Matt_B
Staff & Editor
Article Id 424015
Description

This article demonstrates how to configure a dial-up IPsec VPN using IKEv2 and Multi-Factor Authentication (MFA) with Duo authentication proxy.

Scope

FortiOS v6.2.4 and later, dial-up IKEv2 VPN.
Solution

This article refers to non-SSO authentication. For an example of a VPN deployment using SSO authentication, see Technical Tip: How to configure Microsoft Entra ID SAML authentication for Dial-up IPsec VPN.

This article is a companion article to Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA, demonstrating how to integrate third-party MFA in place of FortiToken Mobile.

Requirements:

  • VPN client supporting EAP-MSCHAPv2 authentication (e.g. FortiClient v6.2.1 or later).
  • FortiOS v6.2.4 or later.
  • Third-party RADIUS authentication proxy supporting EAP-MSCHAPv2 (e.g. Duo Authentication Proxy v6.5.1 or later).
  • NPS Server.

[Image: Duo_auth_proxy_eap.png]

Configure the Duo application:


Refer to the third-party article Duo Two-Factor Authentication with RADIUS and Primary Authentication for basic steps.

  1. Enroll one or more MFA users in Duo, see the third-party reference Enrolling Users. Optionally, assign the user(s) to a Duo user group for ease of administration.
  2. Go to Applications -> Applications -> Search for RADIUS or 'FortiGate SSL VPN'.

    [Image: duo_admin_02.png]
    [Image: duo_admin_01.png]

Note: the 'support ending' flag on the 'Fortinet FortiGate SSL VPN' Duo application refers to Duo support for the traditional Duo Prompt using iFrame, which IKEv2 does not use. See the third-party reference Guide to Traditional Duo Prompt End of Support for more information. It is possible to use either application template to configure the Duo application for IKEv2.

  3. Note the Integration Key, Secret Key, and API hostname of the application. The secret key is sensitive and should only be entered in the authentication proxy configuration.

[Image: duo_admin_05mod.png]

Configure the Duo authentication proxy:

  1. Install Duo authentication proxy on a Windows or Linux server and verify the proxy version. Note that the proxy must be at least version 6.5.1 or 6.6.0 to support EAP-MSCHAPv2. See the third-party reference: Does the Duo Authentication Proxy support EAP or PEAP?

    [Image: duo version.png]

  2. Configure the Authentication Proxy by editing the authproxy.cfg file:

; CLIENTS: Include one or more of the following configuration sections.
; To configure more than one client configuration of the same type, append a
; number to the section name (e.g. [ad_client2])

[ad_client] <-- ad_client information is left blank.
host=
service_account_username=
service_account_password=
search_dn=

[radius_client]
host=172.16.1.10 <-- NPS IP address.
secret=DUO_NPS_RADIUS_secret
pass_through_all=true <-- Only required if the configured NPS RADIUS VSA, such as Fortinet-Group-Name, should be forwarded from NPS to FortiGate; see Technical Tip: Configuring FortiGate and Microsoft NPS (Radius with AD authentication).

; SERVERS: Include one or more of the following configuration sections.
; To configure more than one server configuration of the same type, append a
; number to the section name (e.g. radius_server_auto1, radius_server_auto2)

[radius_server_auto]
ikey=****************NDY3 <-- Duo application integration key.
skey=************************************aIAX <-- Duo application secret key.
api_host=api-abcdef12.duosecurity.com <-- Duo application API hostname.
radius_ip_1=172.16.1.15 <-- FortiGate NAS IP address.
radius_secret_1=DUO_FGT_RADIUS_secret
failmode=safe
client=radius_client <-- Not ad_client.
force_message_authenticator=true <-- Message-Authenticator should be enabled on both FortiGate and Duo, or disabled on both.

By default, Message-Authenticator is disabled on the Duo authentication proxy and enabled on FortiGate. See the article Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5/v7.6....

If needed, secrets in this file can be encrypted. See the third-party reference How do I use the Duo Authentication Proxy password encryption tool?

  3. Start or restart the Authentication Proxy service.

[Image: duo_service.png]
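What force_message_authenticator on the proxy and require-message-authenticator on the FortiGate actually enforce is the RADIUS Message-Authenticator attribute (RFC 2869 section 5.14): an HMAC-MD5, keyed with the shared RADIUS secret, over the whole packet with the attribute value zero-filled. The following Python is an added illustration, not Duo or Fortinet code; it builds a constructed Access-Request with the article's shared secret, then shows how a receiver that requires the attribute behaves on a valid, a tampered and an unsigned packet. For a response (Access-Accept, Access-Reject or Access-Challenge) the same HMAC is computed with the Request Authenticator of the matching request in the Authenticator field; the code takes that value as a parameter so the same routine covers both directions.

```python
"""RADIUS Message-Authenticator (RFC 2869 section 5.14) built and verified.

Added example, not Duo or Fortinet code.  Models the check that the two
settings on this page govern.  All packet contents are constructed.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Authenticator(16)
MAC_LEN = 16             # HMAC-MD5 digest length


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def sign_packet(code: int, identifier: int, authenticator: bytes,
                attributes: list, secret: bytes) -> bytes:
    """Assemble a packet and append a valid Message-Authenticator.

    The HMAC is computed with the attribute present but zero-filled, then the
    zeros are replaced by the digest.  For a response, 'authenticator' is the
    Request Authenticator of the request being answered.
    """
    attrs = b"".join(attributes) + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(MAC_LEN))
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + authenticator
    digest = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-MAC_LEN] + digest


def find_message_authenticator(packet: bytes):
    """Return the offset of the Message-Authenticator value, or None if absent."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == MAC_LEN + 2:
            return pos + 2
        pos += attr_len
    return None


def verify_message_authenticator(packet: bytes, secret: bytes, required: bool = True) -> bool:
    """Receiver-side check.

    required=True is a peer that insists on the attribute (FortiGate with
    require-message-authenticator enabled): a packet without it is rejected.
    required=False accepts such a packet unchecked, which is why the proxy
    and the FortiGate must agree on the setting.
    """
    offset = find_message_authenticator(packet)
    if offset is None:
        return not required
    received = packet[offset:offset + MAC_LEN]
    zeroed = packet[:offset] + bytes(MAC_LEN) + packet[offset + MAC_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Exercise signed, wrong-secret, tampered and unsigned cases (constructed values)."""
    secret = b"DUO_FGT_RADIUS_secret"          # shared secret from the article
    request_authenticator = bytes(range(16))   # constructed; real ones are random
    attrs = [attribute(ATTR_USER_NAME, b"alice"),
             attribute(ATTR_NAS_IP_ADDRESS, bytes([172, 16, 1, 15]))]
    signed = sign_packet(CODE_ACCESS_REQUEST, 7, request_authenticator, attrs, secret)
    # Flip the first byte of the User-Name value ('alice' -> 'blice')
    tampered = signed[:HEADER_LEN + 2] + b"b" + signed[HEADER_LEN + 3:]
    # Same request with no Message-Authenticator attribute at all
    body = b"".join(attrs)
    unsigned = (struct.pack("!BBH", CODE_ACCESS_REQUEST, 7, HEADER_LEN + len(body))
                + request_authenticator + body)
    return {
        "signed_ok": verify_message_authenticator(signed, secret),
        "wrong_secret": verify_message_authenticator(signed, b"other-secret"),
        "tampered": verify_message_authenticator(tampered, secret),
        "unsigned_required": verify_message_authenticator(unsigned, secret, required=True),
        "unsigned_optional": verify_message_authenticator(unsigned, secret, required=False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The last two cases are the mismatch the article warns about: a proxy left at its default sends no Message-Authenticator, and a FortiGate that requires one rejects the packet, so authentication fails even though the secret and the user are correct.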


Configure NPS server:

The NPS configuration is similar to Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA, replacing the FortiGate IP address and secret with those of the Duo authentication proxy.

[Image: nps_01.png]
[Image: NPS_02.png]

FortiOS configuration:

FortiGate configuration is similar to Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA, with the following differences:

RADIUS server configuration references the Duo authentication proxy IP address and uses the RADIUS secret shared between Duo and FortiGate:

config user radius
    edit "Duo-Proxy"
        set server "172.16.1.22"
        set secret DUO_FGT_RADIUS_secret
        set timeout 60 <-- Extended to allow for third-party MFA.
        set nas-ip 172.16.1.15
        set require-message-authenticator { enable | disable } <-- Must match the force_message_authenticator setting in authproxy.cfg.
    next
end

Since no FortiToken is assigned, no remote RADIUS user is defined. Instead, the user group references the RADIUS server directly:

config user group
    edit "Escalations-Radius-DC1"
        set member "Duo-Proxy"
    next
end

Since the FortiGate is not aware of the MFA taking place, the global remoteauthtimeout must be extended:

config system global
    set remoteauthtimeout 60
end
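The three places where this configuration can silently disagree with the proxy are the shared secret and NAS IP, the Message-Authenticator enforcement setting on each side, and the two timeouts. The following Python is an added consistency check, not Duo or Fortinet code: it parses a constructed authproxy.cfg and the FortiOS CLI from this section (both built from the article's values, with placeholder Duo keys) and reports any mismatch. The FortiOS parser handles only the flat config/edit/set/next/end blocks used here, and the 60-second minimum is a parameter defaulting to the value the article configures, not a Fortinet requirement.

```python
"""Cross-check authproxy.cfg against the FortiOS RADIUS configuration.

Added example, not Duo or Fortinet code.  Both configuration texts are
constructed from the article's values; Duo keys are placeholders.
"""
import configparser
import shlex

AUTHPROXY_CFG = """
[radius_client]
host=172.16.1.10
secret=DUO_NPS_RADIUS_secret
pass_through_all=true

[radius_server_auto]
ikey=PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=api-abcdef12.duosecurity.com
radius_ip_1=172.16.1.15
radius_secret_1=DUO_FGT_RADIUS_secret
failmode=safe
client=radius_client
force_message_authenticator=true
"""

FORTIOS_CFG = """
config user radius
    edit "Duo-Proxy"
        set server "172.16.1.22"
        set secret DUO_FGT_RADIUS_secret
        set timeout 60
        set nas-ip 172.16.1.15
        set require-message-authenticator enable
    next
end
config system global
    set remoteauthtimeout 60
end
"""


def parse_fortios(text: str) -> dict:
    """Parse flat FortiOS CLI into {table: {entry: {key: value}}}; entry '' holds table-level sets."""
    tree, table, entry = {}, None, ""
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            table, entry = " ".join(parts[1:]), ""
            tree.setdefault(table, {}).setdefault("", {})
        elif kw == "edit":
            entry = parts[1]
            tree[table].setdefault(entry, {})
        elif kw == "set":
            tree[table][entry][parts[1]] = " ".join(parts[2:])
        elif kw == "next":
            entry = ""
        elif kw == "end":
            table, entry = None, ""
    return tree


def check(proxy_cfg_text: str, fortios_text: str, min_timeout: int = 60) -> list:
    """Return a list of mismatches; an empty list means the two sides agree."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(proxy_cfg_text)
    if "radius_server_auto" not in cp:
        return ["authproxy.cfg: no [radius_server_auto] section"]
    srv = cp["radius_server_auto"]
    # The article requires client=radius_client (NPS), not ad_client
    if srv.get("client") != "radius_client":
        findings.append(f"authproxy.cfg: client={srv.get('client')!r}, expected radius_client")
    # Proxy default is false; FortiOS default is enable, so an unset pair mismatches
    duo_force = cp.getboolean("radius_server_auto", "force_message_authenticator", fallback=False)

    fos = parse_fortios(fortios_text)
    entries = {name: kv for name, kv in fos.get("user radius", {}).items() if name}
    if not entries:
        findings.append("FortiOS: no 'config user radius' entry found")
    for name, fgt in entries.items():
        if fgt.get("secret") != srv.get("radius_secret_1"):
            findings.append(f"{name}: 'set secret' differs from proxy radius_secret_1")
        if fgt.get("nas-ip") != srv.get("radius_ip_1"):
            findings.append(f"{name}: nas-ip {fgt.get('nas-ip')} != proxy radius_ip_1 {srv.get('radius_ip_1')}")
        fgt_require = fgt.get("require-message-authenticator", "enable") == "enable"
        if fgt_require != duo_force:
            findings.append(f"{name}: require-message-authenticator={'enable' if fgt_require else 'disable'} "
                            f"but proxy force_message_authenticator={str(duo_force).lower()}; "
                            "Message-Authenticator must be enforced on both sides or on neither")
        timeout = int(fgt.get("timeout", "0"))   # unset is treated as 0 so it is flagged
        if timeout < min_timeout:
            findings.append(f"{name}: RADIUS timeout {timeout}s is below the {min_timeout}s allowed for third-party MFA")
    remoteauth = int(fos.get("system global", {}).get("", {}).get("remoteauthtimeout", "0"))
    if remoteauth < min_timeout:
        findings.append(f"system global: remoteauthtimeout {remoteauth}s is below {min_timeout}s")
    return findings


if __name__ == "__main__":
    problems = check(AUTHPROXY_CFG, FORTIOS_CFG)
    print("consistent" if not problems else "\n".join(problems))
```

Run it with the two texts pasted from the real devices (after `show user radius` and `show system global` on the FortiGate) before the first tunnel test; each finding corresponds to one of the failure causes the article calls out, and an empty result means the RADIUS leg between FortiGate and proxy is at least configured consistently.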

 

FortiGate VPN tunnel and firewall policy settings are the same as in the FortiToken MFA use case.


Limitation:
If using third-party MFA, the user must use an out-of-band MFA method such as Duo Push. Third-party MFA servers do not support the customized EAP messages FortiOS uses to trigger an inline OTP prompt on FortiClient.


Related articles:

Technical Tip: FortiOS IKEv2 Dialup VPN User and Multi-factor authentication resources

Technical Tip: FortiOS IKEv2 EAP user authentication operation