Hi community,
I'm unable to configure a working two factor authentication with my fortigate unit. I have a working SSL-VPN Portal using either Windows Active Directory authentication (LDAP; username & password) or RADIUS OTP Token authentication (using SafeNet Authentication Manager 8.2; username and one time passcode). Right now I want to implement the Portal using both - LDAP Authentication AND OTP (the same time) so that a username and password combination cannot be cracked (that easy) using brute force attacks.
Has anyone done this or something like this before?
Thanks for your Feedback,
best regards
I have multi-factor authentication working with Microsoft's Multifactor app and 2012 Network Policy Servers, but not your specific combination. The fundamentals may be the same though.
We specify the MS MFA server as the RADIUS server in the Fortigate, and set up the NPS servers as RADIUS targets of the MS MFA server. Seems to work pretty well.
We have it similar to Jim, basically:
Fortigate VPN portal -> Duo (RADIUS) Server -> AD Security Group -> Duo Notification -> Login
If you can point your Token server to use your AD server then you only need to point the Fortigate to the Token server.
Yes, many times, but with LDAP plus SMS and/or email, or just FortiToken. The FortiToken is ideal since you don't have to worry about SMS and email relays, delays in the delivery of the OTP, or even failures in the delivery of the OTP.
just my 2cts
PCNSE
NSE
StrongSwan
gsarica wrote: "If you can point your Token server to use your AD server then you only need to point the Fortigate to the Token server."
In my opinion this is the important part. You can't combine two auth servers on the Fortigate (one for username/password, one for username/token) to do this.
It will only work if your authentication server can handle both in one go. Either you send the token appended to the password (or username) and the authentication server separates these and checks that both are valid, or your RADIUS authentication server does a RADIUS challenge after checking username/password, thereby getting the Fortigate to show a new field for the token.
I am also using Duo Security and it works very well :)
Felix
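The two server-side patterns Felix describes (token appended to the password and split by the authentication server, or a two-round RADIUS Access-Challenge) are shown below in a small Python model. This is an added example, not code from this thread or from any vendor's product: the user store, password hashes, TOTP seed (the RFC 6238 test-vector seed), state key and all function names are constructed for illustration, and a real deployment would replace `check_password` with an LDAP/AD bind and `check_otp` with a call to the token server.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed demo credential store: NOT a real directory or token server.
DEMO_USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_seed": b"12345678901234567890",  # RFC 6238 test-vector seed
    }
}
OTP_DIGITS = 6
TOTP_STEP = 30
TOTP_WINDOW = 1                          # also accept previous/next step (clock drift)
CHALLENGE_TTL = 60                       # seconds a RADIUS State token stays valid
SERVER_STATE_KEY = b"demo-only-state-key"  # would be a random per-server secret


def totp(seed: bytes, unix_time: int, digits: int = OTP_DIGITS, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm most hardware/soft tokens use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(username: str, password: str) -> bool:
    """Stand-in for the LDAP/AD password check."""
    user = DEMO_USERS.get(username)
    if user is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, user["pw_hash"])


def check_otp(username: str, otp: str, now: int) -> bool:
    """Stand-in for the token-server check; tolerates +/- TOTP_WINDOW steps."""
    user = DEMO_USERS.get(username)
    if user is None:
        return False
    for step_offset in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        expected = totp(user["totp_seed"], now + step_offset * TOTP_STEP)
        if hmac.compare_digest(expected, otp):
            return True
    return False


def split_password_and_otp(combined: str, digits: int = OTP_DIGITS) -> Optional[Tuple[str, str]]:
    """Pattern 1: the OTP is the trailing fixed-length digit string of the password field."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify_combined(username: str, combined: str, now: int) -> bool:
    """Pattern 1: one Access-Request carrying 'password+OTP'; both factors must pass."""
    parts = split_password_and_otp(combined)
    if parts is None:
        return False
    password, otp = parts
    pw_ok = check_password(username, password)
    otp_ok = check_otp(username, otp, now)   # evaluated regardless of pw_ok
    return pw_ok and otp_ok


def _make_state(username: str, issued: int) -> str:
    """RADIUS State attribute: timestamp plus HMAC so round 2 cannot be forged or replayed late."""
    mac = hmac.new(SERVER_STATE_KEY, f"{username}:{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def _state_valid(username: str, state: str, now: int) -> bool:
    try:
        issued_str, _ = state.split(":", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False
    if not 0 <= now - issued <= CHALLENGE_TTL:
        return False
    return hmac.compare_digest(_make_state(username, issued), state)


def radius_step(username: str, credential: str, state: Optional[str] = None, now: int = 0):
    """Pattern 2: two-round flow. Round 1 (no state) checks the password and answers
    Access-Challenge with a State token, which makes the VPN client prompt for the token.
    Round 2 (state present) checks the OTP and answers Access-Accept or Access-Reject."""
    if state is None:
        if check_password(username, credential):
            return "Access-Challenge", _make_state(username, now)
        return "Access-Reject", None
    if _state_valid(username, state, now) and check_otp(username, credential, now):
        return "Access-Accept", None
    return "Access-Reject", None
```

Pattern 1 needs no Fortigate-side change but only works if the authentication server knows the OTP length; pattern 2 needs a RADIUS server that issues Access-Challenge and a Fortigate that renders the second prompt, and the `State` token bounds how long the half-authenticated session stays open.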
I have this working. We have Duo Security integrated for 2FA. Our RADIUS server also hosts the Duo Authentication Proxy. You create a RADIUS server entry, and add that to a user group and specify it on the VPN page. The user group gets added to the web portal/SSL authentication. And the group is also added to the policy rule for the VPN/Portal access. << This is key.
The RADIUS server determines if the user can authenticate (we use AD groups to allow/disallow remote access).
I'll see if I can dig out the relevant config sections
I have the same setup with Duo Proxy on a server with a LDAP group entry, but I don't understand what you mean with "And the group is also added to the policy rule for the VPN/Portal access. << This is key."
I have another thread where I want to have different AD groups for access to different servers, but have not yet solved that.
Here is our policy for SSL VPNs.
config user radius
    edit "Duo Server"
        set server <snip>
        set secret ENC <snip>
        set timeout 240
        set radius-port 1812
        set auth-type pap
        set source-ip <snip>
    next
end
config user group
    edit "Duo SSL VPN"
        set member "Duo Server"
    next
end
config firewall policy
    edit 28
        set name "SSL to Internal"
        set uuid c074da74-a129-51e6-7534-ba952eec26a4
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "Internal" "Site1 Legacy" "Site2 External" "Site2 Legacy"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Duo SSL VPN"
    next
end
With the GUI I can't see the "groups" definition, only from CLI - is this normal?
But great I will try that :)