Hi All,
We are trying to figure out if we can use YubiKeys with FortiGate SSL VPN for 2FA without the FortiAuthenticator?
YubiKeys support FIDO, OAuth...
Now we do need FortiAuthenticator; can we use the cloud version?
thank you :)
Hello @machine2389
We are trying to figure out if we can use YubiKeys with FortiGate SSL VPN for 2FA without the FortiAuthenticator? ---> Is this a Question?
Now we do need FortiAuthenticator; can we use the cloud version? ---> Are you interested in a public or private cloud environment?
BR
Hey, thank you for the reply. I have just got confirmation from FortiGate that only the FortiAuth VM supports it.
Hi, FortiGate itself does not support FIDO2, or any other third-party 2FA (FGT directly supports only FortiToken, email, SMS).
For FIDO2, the best match is SAML, already supported by FortiGate. The 2FA will be done and managed on the IdP side; the FortiGate has no awareness of what happens there. FortiAuthenticator can be used as the SAML IdP, or any other standard SAML implementation can.
Another option with YubiKeys is HOTP (like FortiToken, but hash-counter-based, not time-based). This is supported by FortiAuthenticator (=> RADIUS, SAML), or potentially other third-party RADIUS/SAML service providers. (configuration guide)
Lastly, if you consider client-certificates as a valid "second factor", you can store those on Yubikeys as well and use them for authentication to SSL-VPN (or IPsec).
Great thanks :)
We will use the FortiAuthenticator to import the YubiKeys using HOTP. Do you know if we can use FortiAuthenticator Cloud for the import or stick with the VM?
If you mean FortiTrust Identity, which uses a Fortinet-managed cloud instance of FAC - I am not 100% sure. The option needs to be enabled in a special debug /url/path, not sure if it is available there.
With that said, I see it mentioned in fixed issues (https://docs.fortinet.com/document/fortitrust-id/latest/fortitrust-identity-23-2-a-release-notes/737... - "Using Yubikey as OTP second factor increases drift/counter unexpectedly"), which suggests compatibility.
Otherwise FAC Cloud is just a regular self-managed FAC VM running in public cloud, so Yubikeys will work with it.
Understood
Thank you for the valuable responses.
Copyright 2024 Fortinet, Inc. All Rights Reserved.