Description
This article describes how to assign different administrator profiles to multiple remote administrators based on Active Directory group membership and Vendor Specific Attributes (VSAs) returned by RADIUS.
Scope
FortiGate administration via HTTPS or SSH, Active Directory, RADIUS, and DUO Authentication Proxy
Solution
Remote authentication (LDAP, RADIUS, TACACS+) can be used for administrator logins to the FortiGate over HTTPS and SSH.
The wildcard administrator option reduces the number of administrator accounts that have to be created on the FortiGate: a single wildcard account serves every user the remote server authenticates as a member of its group.
Active Directory group membership and RADIUS attributes can then be used to assign different administrator profiles for more granular control.
To increase security, multi-factor authentication (MFA) is widely deployed, and many solutions provide it (FortiToken, email, SMS, DUO, Okta, Azure, and so on).
This article focuses on the DUO Authentication Proxy.
If DUO is already configured as the MFA solution for SSL-VPN users, no change is needed on the DUO side; see the DUO documentation below. Otherwise, follow the instructions in that document up to the section 'Start the Proxy'.
https://duo.com/docs/fortinet#overview
Configuration Steps in FortiGate if LDAP (ad_client) is used:
FortiGate IP: 172.16.1.15
Primary DC: 172.16.1.10
Secondary DC: 172.16.1.5
DUO Proxy Auth: 172.16.1.13
1) Configure the remote authentication timeout if not already done. The default of 5 seconds is too short for MFA, because the proxy cannot answer until the user has completed the second factor; 60 seconds gives the user time to respond.
# config system global
set remoteauthtimeout 60
end
2) Create an LDAP server entry pointing to the server where the DUO Authentication Proxy is installed. The FortiGate binds to the proxy, which forwards the request to the domain controllers and adds the second factor. 'ENC' in the output below stands for the encrypted bind password as displayed in a configuration dump; enter the plain password when configuring.
# config user ldap
edit "DUO-LDAP"
set server "172.16.1.13"
set cnid "sAMAccountName"
set dn "dc=colombas,dc=lab"
set type regular
set username "cn=administrator,cn=users,dc=colombas,dc=lab"
set password ENC
next
end
3) Create user groups as desired. Two groups, 'DUO-Admins-LDAP-Level3' and 'DUO-Admins-LDAP-Level2', are used in this example, each with the LDAP server as member and a match entry for the corresponding Active Directory group.
4) Create administrator profiles as desired. This example uses 'Level3' and 'Level2'.
5) Create one wildcard administrator per profile and assign the profile and the remote user group.
# config system admin
edit "DUO-Admins-LDAP-Level3"
set remote-auth enable
set accprofile "Level3"
set vdom "root"
set wildcard enable
set remote-group "DUO-Admins-LDAP-Level3"
next
end
# config system admin
edit "DUO-Admins-LDAP-Level2"
set remote-auth enable
set accprofile "Level2"
set vdom "root"
set wildcard enable
set remote-group "DUO-Admins-LDAP-Level2"
next
end
6) For reference, the DUO authproxy configuration file should look like this.
Configuration Steps in FortiGate if RADIUS (radius_client) is used:
FortiGate IP: 172.16.1.15
Primary DC: 172.16.1.10
Secondary DC: 172.16.1.5
NPS RADIUS Server: 172.16.1.10
DUO Proxy Auth: 172.16.1.13
1) Configure the remote authentication timeout if not already done. The default of 5 seconds is too short for MFA, because the proxy cannot answer until the user has completed the second factor; 60 seconds gives the user time to respond.
# config system global
set remoteauthtimeout 60
end
2) Create a RADIUS server entry pointing to the server where the DUO Authentication Proxy is installed. 'ENC' in the output below stands for the encrypted shared secret as displayed in a configuration dump; enter the plain secret when configuring.
# config user radius
edit "DUO-Radius"
set server "172.16.1.13"
set secret ENC
set auth-type ms_chap_v2
next
end
3) If VSAs will override the profile, a single user group is enough; otherwise create one group per profile, as in the LDAP section. The 'group-name' in the match entry must equal the Fortinet-Group-Name VSA value returned by the RADIUS server.
# config user group
edit "DUO-Admins-Radius"
set member "DUO-Radius"
config match
edit 1
set server-name "DUO-Radius"
set group-name "DUO-Admins-FGT1"
next
end
next
end
4) Create administrator profiles as desired.
5) Create the wildcard administrator and assign the fallback profile and the remote user group.
# config system admin
edit "DUO-Admins-Radius"
set remote-auth enable
set accprofile "admin_no_access"
set vdom "root"
set wildcard enable
set remote-group "DUO-Admins-Radius"
set accprofile-override enable
set radius-vdom-override enable
next
end
Note:
'set accprofile-override enable' and 'set radius-vdom-override enable' only take effect if the RADIUS server returns the corresponding attributes (Fortinet-Access-Profile and Fortinet-Vdom-Name).
If accprofile-override is not enabled, every member of the group receives the profile assigned to the wildcard administrator ('admin_no_access' here, so that a login whose RADIUS reply carries no usable profile attribute gets no access rather than a privileged profile).
6) For reference, the DUO authproxy configuration file should look like this. The attributes that NPS returns must be passed through by the proxy to the FortiGate; this is controlled in the proxy's [radius_client] section (see 'pass_through_all' and 'pass_through_attr_names' in the DUO Authentication Proxy reference).
Microsoft NPS Configuration:
1) Define the DUO Proxy as a RADIUS client (the proxy, not the FortiGate, is the client that NPS sees).
2) Define a Connection Request Policy. If there are several, a condition on the DUO Proxy server IP address keeps them apart.
3) Define a Network Policy for each Active Directory group as needed.
4) Add the Fortinet VSAs for Group Name (Fortinet-Group-Name) and Access Profile (Fortinet-Access-Profile), and optionally the VDOM VSA (Fortinet-Vdom-Name).
5) Define another Network Policy for the other groups with the same Group Name VSA but a different Access Profile VSA.
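The VSA handling from NPS steps 4 and 5 above, and the 'accprofile-override' / 'radius-vdom-override' note in the FortiGate RADIUS steps, can be seen on the wire with the following Python example. It is added here for illustration and is not code from this article, from Fortinet or from DUO. It builds the attribute list of an Access-Accept as NPS would return it (a constructed sample, with a Reply-Message included to show non-Fortinet attributes being skipped), decodes the Fortinet Vendor-Specific attributes, and models the decision the article describes: match Fortinet-Group-Name against the user group's 'config match' entry, then apply the profile and VDOM overrides only when the attribute is present. The vendor ID 12356 and the sub-type numbers (Fortinet-Group-Name 1, Fortinet-Vdom-Name 3, Fortinet-Access-Profile 6) are taken from the Fortinet RADIUS dictionary. The fallback to the wildcard administrator's own profile when an override is enabled but the attribute is absent is an assumption of this model, and the WildcardAdmin class and GROUP_MATCH table are illustrative, not FortiOS structures.

```python
"""Fortinet RADIUS VSAs: encode as NPS would, decode as the FortiGate must.

Added example, not Fortinet or DUO code. Vendor ID and sub-types come from
the Fortinet RADIUS dictionary; the decision model follows the KB article.
"""
import struct
from dataclasses import dataclass

RADIUS_ATTR_REPLY_MESSAGE = 18
RADIUS_ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 section 5.26
FORTINET_VENDOR_ID = 12356            # Fortinet enterprise number

# Vendor sub-types from the Fortinet RADIUS dictionary.
FORTINET_GROUP_NAME = 1
FORTINET_VDOM_NAME = 3
FORTINET_ACCESS_PROFILE = 6


def encode_attribute(attr_type, data):
    """RADIUS attribute TLV: Type(1) Length(1, header included) Value."""
    if len(data) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def encode_fortinet_vsa(sub_type, value):
    """Vendor-Specific value: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String."""
    data = value.encode()
    vendor_data = struct.pack("!IBB", FORTINET_VENDOR_ID, sub_type, len(data) + 2) + data
    return encode_attribute(RADIUS_ATTR_VENDOR_SPECIFIC, vendor_data)


def decode_fortinet_vsas(attributes):
    """Walk an attribute list; return {sub_type: value} for Fortinet VSAs only."""
    found = {}
    pos = 0
    while pos < len(attributes):
        if len(attributes) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attributes[pos], attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            raise ValueError("invalid attribute length")
        value = attributes[pos + 2:pos + attr_len]
        pos += attr_len
        # Skip non-VSA attributes and VSAs of other vendors.
        if attr_type != RADIUS_ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        vpos = 4   # one VSA may carry several sub-attributes back to back
        while vpos < len(value):
            if len(value) - vpos < 2:
                raise ValueError("truncated vendor sub-attribute")
            sub_type, sub_len = value[vpos], value[vpos + 1]
            if sub_len < 2 or vpos + sub_len > len(value):
                raise ValueError("invalid vendor sub-attribute length")
            found[sub_type] = value[vpos + 2:vpos + sub_len].decode()
            vpos += sub_len
    return found


@dataclass(frozen=True)
class WildcardAdmin:
    """Illustrative stand-in for the 'config system admin' fields that matter."""
    name: str
    remote_group: str
    accprofile: str          # fallback profile
    vdom: str
    accprofile_override: bool = False
    radius_vdom_override: bool = False


# Illustrative table of the step 3 'config match' entries: user group -> group names.
GROUP_MATCH = {"DUO-Admins-Radius": {"DUO-Admins-FGT1"}}

# The wildcard administrator from step 5 of the article.
STEP5_ADMIN = WildcardAdmin(
    name="DUO-Admins-Radius", remote_group="DUO-Admins-Radius",
    accprofile="admin_no_access", vdom="root",
    accprofile_override=True, radius_vdom_override=True,
)


def resolve_admin_session(vsas, admins):
    """Model of the decision described in the article (assumption: an enabled
    override with no attribute present falls back to the configured value)."""
    group = vsas.get(FORTINET_GROUP_NAME)
    for admin in admins:
        if group not in GROUP_MATCH.get(admin.remote_group, ()):
            continue
        profile = admin.accprofile
        if admin.accprofile_override and FORTINET_ACCESS_PROFILE in vsas:
            profile = vsas[FORTINET_ACCESS_PROFILE]
        vdom = admin.vdom
        if admin.radius_vdom_override and FORTINET_VDOM_NAME in vsas:
            vdom = vsas[FORTINET_VDOM_NAME]
        return {"admin": admin.name, "accprofile": profile, "vdom": vdom}
    return None   # no group match: the login is rejected


def sample_access_accept_attributes():
    """Constructed attribute list, as NPS would return it for a Level3 admin."""
    return (
        encode_attribute(RADIUS_ATTR_REPLY_MESSAGE, b"welcome")
        + encode_fortinet_vsa(FORTINET_GROUP_NAME, "DUO-Admins-FGT1")
        + encode_fortinet_vsa(FORTINET_ACCESS_PROFILE, "Level3")
    )


if __name__ == "__main__":
    vsas = decode_fortinet_vsas(sample_access_accept_attributes())
    print(vsas)
    print(resolve_admin_session(vsas, [STEP5_ADMIN]))
```

Run as a script it prints the decoded VSAs and the resulting profile. The byte layout produced by encode_fortinet_vsa is what appears in a packet capture of the Access-Accept between the DUO Proxy and the FortiGate, which is the quickest way to check whether NPS returned the attributes and whether the proxy passed them through.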
Verification:
With the above configuration in place, remote administrators can log in and are assigned the intended administrator profile.
Active administrator sessions can be viewed from the 'Administrators' widget on the default 'Status' dashboard.
Active sessions can also be listed from the CLI, but the profile associated with each session is not displayed:
FGT1-A # get system info admin status
The command used to disconnect an administrator session does show the profiles when its argument is queried with '?':
FGT1-A # execute disconnect-admin-session ?
The same command, given a session index, disconnects that session.
Troubleshooting:
Failed and successful attempts can be checked under 'Log & Report' > 'System Events'.
Authentication debugging information can be checked from the CLI with the commands below (disable debugging when finished):
# diagnose debug console timestamp enable
# diagnose debug application fnbamd -1
# diagnose debug enable
Copyright 2025 Fortinet, Inc. All Rights Reserved.