 

Thanks

    1 reply

    emnoc
    emnoc
    New Member
    October 2, 2020

    Never heard  anybody ever doing that. Don't even think it's possible. fwiw.

     Here's how we setup duo for MFA and VPN.

     

    http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html

     

    If you want to do one shot you can call up the username password and otp on the login.

     

    userpassword,otp

     

     

    ken Felix

    maxime_valcin
    maxime_valcinAuthor
    New Member
    October 3, 2020

    Hi Ken, 

     

    Thanks for the response.

     

    I fear that I may not have explained myself properly.

     

    All I want is user+password(Fortigate) and Duo Push to my mobile device.  My FG50 does the initial credential validation and if it passes, I get a Duo Push to accept or deny the request.  

     

    Right now, my FG50 validates my credentials and connects me without getting a Duo Push.  The only time I get the Duo Push when I enter a valid username but an invalid password.  

     

    I hope I better described my issue and you can provide further assistance.

     

    Thanks

    boneyard
    boneyard
    Valued Contributor
    October 4, 2020

    as emnoc points out this wont be possible with just a FortiGate. it is quite annoying limited in doing two factor against an outside RADIUS setup. you will need a proxy like pointed out which does part of the authentication itself (user / password) or on a different device and the other part (two factor) on another device.

     

    what you see is probably as the first authention fails (local user auth i guess?) it tries the next and that is then Duo. but if the first authentication succeeded that is enough.

    Terms & ConditionsAccessibility statement