Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- radius MFA
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
radius MFA
Hello guys! Got a bit confused with FG's auth process for remote ssl-vpn users. For now we have a simple LDAP/AD (w/o agent) based authentication for remote users and ACL based on AD group names, everything just works and works fine. Now I got the case that I have to implement MFA via an MS NPS(plus azure MFA) as a radius server (please don't ask why). I don't understand how to implement this transparently. Do I have to add all existing groups by name in the same way how I do this with LDAP into each ACL(that's could be long, but ok)? And how the FG knows in which group a user in ? What if the user is in several groups? So can anyone elaborate these moments ? I read this article , but it's still unclear https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-User-Groups-to-match-multiple-... AFAIK the FG gets the group name AVP from the radius server (MS-NPS) , but is it all groups for each client or like a first group per client ? Do we have to change settings on the client's side like for SAML or the 2FA string appears by default ?
Thanks for advices in advance!
the FOS is 7.4.7
Solved! Go to Solution.
Labels:
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Ivan90,
regarding VPN authentication in general: FortiGate checks all possible servers in parallel to ensure a speedy authentication. It it worked with priorities, it would have to wait for each individual server before trying the next.
FortiGate determines what servers to check based on the user groups set in the policies with SSL tunnel interface as source.
-> any server referenced in any group is fair game to check against
-> at this point FortiGate has no idea which server or group the user belongs to and doesn't filter
--> FortiGate can limit its authentication request to specific groups/servers if you configure SSLVPN realms, as outlined in the article linked above
Regarding the groups and matching conditions:
-> as long as you set 'Any' as match, then FortiGate only checks if the user is a member of the server (successful authentication), and does not check if the user is member of any specific group
-> if you set a specific string as match, then FortiGate expects to receive that string in the RADIUS server response (as Fortinet-Group-Name attribute by default)
-> you can find more details here: Technical Tip: How FortiGate determines group memberships from RADIUS responses
-> the NPS should return each group in an individual instance of the Fortinet-Group-Name (or Class or FilterID) attribute; so if a user is member of multiple groups, the NPS should send back an Access-Accept message with multiple occurrences of the Fortinet-Group-Name or Class or FilterID attribute
-> FortiGate can parse them, and match the user to multiple groups then
-> each group attribute sent by NPS needs an equivalent group object on FortiGate with the correct matching condition
--> if there is no corresponding group object on FortiGate, FortiGate simply ignores the attribute
Please let us know if you still have any questions!
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
- « Previous
-
- 1
- 2
- Next »
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mate, one more question: is it "normal" logic by design that the FG works with MS_NPS expecting the whole list of VSA group attributes? Also from the https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-and-Microsoft-NPS-Ra... there is a line "If the user is not a member of at least one group, authentication fails." But in the enterprise world it's more than ok when a user is member of just several groups from of a list. Or fortinet follows the logic like "it's a 3rd party radius and we work with just any answer that's received from the radius" ? Can this list can be dynamic from the MS side? It looks like it's 2 different logic when you work with LDAP and Radius. Is it possible that the NPS (radius) is used for Auth process only and the group list from AD is used via LDAP? Will the FG be able to match a radius authenticated user with LDAP's groups for ALCs ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Ivan,
- on FortiGate, if you create a group and add a remote RADIUS, you can define a match
- if this is configured, FortiGate will only consider any authenticating user a member if the response from RADIUS server contains that same matching string in the group attribute (no matter if NPS or FortiAuthenticator or Duo or whatever)
- you can also leave the match blank
-> then FortiGate does not care what attributes the RADIUS server sends, only that authentication is successful; if successful, the user is considered a member of the group
- the FortiGate does not need to receive EVERY group membership as an attribute
- but it does need to receive the attributes to ensure the user matches into the groups configured on FortiGate
- what attributes (group info) you need NPS to send depends entirely on the groups you have configured on FortiGate and where and how you use them
- in general, it's sufficient for FortiGate is the user is member of ANY relevant group (any of the groups set in policy/VPN configuration/etc), and it's not required for a user to be member of ALL
--> essentially: if you want a user to match a specific policy that requires a specific group membership, make sure that group info is included in RADIUS response as well. Do this for EVERY policy you want the user to potentially match to know what group memberships the FortiGate needs to learn about
- regarding your question on using AD for group information instead: No, you can't mix them. FortiGate relies on the authentication server that verified the user credentials to also provide group information
(you could technically get around this by importing the user to FortiGate, that is, creating a local user of type 'remote RADIUS', and adding that local user to whatever groups on FortiGate, then group info from RADIUS is irrelevant, but that scales very badly in large environments)
Hope this helps!
Cheers,
Deborah
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
- « Previous
-
- 1
- 2
- Next »
Labels
-
FortiGate
10,532 -
FortiClient
2,141 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
675 -
5.4
638 -
FortiSwitch
581 -
FortiAP
558 -
FortiClient EMS
553 -
6.0
416 -
IPsec
414 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
278 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
169 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
127 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
74 -
SAML
71 -
DNS
71 -
Fortivoice
70 -
VLAN
70 -
FortiEDR
68 -
FortiADC
68 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
SSID
25 -
Static route
25 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2561 | |
| 1357 | |
| 796 | |
| 650 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.