Hey,
I am currently investigating a migration to MFA for the SSL VPN. Currently LDAP authentication is used, and for MFA we have set up a RADIUS server that provides MFA (Microsoft Authenticator). On its own the MFA works perfectly on a test system. Since we cannot migrate all users to MFA simultaneously, the idea is to slowly move end users from LDAP to RADIUS auth, but I have not been able to get this to work.
If I add RADIUS to the SSL groups, a user logging in will get the MFA request but gets logged in before he can even accept or deny. I suspect this is due to the fact that FortiGate queries all auth servers and takes the first result. Since LDAP does not need to wait for the MFA confirmation, this is always going to be first.
If I remove the end user from the VPN group in AD, then authentication fails before he gets the chance to accept or deny the MFA request. Again I suspect this is due to the fact that LDAP answers first: authentication to LDAP succeeds, but the list of AD groups does not contain the one requested for VPN, and thus authorization fails.
Is there any way to force FortiGate to try RADIUS first and, if it fails, fall back to LDAP, or to wait for RADIUS even though LDAP auth succeeds but does not have the required groups?
If not, any suggestions on how to slowly migrate end users to MFA?
Thanks
I have tested something similar and I don't believe what you want is possible within normal configuration. It does indeed fall through and try the next.
You might try different realms and ask people to use another realm when they are moved.
As you already noticed, there is no way to prefer RADIUS/LDAP in the same remote user group. If I were to do this I'd try to separate users by groups/protocols and then use the top-down rule matching logic: higher SSL VPN rules would use groups with RADIUS authentication, lower rules would use LDAP-based user groups. FortiGate starts from the top and checks every SSL VPN rule to find a matching remote group/authentication server, so it would first try to match groups/users on the RADIUS server, and if not found would then try the LDAP servers.
Unrelated: mixing authentication servers in the same rule may cause trouble. For backup purposes there is a command under the authentication server config to specify a secondary server/additional IP in case the main one fails.
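The two suggestions above (a separate realm for migrated users, and separate RADIUS-only and LDAP-only groups bound to ordered SSL VPN authentication rules) fit together in one configuration. The FortiOS CLI fragment below is an added illustration, not configuration posted in this thread; server names, addresses, DNs, the "mfa" realm, the portal name and the shared secret are placeholders, and the 60-second timeout values are an assumption chosen to give a push prompt time to be approved (check the documented range for your FortiOS release).

```text
# Added example, not from the thread. Placeholders: 10.0.0.10, 10.0.0.20,
# DC=example,DC=com, the "mfa" realm, the "full-access" portal, secrets.

config system global
    # Assumed value: long enough for the user to approve the push
    set remoteauthtimeout 60
end

config user radius
    edit "RADIUS-MFA"
        set server "10.0.0.10"
        set secret "<shared-secret>"
        set timeout 60
    next
end

config user ldap
    edit "AD-LDAP"
        set server "10.0.0.20"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=com"
        set password "<bind-password>"
        set secure ldaps
        set port 636
    next
end

# One group per authentication server, never both servers in the same group.
config user group
    edit "VPN-MFA"
        set member "RADIUS-MFA"
    next
    edit "VPN-LDAP"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN-Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Realm for migrated users (first reply): they connect to
# https://<vpn-host>/mfa instead of the default URL.
config vpn ssl web realm
    edit "mfa"
        set url-path "mfa"
    next
end

# Rule order matters (second reply): the RADIUS-backed group sits above
# the LDAP-backed group, and is additionally pinned to the "mfa" realm.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-MFA"
            set portal "full-access"
            set realm "mfa"
        next
        edit 2
            set groups "VPN-LDAP"
            set portal "full-access"
        next
    end
end
```

Migrating a user then means enrolling them on the RADIUS/MFA side and handing them the /mfa URL (or the realm setting in FortiClient); users still on the default URL never match rule 1 and are never prompted for a push, which avoids the LDAP-answers-first race described in the question. To confirm which server actually handled a login, watch `diagnose debug application fnbamd -1` with `diagnose debug enable` during a test connection.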
Copyright 2024 Fortinet, Inc. All Rights Reserved.