Technical Tip: How to configure ZTNA Session Based Authentication with MFA token

This article describes how to configure ZTNA Session Based Authentication with MFA Token.

During this setup, it was necessary to deploy the Session based form authentication with MFA.

This document is for log in with support for MFA (FortiToken).

Versions.

EMS: 7.0.7
FortiClient: 7.0.7

FortiGate: 7.0.6

This type of Session/form based authentication requires MFA and allows users to log in to internal resources.

This can be applied to local and remote users.

Lab Setup:

1) From the client machine, ensure it is able to resolve the domains and the portal domain:

2) It is possible to use LDAP user or local user with FortiToken:

-  Enable 2FA with Token or use Local User Group with 2FA as per lab test below:

Username is abcd

Usergroup is LocalEMS

3) Configure ZTNA Authentication Scheme.

If using LDAP:

# config authentication scheme
    edit "ZNTA_Auth_Scheme"
        set method form
        set require-tfa enable
        set user-database "LDAPsvr"

If using Local User:

edit "LocalZTNA"
    set method form
    set require-tfa enable
    set user-database "local-user-db"
next

These are required:

set method form
set require-tfa enable

4) Configure ZTNA server as per the diagram above.

5) Create an access proxy virtual host that points to the ZTNA access proxy.

The client will be redirected to this page for form authentication:

# config firewall access-proxy-virtual-host
    edit "auth-portal-vhost"
        set ssl-certificate "ztna-wildcard"
        set host "authportal.ztnademo.com"
    next
end

6) Enable auth-portal on the access proxy and point it to the virtual host:

# config firewall access-proxy
    edit "ZTNA_S1"
        set auth-portal enable
        set auth-virtual-host "auth-portal-vhost"
    next
end

7) Finally Create a ZTNA rule to allow the flow. 

- It possible to use the ZTNA tagging as well to create matching:

Testing.

1) Test local local user with a Token prompt.

Saga-kvm24 # diag test authserver local LocalEMS abcd xxxxxx
Token Code:******
authenticate user 'abcd' in group 'LocalEMS' succeeded

2) Ensure FortiClient is connected to the EMS telemetry and gets the right tag assigned.

3) Access the website to trigger the authportal site.

- Ensure Certificate gets prompted for the FortiClient <> EMS cert authentication portion:

It will be redirected to the Auth Portal Page:

Once accepted:

Apply the credentials and Token and it will bring the request to the backend webserver:

Successfully able to load internal Webserver:

Troubleshooting commands:

# diag debug application sslvpn -1
# diag debug application fnbamd -1
# diag debug application fcnacd -1
# diag endpoint fctems test-connectivity xxx
# execute fctems verify xxx
# diag test application fcnacd 2

# diag endpoint record list x.x.x.x

# diag firewall dynamic list

WAD debug:

# diag wad debug enable cat all
# diag wad debug enable level verbose
# diag debug enable

Related document:

https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/591056/ztna-session-based-fo...