| Description |
This article describes how to configure ZTNA Session-Based Authentication with MFA Token. |
| Scope |
During this setup, it was necessary to deploy the Session-based form authentication with MFA.
For logging in with support for MFA (FortiToken): EMS: v7.0.7. FortiGate: v7.0.6. |
| Solution |
FortiGate ZTNA supports authenticating users to HTTPS and TCP Forward-Access Proxy protected resources using username/password plus FortiToken-based multi-factor authentication (MFA). Consider the following example topology:
In this example, a ZTNA HTTPS Access Proxy will be configured such that the Remote FortiClient will be able to navigate to 'webserver.ztnademo.com' via TCP port 9443 in a web browser and access the protected Web Server via FortiGate ZTNA. As part of this process, the FortiGate is configured to redirect the user to 'authportal.ztnademo.com' so that the user may authenticate to ZTNA using LDAP and FortiTokens located on the FortiGate itself.
Before ZTNA Setup: Before starting, ensure that the client machine can resolve both the ZTNA access-proxy FQDN and the authentication portal FQDN, and that both resolve to the FortiGate's external IP address:
Additionally, FortiTokens may only be assigned to user entries created on the FortiGate, such as Local Users or Remote LDAP/RADIUS users. The following screenshots show examples of creating a Remote LDAP user entry, which includes adding an LDAP server, creating the Remote LDAP User, and assigning the user to a group:
Note: It is not necessary to put the LDAP server itself into the Remote Groups section of the User Group in this case. Only the individual Remote LDAP user entries need to be added to the FortiGate's User Group, as these entries have the FortiToken MFA tokens associated with them. This is also true in the cases of Local Users on the FortiGate and Remote RADIUS users.
Before beginning ZTNA configuration, make sure that basic authentication is working correctly. For LDAP and RADIUS, this can be done in the GUI by navigating to User & Authentication -> LDAP Servers or RADIUS Servers, respectively, selecting the server entry, then selecting the Test User Credentials button. Alternatively, the diagnose test authserver series of commands in the CLI can be used for testing authentication:
FortiGate # diagnose test authserver ? radius Test RADIUS server. [Take 0-4 arg(s)]
For more information on configuring remote authentication servers, adding user entries to the FortiGate, and enabling FortiToken MFA, check out the following documents from the FortiGate Admin Guide:
Configuring ZTNA Authentication Scheme and Rule ZTNA requires an Authentication Scheme to be setup (which defines how the authentication is conducted and what user database should be checked) as well as an associated Authentication Rule (which defines the conditions for when this authentication should be triggered).
When configuring the Authentication Scheme for MFA-enabled authentication, it is mandatory to use method form and require-tfa, as basic type authentication does not allow for multi-factor authentication (see also: ZTNA session-based form authentication). For authentication with remote servers (e.g., LDAP, RADIUS), specify the associated server here:
config authentication scheme edit 'ZTNA_SCHEME_LDAP' set method form <--- Mandatory to support FortiToken MFA in ZTNA next end
If Local Users are being used for Authentication, then set user-database local-user-db instead:
config authentication scheme edit 'ZTNA_SCHEME_LOCAL' set method form next end
config authentication rule edit 'ZTNA_RULE_LDAP' set srcintf 'any' next end
Configuring ZTNA Server and Proxy Policy The following screenshots show an example ZTNA Server configuration that matches the setup described at the top of the article. For instructions on setting up an HTTPS Access proxy like the following, start by consulting the following document: ZTNA HTTPS access proxy example
 
Important: When configuring form-based authentication as described in this article, it is mandatory to enable set auth-portal in the ZTNA access-proxy settings via the CLI. If this setting is not enabled, then authentication will not succeed and the user will see a web page from the FortiGate stating 'you must authenticate to use this service'. For more information, refer to the following KB article: Technical Tip: FortiGate ZTNA presents authentication error message after configuring session-based ...
Another optional setting is adding auth-virtual-host to the configuration. If this option is not set, then authentication will still succeed, but users will need to authenticate to each ZTNA application individually. By applying an auth-virtual-host entry to the ZTNA access-proxy, users will only need to authenticate to one application and will have single sign-on (SSO) access to all services tied to that ZTNA server (the above KB article discusses this as well).
To configure this, first create an entry under config firewall access-proxy-virtual-host:
config firewall access-proxy-virtual-host edit 'authportal.ztnademo.com' set ssl-certificate 'ztna-wildcard' next end
Enable auth-portal and an auth-virtual-host entry to the ZTNA configuration. The following is based on the screenshots above:
config firewall access-proxy edit 'ZTNA_S1' set vip 'ZTNA_S1' edit 1 set service http edit 1 set ip 10.62.2.218 next end next end next end
Configure a ZTNA-type Proxy Policy under Policy & Objects -> Proxy Policy (in v7.4 and later) or Policy & Objects -> ZTNA -> ZTNA Rules (7.2 and earlier) to allow incoming access to the ZTNA server for authenticated users/groups:
For more information on ZTNA rule creation, including simple vs. full ZTNA policies, refer to the following:
Testing and Verification: Ensure that FortiClient is connected to the EMS telemetry and is receiving the right tags:
In a web browser, navigate to the ZTNA gateway URL (https://webserver.ztnademo.com:9443) to begin the connection. The FortiGate will prompt the user to present the EMS-signed FortiClient certificate for certificate-based authentication:
After providing the certificate, the user will then be redirected to authentication portal (either the auth-virtual-host URL if specified, otherwise the same URL as the ZTNA gateway):
Once the certificate authentication prompt is accepted, the authentication portal will prompt the user for username and password (and token, as long as require-tfa was enabled in the Authentication Scheme):
After supplying valid credentials and the MFA token, the FortiGate will allow the user to access the ZTNA protected web server:
Troubleshooting For guidance with troubleshooting ZTNA, refer to the following sections of the FortiGate Admin Guide:
Note: RADIUS authentication with FortiToken MFA will only work correctly if the FortiToken is hosted on the FortiGate. RADIUS with MFA hosted on external servers (such as FortiAuthenticator or third-party RADIUS servers) is not supported.
For cases where MFA is handled externally to the FortiGate, the recommendation is to use SAML-based authentication instead: ZTNA application gateway with SAML and MFA using FortiAuthenticator example
Related documents |
