DerekWSmall
New Contributor II

Multiple SSL-VPN policies and MFA

We have a number of vendors who require remote access to VLANs on our network to provide support for gear hosted on those VLANs. We need to limit each vendor to only be able to access the VLAN(s) to which they provide support. I have this working by setting up a different RADIUS server on our FortiGates for each VPN portal and using a different NAS IP configured on each RADIUS server defined on the FortiGate. The RADIUS server definitions all use the same target RADIUS server (IP), but the NAS IP line is different in each RADIUS server definition on the FortiGate. The RADIUS request then hits our Microsoft NPS server, and I have a different policy for each NAS IP that matches a given AD user group for that vendor to the correct NAS IP. Hence a given vendor can only log into their portal.


Now we need to add MFA for the vendors to access our SSL-VPN. Duo was already chosen (by other groups and for other uses), but the problem is (as far as I know) that the Duo portal only supports AD group membership to one AD group per Duo proxy. So I would have to put all the vendor AD accounts into the same group, which would allow them to log into any VPN portal we have defined, even our internal one, which would give them full access to our internal network. The only other option would be to have a different Duo proxy server for each vendor group, and we have over 12 vendors currently, with expectations to grow that to 20-40 or more.


Question 1:

Does anyone know of a way with Duo to have each login attempt to each SSL-VPN portal be authenticated against group membership specific to that portal, which scales and doesn't require a different Duo proxy for each group of SSL-VPN users? So users from ACME can only authenticate to https://my.company.com/ACME, and not https://my.company.com/ROBOTS, or even just https://my.company.com.


Question 2:

Does anyone know of any MFA solutions which would allow this? I have not worked extensively with FortiToken, but I don't believe this would be supported for that either, as I don't see a way to configure multiple policies each with its own group membership. The MFA solutions I've worked with all work pretty much the same as Duo, where either a proxy or cloud-hosted RADIUS server is configured to check membership in just one AD group, or list of groups. I don't know of any that would check for membership in one of several groups based on some parameter you pass like NAS IP, or some other VSA.

Derek Small
Anthony_E
Community Manager

Hello Derek,


Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,


We are still looking for an answer to your question.

We will come back to you as soon as we find one.


Regards,

Anthony-Fortinet Community Team.
Debbie_FTNT
Staff

Hey Anthony,


I can't really speak about the Duo side, I have no experience with that, but you could leverage FortiAuthenticator and SSLVPN realms.

-> You can set up FortiAuthenticator to apply different RADIUS policies based on the NAS IP identifier FortiGate can send

-> you can use SSLVPN realms on FortiGate to force particular URLs (and portals and groups) for users


You could also do a setup something like this:

- use a FortiAuthenticator (or different RADIUS server) with one authentication policy

-> make sure that when users authenticate, the Access-Accept contains a 'Fortinet-Group-Name' attribute based on AD group membership

- you can map that Fortinet-Group-Name to multiple user groups on FortiGate

- you can set up SSLVPN authentication rules to link specific groups to specific portals

- you can apply firewall policies on this group basis to allow access to specific VLANs only


As long as the RADIUS server can send back the Fortinet-Group-Name attribute based on AD group membership to FortiGate, FortiGate can separate users into groups automatically and apply SSLVPN portals and policies based on that group membership.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
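As an added example (not code from this thread, nor from Fortinet, Duo or Microsoft), the Python script below models the two mechanisms the posts describe end to end: the NAS (FortiGate) tags each Access-Request with NAS-IP-Address so the RADIUS server can pick a per-portal policy, as in the question, and the Access-Accept carries the Fortinet-Group-Name vendor-specific attribute, which the NAS maps to a user group and from there to the SSL-VPN realm and portal the user is allowed to reach, as in the reply above. The only real values in it are the RFC 2865 attribute and packet codes and Fortinet's RADIUS vendor ID 12356 with Fortinet-Group-Name as sub-attribute 1; the addresses, user names, AD group names, realm/portal mapping and shared secret are all constructed for the example, and the RADIUS "server" is a toy that runs in-process instead of over UDP.

```python
import hashlib
import struct

USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 4, 26     # RFC 2865 attribute types
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3    # RFC 2865 packet codes
FORTINET_VENDOR_ID, FORTINET_GROUP_NAME = 12356, 1        # Fortinet RADIUS dictionary

SECRET = b"constructed-shared-secret"    # constructed
REQUEST_AUTH = bytes(range(16))          # constructed; a real NAS uses 16 random bytes

# Server side (NPS style, as in the question): one policy per NAS-IP-Address,
# each requiring membership of one AD group.  All values are constructed.
NAS_IP_POLICY = {"10.0.0.11": "ACME-VPN", "10.0.0.12": "ROBOTS-VPN"}
USER_AD_GROUPS = {"acme.tech": {"ACME-VPN"}, "robo.tech": {"ROBOTS-VPN"}}

# NAS side (FortiGate, as in the reply): Fortinet-Group-Name -> (realm, portal).
GROUP_TO_REALM = {"ACME-VPN": ("ACME", "portal-ACME"),
                  "ROBOTS-VPN": ("ROBOTS", "portal-ROBOTS")}


def attr(atype, value):
    # One RADIUS attribute: Type, Length (header included), Value.
    return struct.pack("!BB", atype, 2 + len(value)) + value


def fortinet_group_name(group):
    """Vendor-Specific (26) wrapping Fortinet sub-attribute 1, Fortinet-Group-Name."""
    data = group.encode()
    vsa = struct.pack("!IBB", FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, 2 + len(data)) + data
    return attr(VENDOR_SPECIFIC, vsa)


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_auth(code, ident, body):
    """Response Authenticator (RFC 2865 s.3): MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + REQUEST_AUTH + body + SECRET).digest()


def parse(pkt):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def group_names(attrs):
    """Every Fortinet-Group-Name carried in the Vendor-Specific attributes."""
    out = []
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        pos = 4                       # vendor data may hold several sub-attributes
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == FORTINET_GROUP_NAME:
                out.append(value[pos + 2:pos + vlen].decode())
            pos += vlen
    return out


def radius_server(request):
    """Toy server: select the policy by NAS-IP-Address, accept only its AD group's members."""
    code, ident, _, attrs = parse(request)
    fields = dict(attrs)
    user = fields.get(USER_NAME, b"").decode()
    nas_ip = ".".join(str(b) for b in fields.get(NAS_IP_ADDRESS, b""))
    required = NAS_IP_POLICY.get(nas_ip)
    if code == ACCESS_REQUEST and required in USER_AD_GROUPS.get(user, set()):
        body = [fortinet_group_name(required)]
        auth = response_auth(ACCESS_ACCEPT, ident, b"".join(body))
        return packet(ACCESS_ACCEPT, ident, auth, body)
    return packet(ACCESS_REJECT, ident, response_auth(ACCESS_REJECT, ident, b""), [])


def vpn_login(user, nas_ip, requested_realm):
    """NAS side: send the request, verify the reply, map group -> realm -> portal.
    Returns the portal the user lands on, or None if this realm is not theirs."""
    request = packet(ACCESS_REQUEST, 7, REQUEST_AUTH, [attr(USER_NAME, user.encode()),
                     attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    reply = radius_server(request)
    code, ident, auth, attrs = parse(reply)
    if ident != 7 or auth != response_auth(code, ident, reply[20:]):
        return None               # forged or mis-keyed reply: never trust its groups
    if code != ACCESS_ACCEPT:
        return None               # rejected: wrong NAS-IP policy or not in the AD group
    for group in group_names(attrs):
        realm, portal = GROUP_TO_REALM.get(group, (None, None))
        if realm == requested_realm:
            return portal
    return None                   # authenticated, but not for this realm/portal
```

`vpn_login("acme.tech", "10.0.0.11", "ACME")` returns `portal-ACME`, while the same user hitting the `ROBOTS` realm, or a RADIUS definition whose NAS IP is bound to another vendor's NPS policy, gets `None`. The `GROUP_TO_REALM` table stands in for what the reply describes on a real FortiGate: a user group whose RADIUS match entry names the Fortinet-Group-Name value, plus an SSL-VPN authentication rule that binds that group to a realm and portal; the per-VLAN firewall policies keyed on the same group are a separate step the script does not model.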