- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiClient to FortiGate SSL-VPN using SMS 2FA...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiClient to FortiGate SSL-VPN using SMS 2FA via Azure MFA - group match not supported
Hi all.
I'm hoping someone will be able to advise me on a work around, or an alternative solution, to avoid the following limitations with Microsoft NPS Extension for Azure MFA (without having to implement a completely different solution!):
For context, our customer originally had a FortiClient to FortiGate SSL VPN that utilized LDAP authentication, allowing different levels of network access depending on AD user group membership.
Our customer subsequently moved their AD into Azure cloud and introduced Azure MFA.
Our customer now wants to integrate the existing SSL VPN to with their Azure MFA for 2-factor authentication.
We followed the following Cookbook document to successfully implement this:
For the existing network access based on AD user group membership to work, the NPS server (RADIUS) had to send RADIUS attributes for group membership back to the FortiGate with the Access-Accept. This was achieved using Network Access Policies on the NPS server.
This works exactly how we want when using Push Notification or Phone Call 2FA methods (via Microsoft Authenticator App).
Unfortunately our customer has tried to use the SMS and passcode (MS Authenticator App) methods and reported it didn't work. After looking into it and doing much debugging/testing:
1) The user authentication with 2FA part works as the NPS server returns an Access-Challenge to the FortiGate, which opens a 2FA prompt in FortiClient, then an Access-Accept response when the 2FA authentication is successful.
2) Because the NPS server doesn't return any RADIUS attributes, the SSL VPN connection fails as there is no group matched to the one configured on the FortiGate.
As it stands we will need to go back to our customer and advise them to use only Push/Phone 2FA methods. However, it would be great if we could provide an acceptable workaround or alternative.
I have no experience using FortiAuthenticator, but was wondering if this can be integrated with Azure MFA as an alternative to using the NPS server/extension?
Sorry for the long post and many thanks in advance for any help.
Kind regards,
Phil.
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ken.
Yes, we followed the cookbook recipe, as well as referring to the Microsoft documentation for Azure MFA, etc...
To clarify, I was responsible for the FortiClient/FortiGate configuration, while our customer's 3rd party Microsoft support company dealt with the Azure MFA and on-premises NPS server, so I don't know all the ins and outs of how the Microsoft side of things is configured.
The RADIUS attributes, specifically those that send the user's AD group membership, are part of the Network Access Policies on the NPS server.
These attributes get sent to the FortiGate with the Access-Accept, so the FortiGate then knows what AD groups the user is a member of and can match them against the firewall user groups defined on the FortiGate, and then against the firewall policies.
Obviously, the firewall user groups specify the RADIUS remote authentication server, in this case an NPS server, but more importantly the firewall user group also specifies an AD user group (rather than just "any").
This works fine when using Push Notification or Phone Call 2FA methods, as this part of the authentication process is not dealt with by the Fortinet components.
Once the primary and 2FA are validated, the NPS server sends the Access-Accept to the FortiGate, along with the RADIUS attributes for AD group membership.
SMS and App pass code 2FA methods fail when we specify AD groups in the firewall user groups, because the NPS server does not send the RADIUS attributes to the FortiGate, just the Access-Accept.
The NPS extension limitation is that it won't process any attributes in the Network Access Policies if a Challenge-Response is required and sent to the Fortinet components.
Once the user enters the SMS/App pass code in box presented by FortiClient, this gets sent back to Azure MFA and validated, then the NPS server sends the Access-Accept to the FortiGate.
However, the Fortigate receives the Access-Accept but no RADIUS attributes with AD groups to match against its firewall user groups, so the authentication fails.
The SMS/App pass code 2FA method DOES WORK, if the FortiGate firewall user group does not specify an AD group, just "any".
However, using "any" means we can't then differentiate the users by group and so give them different network access.
Ultimately I'm trying to work out if there is a way around this without introducing massive admin overhead and/or extra cost, or if I need to go back to our customer and advise they can't use those 2FA methods exactly how they want.
Sorry for another long post!
Kind regards,
Phil
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Tomasz.
Firstly, I should apologise for not updating my forum post.
I raised a support ticket with Fortinet, who ultimately confirmed what I'd discovered through research and testing, that the limitation is with the Microsoft NPS server.
In the end we agreed with our customer that any user who had to use the SMS or App pass code methods, would only be allowed the minimum access granted by an "any other user" SSL VPN firewall rule.
Users requiring more access, depending on their group membership, would have to use the Push Notification or Phone Call methods, with access granted by specific SSL VPN firewall rules placed above the "any other user" rule.
I haven't had time to investigate other possibilities that wouldn't require the customer to incur additional costs.
I hope this helps you in some way.
Phil
- « Previous
-
- 1
- 2
- Next »
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply, Debbie.
This is exactly what I am looking for, get NPS to send a notification that Fortigate could forward it to Forticlient. So far, no luck ;)
- « Previous
-
- 1
- 2
- Next »
Related Posts
Labels
-
FortiGate
6,608 -
FortiClient
1,318 -
5.2
801 -
5.4
639 -
FortiManager
572 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
339 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
248 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
103 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
26 -
SD-WAN
26 -
FortiConnect
24 -
High Availability
22 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiPortal
18 -
FortiAuthenticator
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.