FortiGate
Anonymous
Article Id 226318
Description

This article describes how to configure ZTNA Session-Based Authentication with MFA Token.

Scope

This setup deploys session-based form authentication with MFA for ZTNA access.

 

Versions used in this lab for logging in with MFA (FortiToken) support:

EMS: v7.0.7.
FortiClient: v7.0.7.
FortiGate: v7.0.6.

Solution

This type of Session/form-based authentication requires MFA and allows users to log in to internal resources.

This can be applied to local and remote users.

 

Lab Setup:

 

(screenshot: lab topology diagram)

 

From the client machine, ensure it can resolve both the application domain and the auth portal domain (authportal.ztnademo.com in this lab); both must resolve to the ZTNA access proxy VIP:

 

(screenshot: DNS resolution check from the client)

 

An LDAP user, a RADIUS user, or a local user with FortiToken can be used:

 

(screenshots: LDAP user, RADIUS user, and local user with FortiToken configuration)

 

Enable two-factor authentication with a FortiToken on the user, or place the user in a local user group with two-factor authentication enabled, as in the lab below:

  

(screenshot: local user abcd with FortiToken, member of group LocalEMS)

 

Username is abcd.

Usergroup is LocalEMS.

 

Configure the ZTNA authentication scheme.

 

If using LDAP:

config authentication scheme
    edit "ZTNA_Auth_Scheme"
        set method form
        set require-tfa enable
        set user-database "LDAPsvr"
    next
end

If using a local user:

config authentication scheme
    edit "LocalZTNA"
        set method form
        set require-tfa enable
        set user-database "local-user-db"
    next
end

In both cases these two settings are required; require-tfa enable enforces the second factor for every login through this scheme:

set method form
set require-tfa enable

Configure the authentication rule. The active-auth-method must reference the scheme created above (ZTNA_Auth_Scheme here, or LocalZTNA for the local user case). ip-based disable together with web-auth-cookie enable is what makes the authentication session-based: the login is bound to a browser session cookie rather than to the client source IP:

config authentication rule
    edit "ztna_form_rule"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "ZTNA_Auth_Scheme"
        set web-auth-cookie enable
    next
end

 

Configure the ZTNA server as per the diagram above.

 

(screenshots: ZTNA server and server mapping configuration)

 

Create an access proxy virtual host that points to the ZTNA access proxy. The client is redirected to this host name for form authentication, so the host must be covered by the certificate assigned here and must resolve to the access proxy VIP:


config firewall access-proxy-virtual-host
    edit "auth-portal-vhost"
        set ssl-certificate "ztna-wildcard"
        set host "authportal.ztnademo.com"
    next
end

 

Enable auth-portal on the access proxy and point it to the virtual host:


config firewall access-proxy
    edit "ZTNA_S1"
        set auth-portal enable
        set auth-virtual-host "auth-portal-vhost"
    next
end

 

Create a ZTNA rule (a proxy policy of type access-proxy) to allow the flow. ZTNA tags from EMS can be used as an additional match condition:

 

(screenshot: ZTNA rule allowing the flow, optionally matching on the EMS ZTNA tag)
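The ZTNA server and the ZTNA rule are shown above only as screenshots. The following CLI equivalent is an added example for this lab, not taken from the original article; the VIP address 10.0.0.100, the interface port1, the backend web server 192.168.10.20:443, the policy name ZTNA_S1_allow and the EMS tag address name EMS1_ZTNA_Low are assumed values and must be replaced with those of the real environment. The access proxy name ZTNA_S1, the certificate ztna-wildcard, the virtual host auth-portal-vhost and the group LocalEMS are the ones used elsewhere in this article.

```fortios
# Added example (not from the original article). Assumed values:
# VIP 10.0.0.100 on port1, backend 192.168.10.20:443,
# EMS tag address "EMS1_ZTNA_Low", policy name "ZTNA_S1_allow".

# ZTNA server: a VIP of type access-proxy that terminates TLS with the
# same wildcard certificate used by the auth portal virtual host.
config firewall vip
    edit "ZTNA_S1_vip"
        set type access-proxy
        set extip 10.0.0.100
        set extintf "port1"
        set server-type https
        set extport 443
        set ssl-certificate "ztna-wildcard"
    next
end

# Access proxy: client certificate check (FortiClient <> EMS) enabled,
# auth portal attached, one API gateway mapping "/" to the backend.
config firewall access-proxy
    edit "ZTNA_S1"
        set vip "ZTNA_S1_vip"
        set client-cert enable
        set auth-portal enable
        set auth-virtual-host "auth-portal-vhost"
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 192.168.10.20
                        set port 443
                    next
                end
            next
        end
    next
end

# ZTNA rule: a proxy policy of type access-proxy. The groups entry is what
# triggers the form authentication rule/scheme for this flow; ztna-ems-tag
# adds the EMS posture tag as a second, independent match condition.
config firewall proxy-policy
    edit 1
        set name "ZTNA_S1_allow"
        set proxy access-proxy
        set access-proxy "ZTNA_S1"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Low"
        set action accept
        set schedule "always"
        set groups "LocalEMS"
        set logtraffic all
    next
end
```

With this combination a request must pass three checks in order: a valid EMS-issued client certificate on the TLS handshake, the EMS tag match on the proxy policy, and the form login with the second factor. Removing the groups entry from the proxy policy silently drops the form authentication step, so verify it is present when testing.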

 

Testing

Test the local user from the CLI; the FortiToken prompt should appear:

 

Saga-kvm24 # diagnose test authserver local LocalEMS abcd xxxxxx
Token Code:******
authenticate user 'abcd' in group 'LocalEMS' succeeded

 

Ensure FortiClient is connected to EMS telemetry and has the correct tag assigned:

 

(screenshot: FortiClient connected to EMS with the ZTNA tag assigned)

 

Access the internal web server from the client to trigger the auth portal. Ensure the certificate prompt appears for the FortiClient <> EMS client certificate authentication portion:

 

(screenshot: browser client certificate prompt)

 

The browser is then redirected to the auth portal page:

 

(screenshot: redirect to the auth portal page)

 

Once accepted:

 

(screenshot: auth portal login form)

 

Enter the credentials and the token; the request is then proxied to the backend web server:

 

(screenshot: FortiToken code prompt on the auth portal)

 

The internal web server loads successfully:

 

(screenshot: internal web server page loaded through ZTNA)

 

Troubleshooting commands (xxx is the EMS server name configured on the FortiGate; x.x.x.x is the client endpoint IP):

 

diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug application fcnacd -1
diagnose endpoint fctems test-connectivity xxx
execute fctems verify xxx
diagnose test application fcnacd 2

diagnose endpoint record list x.x.x.x

diagnose firewall dynamic list

 

WAD debug:

 

diagnose wad debug enable cat all
diagnose wad debug enable level verbose
diagnose debug enable

 

Debug output at this level is verbose and affects performance, so stop it as soon as the capture is complete, using the commands given below:

 

diagnose debug disable

diagnose debug reset

 

RADIUS authentication with FortiToken works only if the FortiToken is hosted on the FortiGate itself. RADIUS with a FortiToken or other MFA hosted on FortiAuthenticator or on a third-party RADIUS server is not supported for this form-based flow. Use SAML authentication to use a FortiToken hosted on FortiAuthenticator.

 

Related document:

ZTNA session-based form authentication