SSL and Cisco Duo- Automatic Login

chipcoit · ‎01-31-2022

Issue: We enter in our username and password for SSL, we receive the Duo push, duo push stays for a few seconds, then passes/approves the connection without user intervention. This doesn't allow the user to allow or deny the connection thus rendering Duo useless.

Fortinet Users,

We currently are using LDAP to sync our FortiGate 400E. We then create a local firewall group on our 400E and tie the remote server (LDAP) to this group. Typically this is a group we have in AD already to match.

From here we tie this same group into the Authentication portal for SSL VPN connection.

Next, we set up the firewall policies to also use this group.

This process works without issues but now that we are trying to layer Cisco Duo on it we are having problems. What we did was add a radius to the firewall and then add an additional user to the remote group. We also had to make a NPS policy on our domain controller.

We then make sure the NPS policy is in place. Conditions include the windows group, Client IPv4 of the Duo server, PAP unencrypted to be allowed, and vender specific radius standard.

Does anyone know why this isn't working correctly? I feel this should be a simple configuration since it works without Duo.

Thanks,
Michael

chipcoit · ‎02-01-2022

I appreciate your reply- yesterday we resolved the issue. As I mentioned we set up a firewall group with a remote server of our domain controller (LDAP.) We followed the documentation on Duo's end and ended up making an LDAP Proxy application connection instead of the Radius/NPS setup. Once the LDAP proxy application was configured we then modified the duo proxy server's auto-config file to reflect LDAP authentication.

Duo LDAP Proxy:

Create application
Set Username normalization to simple.

Proxy Config:

; Domain Controllers (LDAP-PROXY FOR VPN).
[ad_client2]
host=10.*.*.*
host_2=10.*.*.*
service_account_username=duo
service_account_password=**********
search_dn=DC=******,DC=local

[ldap_server_auto]
client=ad_client2
ikey=******************
skey=******************
api_host=**************
failmode=safe
exempt_ou_1=CN=duo,OU=ServiceAccounts,OU=****,DC=********,DC=Local
exempt_primary_bind=false

Firewall Change:

Add Duo Proxy servers under User & Authentication> LDAP Servers
Go into the firewall user group. Make sure only the Duo Proxy LDAP connection is listed under Remote Server.
Make sure the firewall group is correctly set under Authentication/Portal Mapping.
Create your SSL to Inside/Outside/All policies using the firewall group.
config system global
set remoteauthtimeout 90
end

This configuration cuts out NPS and allows LDAP to be used. Make sure you restart the proxy server after configuration changes. I hope this helps someone in the future looking for this as a sort of guide.

Reference Documents:

LDAP | Duo Security

2FA for Fortinet FortiGate SSL VPN and FortiClient with RADIUS Auto Push | Duo Security

View solution in original post

Debbie_FTNT · ‎02-01-2022

Hey Michael,

there are two issues here:

- For authentication, FortiGate expects a user trying to authenticate to be a member of ANY relevant group, not ALL

-> it is sufficient for your users to either authenticate via LDAP OR RADIUS, FortiGate does not expect them to authenticate via both

- FortiGate attempts to authenticate a user against any applicable server; in your case, it will send requests to both LDAP and RADIUS (Duo), and whichever server replies with a success first, that's the one it goes with. Since LDAP will reply with a success first (as Duo has to go through push notification), FortiGate will then discard the authentication attempt against Duo

-> see https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authent... for details on SSLVPN authentication

For your setup to work, you probably need something like this:
- all users authenticate via RADIUS (which in turn checks credentials against LDAP, I assume)
- Duo triggers push notification where appropriate and sends an Access-Accept to FortiGate if that is successful

-> remove the LDAP user groups from your SSLVPN setup to achieve this (this forces all users to be authenticated via RADIUS)
-> you might need to increase the remoteauthtimeout setting:
(#config global)

#config system global
#set remoteauthtimeout <in seconds>
#end

This is how long the FortiGate will wait for a response from an authentication server; by default 5 seconds. Given that push notification can take a bit longer, you might want to increase this to 30-60 seconds.
-> if you want to handle group memberships, you can define matches on FortiGate same as for LDAP groups. The FortiGate will expect a Fortinet-Group-Name attribute as VSA in the Access-Accept message, and match users into groups based on that attribute.

I hope that clears it up for you :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

chipcoit · ‎02-01-2022