Skip to main content
tgold
tgold
New Member
May 19, 2022
Question

SSL VPN Saml authentication with Duo

  • May 19, 2022
  • 1 reply
  • 4442 views

We have been using SSL VPN with Azure AD without issue for a couple months now. I am currently doing a POC with Duo for mfa and am running into some problems with SSL VPN. The setup seems straight forward and Duo has some documentation on it, but I cannot get VPN to work. I get the Duo login screen and have to allow the MFA, then I just get a message saying "No Access."

 

So it seems like the Saml part is working it's just that the Fortigate is not giving my account access. The only difference in the config between this and Azure is that with Azure, we were using the group matching like so.

 

edit "VPNtest"

        set member "azure"

        config match

            edit 1

                set server-name "azure"

                set group-name "object id from Azure AD"

 

With Duo, I simple want to allow all users so it is configured as:

 

edit "VPNtestduo"

        set member "duo"

    next

 

I tried running some debug commands for sslvpn, and saml, but I can't see why it isn't allowing access. Any ideas?

1 reply

Debbie_FTNT
Staff & Editor
Debbie_FTNT
Staff & Editor
May 20, 2022

Hey tgold,

the group object should be fine; as long as Duo returns a successful authentication to FortiGate, FortiGate should consider the user a member of the 'VPNtestduo' group and act accordingly.

I would suggest double-checking the following:


- you have the correct username attribute set:

#config user saml

#edit <>

#set user-name <SAML attribute>

-> double-check that the attribute defined here is one that Duo sends in its response and does contain a username

 

- the DUO VPN group is associated with at least one SSLVPN policy and has a portal mapped

-> verify that the 'VPNtestduo' group is in at least one policy with the SSLVPN tunnel interface as source

-> verify that you have a portal mapping for the group in your VPN settings (and that the portal allows web-mode/tunnel-mode as necessary)

 

- The FortiGate SAML server config has the correct certificate and URLs

-> double-check that you have the Duo IdP certificate imported and referenced in the SAML server settings on FGT

-> double-check that you have the correct URLs configured

-> I once had the issue in lab where FortiGate was configured to access an IdP on its IP, but the IdP was configured to reply with its URL in the SAML response, leading to a mismatch and FGT not accepting the SAML response :\

 

If you have checked through all the settings, I would dig deeper into sslvpn and saml debug to find error messages, such as 'failed group matching' or 'The identifier of a provider is unknown to #LassoServer'.

If you're not sure what to look for, I would suggest opening a ticket with Technical Support to dig into the samld and sslvpnd debug to figure out what's going on.

Terms & ConditionsAccessibility statement