cchivers
New Contributor

MFA for SSL VPN using LDAP

I have a Fortigate 80E. We want to move away from local users on the firewall for VPN and to using LDAP sync, so that we can simply add/remove people to the VPN Access security group on the AD. We also want to force 2FA/MFA when those users sign in to the VPN. 


I have been unable to determine how to do this for the 30 users that use the VPN from time to time. 


Can anyone point me in the right direction? I am running 7.0.5.


Thank you. 

Markus_M
Staff

Hi,


What will be your second factor and where will it be enforced?

You could have FortiTokens on the FGT and, one by one, create remote LDAP users with a token each. Put these users into a local (not remote!) group and you are done. That still means having users on the firewall, though.


Now if you want to implement a second factor elsewhere, you will need to understand the flow of authentication:

The user authenticates against an authenticator (the FortiGate here), and this authenticator authenticates the user against a user DB. That can be your LDAP server.

Your second factor can either be inserted on the authenticator, as described right before, or be implemented on the user DB (the LDAP server). Either of these nodes must be capable of setting a second factor and asking for an answer prior to sending a final response to the end user.


Best regards,


Markus

sstrudwick
New Contributor

We are using LDAP for authenticating our end users. Define your LDAP server on the firewall. Then create a new user, select Remote LDAP Server, select the server you previously defined, search for the user, select it, then add. I am running a 100E on version 7.0.5. I then defined a group on the firewall that they also have to be a member of. Now that the user is defined on the firewall, you can add a FortiToken to that user. They will need the FortiToken Mobile app on either their iPhone or Android. Yes, they are defined on the firewall, but they are not considered local; they are LDAP users. Works extremely well for us.
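The same steps expressed as FortiOS CLI, added here as an illustration and not taken from the thread or from Fortinet documentation. It assumes a FortiOS 7.0 unit, an AD domain controller reachable over LDAPS, and that a FortiToken Mobile token has already been registered on the FortiGate; the server address, base DN, bind account, user name, token serial, group name and portal name are all placeholders to be replaced with your own values.

```text
# 1. Define the LDAP (Active Directory) server.
#    A dedicated low-privilege bind account and LDAPS keep the directory
#    credentials off the wire in clear text.
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"                                # placeholder DC address
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"                          # placeholder base DN
        set type regular
        set username "cn=svc-fgt-ldap,cn=Users,dc=example,dc=local"   # placeholder bind account
        set password <bind-account-password>
        set secure ldaps
        set port 636
    next
end

# 2. Create a "locally defined remote user": the account exists on the
#    FortiGate so a token can be attached, but the password is checked
#    against AD, not stored locally.
config user local
    edit "jdoe"                                               # must match the AD sAMAccountName
        set type ldap
        set ldap-server "AD-LDAP"
        set two-factor fortitoken
        set fortitoken "FTKMOBxxxxxxxxxx"                      # placeholder token serial
    next
end

# 3. Put the user into a local firewall group that the VPN rules reference.
config user group
    edit "VPN-MFA-Users"
        set member "jdoe"
    next
end

# 4. Tie the group to the SSL VPN portal so only group members (each carrying
#    a token) can log in.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-MFA-Users"
            set portal "full-access"                          # placeholder portal name
        next
    end
end
```

Repeat step 2 for each VPN user; the one-by-one definition is the price of doing the second factor on the FortiGate rather than on the directory. As a check, a login attempt with a correct AD password but no token code should be refused, and removing the user from the local group (step 3) should also block access regardless of AD group membership, which is why the AD "VPN Access" group and this firewall group need to be kept in step.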


Markus_M
Staff

I can add to sstrudwick's reply that we tend to call these users "locally defined remote users".

These are locally defined on the FortiGate one by one, so you can add the tokens to the individual users, but they authenticate against a remote user DB (LDAP or RADIUS).
