Issue: We enter in our username and password for SSL, we receive the Duo push, duo push stays for a few seconds, then passes/approves the connection without user intervention. This doesn't allow the user to allow or deny the connection thus rendering Duo useless.
Fortinet Users,
We currently are using LDAP to sync our FortiGate 400E. We then create a local firewall group on our 400E and tie the remote server (LDAP) to this group. Typically this is a group we have in AD already to match.
From here we tie this same group into the Authentication portal for SSL VPN connection.
Next, we set up the firewall policies to also use this group.
This process works without issues, but now that we are trying to layer Cisco Duo on it we are having problems. What we did was add a RADIUS server to the firewall and then add an additional user to the remote group. We also had to make an NPS policy on our domain controller.
We then make sure the NPS policy is in place. Conditions include the Windows group, Client IPv4 of the Duo server, PAP unencrypted to be allowed, and vendor-specific RADIUS standard.
Does anyone know why this isn't working correctly? I feel this should be a simple configuration since it works without Duo.
Thanks,
Michael
I appreciate your reply. Yesterday we resolved the issue. As I mentioned, we set up a firewall group with a remote server of our domain controller (LDAP). We followed the documentation on Duo's end and ended up making an LDAP Proxy application connection instead of the RADIUS/NPS setup. Once the LDAP proxy application was configured, we then modified the Duo proxy server's auto-config file to reflect LDAP authentication.
Duo LDAP Proxy:
Proxy Config:
; Domain Controllers (LDAP-PROXY FOR VPN).
[ad_client2]
; primary and failover domain controllers used for primary (password) authentication
host=10.*.*.*
host_2=10.*.*.*
; service account the proxy binds to AD with
service_account_username=duo
service_account_password=**********
; base DN under which users are searched
search_dn=DC=******,DC=local
[ldap_server_auto]
; LDAP listener the FortiGate points at: primary auth goes to ad_client2, then the Duo push
client=ad_client2
ikey=******************
skey=******************
api_host=**************
; safe = allow primary-auth-only logins if the Duo cloud is unreachable (secure = deny)
failmode=safe
; exempt_primary_bind=false exempts no bind automatically, so the service account DN is exempted explicitly
exempt_ou_1=CN=duo,OU=ServiceAccounts,OU=****,DC=********,DC=Local
exempt_primary_bind=false
Firewall Change:
This configuration cuts out NPS and allows LDAP to be used. Make sure you restart the proxy server after configuration changes. I hope this helps someone in the future looking for this as a sort of guide.
Reference Documents:
2FA for Fortinet FortiGate SSL VPN and FortiClient with RADIUS Auto Push | Duo Security
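As an added example (not the poster's config, and not any Duo or Fortinet tooling), a small Python linter for the authproxy.cfg layout shown above: it checks that [ldap_server_auto] points at a defined client section, that the Duo cloud keys are present, that failmode and exempt_primary_bind are set deliberately, and that every exempt_ou_N value is a DN. The embedded sample config is constructed with placeholder values; section and key names are the ones from the posted config.

```python
# Added example, not from the thread or from Duo: a linter for the authproxy.cfg
# layout posted above (client link, Duo cloud keys, failmode, exempt_primary_bind, exempt_ou DNs).
import configparser
import re
# Constructed sample mirroring the posted config; all values are placeholders.
SAMPLE_CFG = """
; Domain Controllers (LDAP-PROXY FOR VPN).
[ad_client2]
host=10.0.0.10
host_2=10.0.0.11
service_account_username=duo
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=local
[ldap_server_auto]
client=ad_client2
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-PLACEHOLDER.duosecurity.com
failmode=safe
exempt_ou_1=CN=duo,OU=ServiceAccounts,OU=Users,DC=example,DC=Local
exempt_primary_bind=false
"""
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)*$")

def lint_authproxy(text: str) -> list:
    """Return findings for one authproxy.cfg; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";", "#"))
    cp.read_string(text)
    if not cp.has_section("ldap_server_auto"):
        return ["missing [ldap_server_auto] section"]
    srv, findings = cp["ldap_server_auto"], []
    client = srv.get("client", "")
    if not client or not cp.has_section(client):
        findings.append(f"client '{client}' has no matching section")
    elif not cp[client].get("search_dn"):
        findings.append(f"[{client}] has no search_dn, so user lookups will fail")
    for key in ("ikey", "skey", "api_host"):
        if not srv.get(key):
            findings.append(f"missing {key} in [ldap_server_auto]")
    # Duo's default failmode is safe: primary-auth-only logins if the cloud is down.
    if srv.get("failmode", "safe").lower() == "safe":
        findings.append("failmode=safe: logins succeed without 2FA if Duo cloud is unreachable")
    # exempt_primary_bind=false exempts nothing automatically, so the service
    # account bind must be covered by an exempt_ou_N entry that is a valid DN.
    if srv.get("exempt_primary_bind", "true").lower() == "false":
        ous = [v for k, v in srv.items() if k.startswith("exempt_ou_")]
        if not ous:
            findings.append("exempt_primary_bind=false with no exempt_ou_N: service account bind triggers 2FA")
        findings.extend(f"exempt_ou value is not a DN: {v}" for v in ous if not DN_RE.match(v))
    return findings
```

Run it against a real file with `lint_authproxy(open("authproxy.cfg").read())`; the only finding on the sample is the fail-open failmode, which is a deliberate choice to review rather than an error.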
Hey Michael,
There are two issues here:
- For authentication, FortiGate expects a user trying to authenticate to be a member of ANY relevant group, not ALL
-> it is sufficient for your users to either authenticate via LDAP OR RADIUS, FortiGate does not expect them to authenticate via both
- FortiGate attempts to authenticate a user against any applicable server; in your case, it will send requests to both LDAP and RADIUS (Duo), and whichever server replies with a success first, that's the one it goes with. Since LDAP will reply with a success first (as Duo has to go through push notification), FortiGate will then discard the authentication attempt against Duo
-> see https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authent... for details on SSLVPN authentication
For your setup to work, you probably need something like this:
- all users authenticate via RADIUS (which in turn checks credentials against LDAP, I assume)
- Duo triggers a push notification where appropriate and sends an Access-Accept to FortiGate if that is successful
-> remove the LDAP user groups from your SSLVPN setup to achieve this (this forces all users to be authenticated via RADIUS)
-> you might need to increase the remoteauthtimeout setting:
(#config global)
#config system global
#set remoteauthtimeout <in seconds>
#end
This is how long the FortiGate will wait for a response from an authentication server; by default 5 seconds. Given that push notification can take a bit longer, you might want to increase this to 30-60 seconds.
-> if you want to handle group memberships, you can define matches on FortiGate same as for LDAP groups. The FortiGate will expect a Fortinet-Group-Name attribute as VSA in the Access-Accept message, and match users into groups based on that attribute.
I hope that clears it up for you :)