I have successfully configured a Windows Native L2TP connection, but the user account I have setup is supposed to provide a Fortitoken MFA when connecting. For some reason, the prompt isn't asked for so the user can connect and then access both internal and external resources. I know I have seen guides on here for SAML configurations with AzureAD/EntraID, but I'm having a hard time finding ones with FortiToken MFA requirements. Anyone got a link?
Edit to Add: No, I cannot use FortiClient because it isn't supported on ARM64 devices (CoPilot+ PC for this user), so it needs to be with the Windows Native L2TP connection... forgot that in the original post.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
L2TP comes after PPTP, a protocol that does not provide security features such as Encryption or strong authentication. To accomplish this, it is combined with IPsec.
The combination of these two protocols is known as L2TP over IPsec.
Now the IPsec Remote Access is simply a host-to-host IPSec connection in tunnel mode.
That means MFA does not work with L2TP on Windows Native VPN.
To have MFA you may try to use FortiClient VPN only free version if you don't have a paid version of FortiClient.
Normally, I would agree with you, but as SAML authentication with M365 is supposedly working with the native windows L2TP client, I'm not sure that's correct. Again, I can't confirm, but even if that were the case and it works with FortiClient (not an option on an ARM64 device), that doesn't negate the fact that I can log into a device without MFA when it should be prompted for, using a Windows Native L2TP connection.
I will test another device tomorrow that is x64 to confirm if it asks for the MFA when using L2TP via Native or FortiClient, as it's entirely possible I have something misconfigured (though I followed the steps for my user account that's being pulled from LDAP and has been assigned a token).
I strongly recommend to open a TAC ticket to investigate this further, in detail.
I have no expectation of the native client supporting a two-step 2FA (ask for username+pwd first, then for OTP code) in its GUI for L2TP, but if we assume that the configuration is correct, the user being let through without a token is absolutely a security issue/bug.
unfortunately, I'm a homelab user that can't afford to keep up with the licensing needed for TAC support, so I won't be able to do that. I want to confirm that I have it setup correctly, hence why I asked for a guide using FortiToken vs. SAML with M365 as I don't have that option, either. As it sits right now, I have the Token assigned to my user account, and when I VPN in with L2TP using the Windows Native client (again, Forticlient is not possible as it's not available for ARM64), I am not prompted for 2FA, nor am I turned away.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1561 | |
1034 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.