piven8
New Contributor

FortiAuthenticator vs. M365 vs. Other MFA Options

I’m helping a small business set up MFA to meet cybersecurity insurance requirements they’ll be subject to soon. They have one location and are a heavy Fortinet shop. FortiGate, FortiSwitches, FortiAPs, FortiRecorder, etc. They are also a Microsoft shop with a handful of servers, on-prem AD domain controller, Microsoft 365, and Azure AD Connect cloud sync to sync user accounts. They are generally willing to spend to get the right technology to run their business, so cost isn’t a big concern here. They have around 30 user accounts. To meet the new MFA requirement, would you do FortiAuthenticator, use Microsoft 365’s MFA capabilities, or do something else entirely? Two more bits of info: some users exist in on-prem AD but not M365, and the on-prem AD isn’t going away any time soon because they have it integrated with their Synology, Trane HVAC controls, and something else I’m not thinking of.

rbraha
Staff

Hi @piven8

In order to use FAC integration with SAML using Office 365 with MFA, please check the documentation below:

https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/878737/office-365-saml-authenti...

For other users that are in on-premise AD, you can use SSL VPN authentication with FAC and MFA enabled for AD users; please check the KB below:

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Guide-to-setting-up-FortiGate-SSL...

xsilver_FTNT
Staff

FortiAuthenticator, FAC in short and hereinafter, is definitely a step up towards centralized user management and IAM in general.

It could be used to learn users from AD, automatically sync them into FAC and enhance them with FortiTokens automatically assigned to those users, either HW tokens like the 200B model or mobile tokens.

It could be set up so that it cooperates with O365 and Microsoft Azure and enhances those users with tokens for 2FA authentication. Kindly see the first link @rbraha posted for more details (docs.fortinet.com, FortiAuthenticator Examples/Cookbook).
That cookbook contains a lot more.

Besides tokens directly on FAC (or FortiGate [FGT]) you can use:

- FortiToken Cloud solution, with pay-as-you-need pricing for just the number of tokens you need

- 3rd-party tokens like FIDO tokens, as those can be used in FAC as well

- 3rd-party servers like DUO, generally any 2FA/MFA RADIUS-based service, as FAC can chain that 3rd-party RADIUS MFA into a Realm with LDAP, so user credentials will be authenticated against that LDAP, like your MS AD, and upon successful authentication that RADIUS server will be contacted to verify the 2nd (additional) factor.
More on chaining in the Admin Guide: https://docs.fortinet.com/document/fortiauthenticator/6.5.3/administration-guide/485114/realms

[Image: fac-chained-RADIUS-MFA.jpg]

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
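As an added illustration of the chaining order described in the reply above (a small model written for this page, not FortiAuthenticator code or any Fortinet product behaviour): an LDAP realm is consulted first, and only a successful password bind causes the chained RADIUS MFA server to be asked about the second factor. The directory contents, OTP values and the `"timeout"` result are constructed for the example.

```python
"""Model of a chained realm: primary LDAP password check, then a chained
RADIUS server for the second factor. Constructed example, not product code."""
from dataclasses import dataclass, field


@dataclass
class LdapDirectory:
    """Stand-in for the on-prem AD; constructed username -> password map."""
    users: dict

    def bind(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


@dataclass
class RadiusMfa:
    """Stand-in for a 3rd-party MFA RADIUS server; constructed user -> valid OTP."""
    otps: dict
    reachable: bool = True

    def access_request(self, user: str, otp: str) -> str:
        """Returns 'accept', 'reject', or 'timeout' (server unreachable)."""
        if not self.reachable:
            return "timeout"
        return "accept" if self.otps.get(user) == otp else "reject"


@dataclass
class ChainedRealm:
    ldap: LdapDirectory
    radius: RadiusMfa
    audit: list = field(default_factory=list)  # (user, outcome) per attempt

    def authenticate(self, user: str, password: str, otp: str) -> bool:
        # Stage 1: credentials against LDAP. Stage 2 never runs when this
        # fails, so a wrong password reveals nothing about the second factor.
        if not self.ldap.bind(user, password):
            self.audit.append((user, "ldap-reject"))
            return False
        # Stage 2: ask the chained RADIUS server to verify the additional factor.
        result = self.radius.access_request(user, otp)
        self.audit.append((user, "radius-" + result))
        # Fail closed: an unreachable MFA server is a denial, not a bypass.
        return result == "accept"


def build_demo_realm() -> ChainedRealm:
    """One constructed user with a constructed password and OTP."""
    return ChainedRealm(LdapDirectory({"alice": "correct-horse"}),
                        RadiusMfa({"alice": "123456"}))
```

The audit trail is what a defender would forward to a SIEM: an `ldap-reject` with no following `radius-*` entry is a password failure, while `radius-timeout` entries mean MFA was unavailable and logins were denied rather than silently passed.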
