Hello,
We have a Fortinet Fortigate 60F that we use to connect to our office with a VPN. And for a layer of security, we also have Duo MFA set up to send push notifications. Previously, in the Forticlient app, when it got to around 45% in the connection process, it would send an MFA push notification, and if you did nothing with Duo, it would just sit there and eventually error out. Now I am seeing that the process gets to about 95%, then if you don't touch the notification it just connects you anyway. In fact, no matter what you do (Accept, Ignore, Deny) it connects to the VPN if the AD credentials are still valid.
In the RADIUS Servers tab, I used the “Test User Credentials” option and it works as expected. When you accept the Duo Push it goes through. If you ignore it, it errors on both tests, and then if you deny it, I get a successful connection status, but the user credentials show as “Invalid credentials”.
What could be the issue?
What type of RADIUS server is deployed in this setup?
Based on your description, FGT is not aware and doesn't participate in the MFA process (it doesn't ask for a token input during the authentication). FGT will just wait for the RADIUS response (reject or accept), the push notification in this case is handled by the RADIUS server, so I guess you should focus the troubleshooting on the RADIUS server.
I believe the RADIUS server is the Duo Auth Proxy Manager that is running on our PDC.
In the RADIUS tab in the FGT settings, it is pointing to that server as the main server.
Which in fact has an update for 5.7.4 > 6.3.0. I'll be running that when I can.
Then most probably this behavior is not related to the FGT; it will just wait for the RADIUS response.
It looks like the account being used is matching the non-2FA criteria:
[256:root:6d9d]Auth successful for user ABC in group ABC-VPN_Users
...
[257:root:6d9b]sslvpn_user_match:1170 add user ABC in group ABC-VPN_Users
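To see what the Duo Authentication Proxy actually returns to the FortiGate for each push outcome (accept, ignore, deny), here is an added minimal RADIUS test client that talks to the proxy directly, bypassing the FGT. It is not from this thread or from Fortinet or Duo, and it assumes the proxy's RADIUS listener uses PAP on UDP 1812 and that the host you run it from is configured on the proxy as a RADIUS client with the matching shared secret. An Access-Accept that comes back after a denied push, or any reply that arrives before the push could have been answered, points at the proxy (or the account matching a non-2FA rule) rather than the FortiGate.

```python
import hashlib
import os
import socket
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # RFC 2865 attribute types

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator, nas_id=b"vpn-probe"):
    """Access-Request carrying User-Name, PAP User-Password and NAS-Identifier (type, length, value)."""
    pairs = ((USER_NAME, user), (USER_PASSWORD, pap_encrypt(password, secret, authenticator)),
             (NAS_IDENTIFIER, nas_id))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))  # server side; simulates the proxy offline
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(reply, ident, request_authenticator, secret):
    """Return the reply code only if the ID matches and the Response Authenticator is valid."""
    if len(reply) < 20 or reply[1] != ident:
        return None
    code, length = reply[0], struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return code if length <= len(reply) and expected == reply[4:20] else None

def probe(host, port, secret, user, password, timeout=60.0):
    """Send one Access-Request; return (code, or None on timeout/bad reply, seconds elapsed)."""
    ident, req_auth, start = os.urandom(1)[0], os.urandom(16), time.monotonic()
    packet = build_access_request(ident, user.encode(), password.encode(), secret, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # long enough to cover a Duo push that is left untouched
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, time.monotonic() - start
    return verify_response(reply, ident, req_auth, secret), time.monotonic() - start
```

Run `probe("proxy-host", 1812, b"shared-secret", "ABC", "password")` once per push outcome and compare the returned code (2 = Accept, 3 = Reject, None = no valid reply) and the elapsed seconds; the proxy should not answer Accept until the push has been approved.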