I’m helping a small business set up MFA to meet cybersecurity insurance requirements they’ll be subject to soon. They have one location and are a heavy Fortinet shop. FortiGate, FortiSwitches, FortiAPs, FortiRecorder, etc. They are also a Microsoft shop with a handful of servers, on-prem AD domain controller, Microsoft 365, and Azure AD Connect cloud sync to sync user accounts. They are generally willing to spend to get the right technology to run their business, so cost isn’t a big concern here. They have around 30 user accounts. To meet the new MFA requirement, would you do FortiAuthenticator, use Microsoft 365’s MFA capabilities, or do something else entirely? Two more bits of info: some users exist in on-prem AD but not M365, and the on-prem AD isn’t going away any time soon because they have it integrated with their Synology, Trane HVAC controls, and something else I’m not thinking of.
Hi @piven8
In order to use FAC integration with SAML using Office 365 with MFA, please check the below documentation.
For other users that are in the on-premise AD, you can use SSL VPN authentication with FAC and MFA enabled for AD users; please check the below KB.
FortiAuthenticator (FAC for short, and hereinafter) is definitely a step up towards centralized user management and IAM in general.
It could be used to learn users from AD, automatically sync those into FAC, and enhance them with FortiTokens automatically assigned to those users, either HW tokens like the 200B model or mobile tokens.
It could be set up so that it cooperates with O365 and Microsoft Azure and enhances those users with tokens for 2FA authentication. Kindly see the first link @rbraha posted for more details (docs.fortinet.com and the FortiAuthenticator Examples/Cookbook).
That cookbook contains a lot more.
Besides tokens directly on FAC (or FortiGate [FGT]) you can use:
- the FortiToken Cloud solution, pay-as-you-need for just the amount of tokens you need
- 3rd-party tokens like FIDO tokens, as those could be used in FAC as well
- 3rd-party services like DUO servers, generally any 2FA/MFA RADIUS-based service, as FAC can chain that 3rd-party RADIUS MFA into a Realm with LDAP, so user credentials will be authenticated against that LDAP, like your MS AD, and upon successful authentication that RADIUS server will be contacted to verify the 2nd (additional) factor.
More on chaining in the Admin guide: https://docs.fortinet.com/document/fortiauthenticator/6.5.3/administration-guide/485114/realms
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff