Has anyone implemented TwoFactor SSL-VPN Portal with RADIUS/ActiveDirectory?
Hi community,
I'm unable to configure working two-factor authentication with my FortiGate unit. I have a working SSL-VPN portal using either Windows Active Directory authentication (LDAP; username & password) or RADIUS OTP token authentication (using SafeNet Authentication Manager 8.2; username and one-time passcode). Right now I want to implement the portal using both - LDAP authentication AND OTP (at the same time) so that a username and password combination cannot be cracked (that easily) using brute-force attacks.
Has anyone done this or something like this before?
Thanks for your feedback,
best regards
Labels: 5.2
I have multi-factor authentication working with Microsoft's Multifactor app and 2012 Network Policy Servers, but not your specific combination. The fundamentals may be the same though.
We specify the MS MFA server as the RADIUS server in the Fortigate, and set up the NPS servers as RADIUS targets of the MS MFA server. Seems to work pretty well.
We have it similar to Jim, basically:
Fortigate VPN portal -> Duo (RADIUS) Server -> AD Security Group -> Duo Notification -> Login
If you can point your Token server to use your AD server then you only need to point the Fortigate to the Token server.
Yes, many times, but with LDAP plus SMS and/or email, or just FortiToken. The FortiToken is ideal since you don't have to worry about SMS and email relays, or about delays or outright failures in the delivery of the OTP.
just my acts
PCNSE
NSE
StrongSwan
gsarica wrote:
> If you can point your Token server to use your AD server then you only need to point the Fortigate to the Token server.

In my opinion this is the important part. You can't combine two auth servers on the FortiGate (one for username/password, one for username/token) to do this.
It will only work if your authentication server can handle both in one go: you send the token appended to the password (or username) and the authentication server separates these and checks whether both are valid. Or your RADIUS authentication server can do a RADIUS challenge after checking username/password, thereby getting the FortiGate to show a new field for the token.
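The two server-side designs described in this reply, shown as an added stand-alone simulation (not FortiGate, SafeNet or Duo code): option 1 splits a trailing OTP off the password typed into the single PAP field, option 2 answers the first Access-Request with an Access-Challenge carrying a State attribute and collects the OTP in a second request. The user store, the OTP seed, the PBKDF2 salt and the dictionary-shaped RADIUS messages are all constructed here for illustration; the OTP itself is RFC 6238 TOTP.

```python
"""
Simulated RADIUS-side logic that checks a directory password AND a one-time
passcode behind a single FortiGate RADIUS server entry.
Added example with constructed data; not vendor code.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

OTP_DIGITS = 6
TOTP_STEP = 30


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with Unix time divided into 30-second steps."""
    return hotp(secret, at // step)


def otp_valid(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * TOTP_STEP), code)
               for k in range(-window, window + 1))


# Constructed user store standing in for Active Directory plus a token DB.
_SALT = b"constructed-salt"


def _pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


USERS = {
    "alice": {"pw": _pw_hash("Winter2016!"), "seed": b"12345678901234567890"},
}


def password_valid(user: str, password: str) -> bool:
    rec = USERS.get(user)
    # Hash even for unknown users so timing does not reveal which names exist.
    candidate = _pw_hash(password)
    return rec is not None and hmac.compare_digest(rec["pw"], candidate)


# --- Option 1: OTP appended to the password in one PAP field ---------------
def auth_combined(user: str, combined: str, at: int) -> bool:
    """Split the trailing OTP_DIGITS off the password and require both."""
    if len(combined) <= OTP_DIGITS:
        return False
    password, code = combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]
    rec = USERS.get(user)
    pw_ok = password_valid(user, password)
    # Evaluate the OTP regardless of the password result so a rejection
    # does not reveal which factor was wrong.
    otp_ok = rec is not None and code.isdigit() and otp_valid(rec["seed"], code, at)
    return pw_ok and otp_ok


# --- Option 2: RADIUS Access-Challenge after the password check ------------
# Pending challenges keyed by the opaque State attribute handed to the NAS.
_PENDING: Dict[bytes, Tuple[str, int]] = {}
CHALLENGE_TTL = 60  # seconds a State stays valid


def radius_request(user: str, password: str, at: int,
                   state: Optional[bytes] = None) -> dict:
    """Server side of the two-step exchange (messages are plain dicts here).

    First request (no State): check the password; on success return an
    Access-Challenge with State and a Reply-Message, which the FortiGate
    renders as an extra token field. Second request (with State): the
    `password` field now carries the OTP.
    """
    if state is None:
        if not password_valid(user, password):
            return {"code": "Access-Reject"}
        token = secrets.token_bytes(16)
        _PENDING[token] = (user, at)
        return {"code": "Access-Challenge", "State": token,
                "Reply-Message": "Enter your one-time passcode"}
    pending = _PENDING.pop(state, None)  # State is single use
    if pending is None or pending[0] != user or at - pending[1] > CHALLENGE_TTL:
        return {"code": "Access-Reject"}
    if password.isdigit() and otp_valid(USERS[user]["seed"], password, at):
        return {"code": "Access-Accept"}
    return {"code": "Access-Reject"}
```

Both paths only return success when the password and the OTP are valid for the same user, which is the property the thread is after: a guessed password alone never yields Access-Accept. Option 1 needs no NAS support beyond plain PAP but forces a fixed-length OTP; option 2 needs the NAS to honour Access-Challenge (the extra field the reply mentions) but keeps the two secrets separate and ties the second step to a single-use, time-limited State.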
I am also using Duo Security and it works very well :)
Felix
I have this working. We have Duo Security integrated for 2FA. Our RADIUS server also hosts the Duo Authentication Proxy. You create a RADIUS server entry, add that to a user group and specify it on the VPN page. The user group gets added to the web portal/SSL authentication. And the group is also added to the policy rule for the VPN/portal access. << This is key.
The RADIUS server determines if the user can authenticate (we use AD groups to allow/disallow remote access).
I'll see if I can dig out the relevant config sections.
I have the same setup with Duo Proxy on a server with an LDAP group entry, but I don't understand what you mean with "And the group is also added to the policy rule for the VPN/Portal access. << This is key."
I have another thread where I want to have different AD groups for access to different servers, but have not yet solved that.
Here is our policy for SSL VPNs.
config user radius
    edit "Duo Server"
        set server <snip>
        set secret ENC <snip>
        set timeout 240
        set radius-port 1812
        set auth-type pap
        set source-ip <snip>
    next
end
config user group
    edit "Duo SSL VPN"
        set member "Duo Server"
    next
end
config firewall policy
    edit 28
        set name "SSL to Internal"
        set uuid c074da74-a129-51e6-7534-ba952eec26a4
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "Internal" "Site1 Legacy" "Site2 External" "Site2 Legacy"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Duo SSL VPN"
    next
end
With the GUI I can't see the "groups" definition, only from the CLI - is this normal?
But great, I will try that :)
