Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: radius MFA
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
radius MFA
Hello guys! Got a bit confused with FG's auth process for remote ssl-vpn users. For now we have a simple LDAP/AD (w/o agent) based authentication for remote users and ACL based on AD group names, everything just works and works fine. Now I got the case that I have to implement MFA via an MS NPS(plus azure MFA) as a radius server (please don't ask why). I don't understand how to implement this transparently. Do I have to add all existing groups by name in the same way how I do this with LDAP into each ACL(that's could be long, but ok)? And how the FG knows in which group a user in ? What if the user is in several groups? So can anyone elaborate these moments ? I read this article , but it's still unclear https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-User-Groups-to-match-multiple-... AFAIK the FG gets the group name AVP from the radius server (MS-NPS) , but is it all groups for each client or like a first group per client ? Do we have to change settings on the client's side like for SAML or the 2FA string appears by default ?
Thanks for advices in advance!
the FOS is 7.4.7
Solved! Go to Solution.
Labels:
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Ivan90,
regarding VPN authentication in general: FortiGate checks all possible servers in parallel to ensure a speedy authentication. It it worked with priorities, it would have to wait for each individual server before trying the next.
FortiGate determines what servers to check based on the user groups set in the policies with SSL tunnel interface as source.
-> any server referenced in any group is fair game to check against
-> at this point FortiGate has no idea which server or group the user belongs to and doesn't filter
--> FortiGate can limit its authentication request to specific groups/servers if you configure SSLVPN realms, as outlined in the article linked above
Regarding the groups and matching conditions:
-> as long as you set 'Any' as match, then FortiGate only checks if the user is a member of the server (successful authentication), and does not check if the user is member of any specific group
-> if you set a specific string as match, then FortiGate expects to receive that string in the RADIUS server response (as Fortinet-Group-Name attribute by default)
-> you can find more details here: Technical Tip: How FortiGate determines group memberships from RADIUS responses
-> the NPS should return each group in an individual instance of the Fortinet-Group-Name (or Class or FilterID) attribute; so if a user is member of multiple groups, the NPS should send back an Access-Accept message with multiple occurrences of the Fortinet-Group-Name or Class or FilterID attribute
-> FortiGate can parse them, and match the user to multiple groups then
-> each group attribute sent by NPS needs an equivalent group object on FortiGate with the correct matching condition
--> if there is no corresponding group object on FortiGate, FortiGate simply ignores the attribute
Please let us know if you still have any questions!
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you considered using SAML instead? SAML is far more modern and a much better user experience than RADIUS/NPS.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know, I know, unfortunately for some reasons it's not acceptable for this exact case , so we have a radius NPS server only
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
FortiGate checks against all possible authentication servers in parallel to allow the fastest possible response time and prevent undue wait times during login. It does NOT check against secondary server IPs: these are only queried if no response has been observed from primary servers. FortiGate will check the secondary servers once the remote authentication timeout has been reached ('remoteauthtimeout' under 'config system global' in CLI).
Please check this kb, which clarifies how FortiGate handles Radius requests:
Tuli
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, FG does request for all possible available servers and methods , that is behaviour that I can't understand why they implement this, why without priorities and steps ? There are a lot of cases where people got confused. Could you explain how FG gets user's group participating in the case of Radius server? Especially if a user has more that 1 AD group? Thanks for the KB, will read.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
guys, it's still unclear should I select the option "any" in the creating group menu and exact group names will be delivered as a AVP value or create all AD groups with "specify" option ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Ivan90,
regarding VPN authentication in general: FortiGate checks all possible servers in parallel to ensure a speedy authentication. It it worked with priorities, it would have to wait for each individual server before trying the next.
FortiGate determines what servers to check based on the user groups set in the policies with SSL tunnel interface as source.
-> any server referenced in any group is fair game to check against
-> at this point FortiGate has no idea which server or group the user belongs to and doesn't filter
--> FortiGate can limit its authentication request to specific groups/servers if you configure SSLVPN realms, as outlined in the article linked above
Regarding the groups and matching conditions:
-> as long as you set 'Any' as match, then FortiGate only checks if the user is a member of the server (successful authentication), and does not check if the user is member of any specific group
-> if you set a specific string as match, then FortiGate expects to receive that string in the RADIUS server response (as Fortinet-Group-Name attribute by default)
-> you can find more details here: Technical Tip: How FortiGate determines group memberships from RADIUS responses
-> the NPS should return each group in an individual instance of the Fortinet-Group-Name (or Class or FilterID) attribute; so if a user is member of multiple groups, the NPS should send back an Access-Accept message with multiple occurrences of the Fortinet-Group-Name or Class or FilterID attribute
-> FortiGate can parse them, and match the user to multiple groups then
-> each group attribute sent by NPS needs an equivalent group object on FortiGate with the correct matching condition
--> if there is no corresponding group object on FortiGate, FortiGate simply ignores the attribute
Please let us know if you still have any questions!
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
god bless you mate! At last it's exact answer for my questions.
Thanks !
Created on 09-04-2025 06:38 AM Edited on 09-04-2025 11:04 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry, one more question: in the case with Radius\NPS + Azure MFA will we need to configure the client's side (like with SAML) or the 2FA field will pop up automatically ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Ivan,
if the NPS can send a challenge for the Azure MFA (I'm not sure tbh), then this can happen as part of RADIUS no problem; the possibility to challenge for token code in built into the RADIUS protocol and FGT can properly prompt the user for a token code if the RADIUS server demands one.
If you use push notification for your Azure MFA instead, then FortiGate isn't even involved; the NPS would only send back the Access-Accept message after push notification is completed, and the push/reply bypasses FortiGate entirely.
-> It basically depends on how the NPS loops in Azure MFA
-> please note that I've seen a few cases where NPS does NOT send group attributes if push notification/MFA is involved, which means FortiGate cannot match the user to groups based on the attributes
Cheers,
Debbie
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Labels
-
FortiGate
10,532 -
FortiClient
2,141 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
675 -
5.4
638 -
FortiSwitch
581 -
FortiAP
558 -
FortiClient EMS
553 -
6.0
416 -
IPsec
414 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
278 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
169 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
127 -
FortiCloud Products
116 -
FortiSIEM
112 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
74 -
SAML
71 -
DNS
71 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
68 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
SSID
25 -
Static route
25 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2561 | |
| 1357 | |
| 796 | |
| 650 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.