chipcoit
New Contributor II

SSL and Cisco Duo- Automatic Login

Issue: We enter in our username and password for SSL, we receive the Duo push, duo push stays for a few seconds, then passes/approves the connection without user intervention. This doesn't allow the user to allow or deny the connection thus rendering Duo useless.

 

Fortinet Users,

We currently are using LDAP to sync our FortiGate 400E. We then create a local firewall group on our 400E and tie the remote server (LDAP) to this group. Typically this is a group we have in AD already to match.

LocalGroup.jpg

From here we tie this same group into the Authentication portal for SSL VPN connection.

AuthenticationPortal.jpg

Next, we set up the firewall policies to also use this group.

Policy.jpg

 

This process works without issues but now that we are trying to layer Cisco Duo on it we are having problems. What we did was add a radius to the firewall and then add an additional user to the remote group. We also had to make a NPS policy on our domain controller.
withRadius.jpg

We then make sure the NPS policy is in place. Conditions include the Windows group, Client IPv4 of the Duo server, PAP unencrypted to be allowed, and vendor-specific RADIUS standard.

FVPN.NPS.jpg

 

RadiusStandard.jpg

 

 

Does anyone know why this isn't working correctly? I feel this should be a simple configuration since it works without Duo.

 

Thanks,
Michael

1 Solution
chipcoit
New Contributor II

I appreciate your reply; yesterday we resolved the issue. As I mentioned, we set up a firewall group with a remote server of our domain controller (LDAP). We followed the documentation on Duo's end and ended up making an LDAP Proxy application connection instead of the RADIUS/NPS setup. Once the LDAP proxy application was configured we then modified the Duo proxy server's auto-config file to reflect LDAP authentication.

 

Duo LDAP Proxy:

  • Create application
  • Set Username normalization to simple.

 

Proxy Config:

; Domain Controllers (LDAP-PROXY FOR VPN).
[ad_client2]
host=10.*.*.*
host_2=10.*.*.*
service_account_username=duo
service_account_password=**********
search_dn=DC=******,DC=local


[ldap_server_auto]
client=ad_client2
ikey=******************
skey=******************
api_host=**************
failmode=safe
exempt_ou_1=CN=duo,OU=ServiceAccounts,OU=****,DC=********,DC=Local
exempt_primary_bind=false

 

Firewall Change:

  • Add Duo Proxy servers under User & Authentication > LDAP Servers
  • Go into the firewall user group. Make sure only the Duo Proxy LDAP connection is listed under Remote Server.
  • Make sure the firewall group is correctly set under Authentication/Portal Mapping.
  • Create your SSL to Inside/Outside/All policies using the firewall group.
  • config system global
    set remoteauthtimeout 90
    end

 

This configuration cuts out NPS and allows LDAP to be used. Make sure you restart the proxy server after configuration changes. I hope this helps someone in the future looking for this as a sort of guide.

 

Reference Documents:

LDAP | Duo Security

2FA for Fortinet FortiGate SSL VPN and FortiClient with RADIUS Auto Push | Duo Security
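The Duo Authentication Proxy section above is the part of this fix that decides what happens when Duo itself is unavailable or when a bind DN is exempted, so it is worth checking before restarting the proxy. The following checker is an added example for this thread, not code from either poster or from Duo: it parses a constructed copy of the posted authproxy.cfg fragment (masked values kept as placeholders) with Python's stdlib configparser and reports the settings an admin should confirm. The defaults it assumes (failmode defaults to safe, exempt_primary_bind defaults to true) are Duo's documented defaults as I understand them; verify against current Duo documentation.

```python
import configparser

# Constructed copy of the authproxy.cfg fragment from the thread, masked values kept as-is.
SAMPLE_CFG = """\
; Domain Controllers (LDAP-PROXY FOR VPN).
[ad_client2]
host=10.*.*.*
host_2=10.*.*.*
service_account_username=duo
service_account_password=**********
search_dn=DC=******,DC=local

[ldap_server_auto]
client=ad_client2
ikey=******************
skey=******************
api_host=**************
failmode=safe
exempt_ou_1=CN=duo,OU=ServiceAccounts,OU=****,DC=********,DC=Local
exempt_primary_bind=false
"""

# Section names the proxy uses for the side that FortiGate talks to.
SERVER_SECTIONS = ("ldap_server_auto", "radius_server_auto")


def parse_authproxy(text: str) -> configparser.ConfigParser:
    """authproxy.cfg is INI-style: ';' comments, key=value lines, one section per client/server.
    Only '=' is a delimiter so DNs and host:port values are not split on ':'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def check_authproxy(text: str) -> list:
    """Return human-readable findings about the security-relevant settings."""
    cp = parse_authproxy(text)
    findings = []
    servers = [s for s in cp.sections() if s.startswith(SERVER_SECTIONS)]
    if not servers:
        findings.append("no [ldap_server_auto]/[radius_server_auto] section: the proxy serves no clients")
    for name in servers:
        sec = cp[name]
        # The server section must point at an [ad_client]/[radius_client] section for primary auth.
        client = sec.get("client")
        if client is None or client not in cp:
            findings.append(f"[{name}] client={client!r} does not name a defined section; primary auth has nowhere to go")
        # Assumed Duo default: failmode=safe. 'safe' is fail-open: if Duo's cloud service cannot be
        # reached, the proxy lets the login through on the primary (password) factor alone.
        if sec.get("failmode", "safe").lower() == "safe":
            findings.append(f"[{name}] failmode=safe: if Duo's cloud is unreachable, logins pass on the primary password alone")
        # Assumed Duo default: exempt_primary_bind=true (the DN used for the first bind skips 2FA).
        if sec.get("exempt_primary_bind", "true").lower() == "true":
            findings.append(f"[{name}] exempt_primary_bind is true (the default): the DN doing the first bind skips 2FA")
        # Every exempt_ou_N entry is a 2FA bypass for whatever binds from that DN/OU; list them for review.
        for key, val in sec.items():
            if key.startswith("exempt_ou_"):
                findings.append(f"[{name}] {key} exempts '{val}' from 2FA; confirm it is only the FortiGate bind account")
    # Values still masked with '*' were copied from a post, not filled in for this deployment.
    for name in cp.sections():
        for key, val in cp[name].items():
            if "*" in val:
                findings.append(f"[{name}] {key} still holds a masked placeholder")
    return findings


if __name__ == "__main__":
    for line in check_authproxy(SAMPLE_CFG):
        print("-", line)
```

Run against the posted fragment it confirms that the client reference resolves and that exempt_primary_bind was deliberately turned off, but it also surfaces the trade-off in that configuration: with only the Duo proxy left as the group's remote server (the firewall change below) and failmode=safe, an outage of the Duo service degrades SSL VPN logins to password-only rather than failing closed; switch to failmode=secure if that is not acceptable.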


Debbie_FTNT
Staff

Hey Michael,

there are two issues here:

- For authentication, FortiGate expects a user trying to authenticate to be a member of ANY relevant group, not ALL

-> it is sufficient for your users to either authenticate via LDAP OR RADIUS, FortiGate does not expect them to authenticate via both

- FortiGate attempts to authenticate a user against any applicable server; in your case, it will send requests to both LDAP and RADIUS (Duo), and whichever server replies with a success first, that's the one it goes with. Since LDAP will reply with a success first (as Duo has to go through push notification), FortiGate will then discard the authentication attempt against Duo

-> see https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authent... for details on SSLVPN authentication

 

For your setup to work, you probably need something like this:
- all users authenticate via RADIUS (which in turn checks credentials against LDAP, I assume)
- Duo triggers push notification where appropriate and sends an Access-Accept to FortiGate if that is successful

-> remove the LDAP user groups from your SSLVPN setup to achieve this (this forces all users to be authenticated via RADIUS)
-> you might need to increase the remoteauthtimeout setting:
(#config global)

#config system global
#set remoteauthtimeout <in seconds>
#end

This is how long the FortiGate will wait for a response from an authentication server; by default 5 seconds. Given that push notification can take a bit longer, you might want to increase this to 30-60 seconds.
-> if you want to handle group memberships, you can define matches on FortiGate same as for LDAP groups. The FortiGate will expect a Fortinet-Group-Name attribute as VSA in the Access-Accept message, and match users into groups based on that attribute.

I hope that clears it up for you :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
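To make the timing argument in the reply above concrete, here is a small simulation, added to this thread and not written by either poster, of the behaviour described: FortiGate sends the credentials to every remote server attached to the user group, takes the first Accept it gets back, stops caring about the slower servers, and gives up after remoteauthtimeout seconds. The server names, latencies (a domain controller answering a bind in 20 ms, a Duo RADIUS proxy answering only after a 200 ms "push") and timeouts are all constructed values.

```python
import asyncio
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteServer:
    """One remote auth server attached to a FortiGate user group (constructed)."""
    name: str
    latency: float   # seconds until the server answers
    accepts: bool    # what it finally answers (for Duo: the outcome of the push)


async def query(server: RemoteServer):
    """Pretend to send the credentials and wait for the server's verdict."""
    await asyncio.sleep(server.latency)
    return server.name, server.accepts


async def authenticate(servers, remoteauthtimeout):
    """Model of the FortiGate behaviour described in the reply: fan out to every
    server in the group, return on the first Accept, treat a full round of
    Rejects as a reject, and give up once remoteauthtimeout seconds have elapsed.
    Returns (outcome, name_of_server_that_accepted)."""
    loop = asyncio.get_running_loop()
    deadline = loop.time() + remoteauthtimeout
    pending = {asyncio.create_task(query(s)) for s in servers}
    try:
        while pending:
            remaining = deadline - loop.time()
            if remaining <= 0:
                return "timeout", None
            done, pending = await asyncio.wait(
                pending, timeout=remaining, return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                name, accepted = task.result()
                if accepted:
                    # First Accept wins; slower servers are no longer consulted.
                    return "accept", name
        return "reject", None
    finally:
        for task in pending:
            task.cancel()


# Constructed servers: the domain controller answers a password check almost
# immediately; the Duo RADIUS proxy answers only once the push is approved or denied.
LDAP_DC = RemoteServer("ldap-dc", latency=0.02, accepts=True)


def duo_radius(push_approved: bool) -> RemoteServer:
    return RemoteServer("duo-radius", latency=0.20, accepts=push_approved)


def broken_setup(push_approved: bool):
    """LDAP and the Duo RADIUS server both attached to the SSL VPN group (the original post)."""
    return asyncio.run(authenticate([LDAP_DC, duo_radius(push_approved)], remoteauthtimeout=5))


def fixed_setup(push_approved: bool, remoteauthtimeout: float):
    """Only the Duo-fronted server attached, so the verdict is the push result."""
    return asyncio.run(authenticate([duo_radius(push_approved)], remoteauthtimeout))


if __name__ == "__main__":
    print("both servers, push denied  :", broken_setup(False))      # ('accept', 'ldap-dc')
    print("Duo only, push denied      :", fixed_setup(False, 1.0))   # ('reject', None)
    print("Duo only, push approved    :", fixed_setup(True, 1.0))    # ('accept', 'duo-radius')
    print("Duo only, timeout too short:", fixed_setup(True, 0.05))   # ('timeout', None)
```

The first case is the symptom from the original post: the Duo push is still outstanding (and may even be denied) when the LDAP Accept arrives, so the session is approved without the user's decision. The last case is why the timeout matters once LDAP is removed from the group: with remoteauthtimeout shorter than the time a user needs to answer the push, every login fails, which is the reason the accepted solution raises it to 90 seconds.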
