asapHO
New Contributor

Has anyone implemented a Two-Factor SSL-VPN Portal with RADIUS/Active Directory?

Hi community,

I'm unable to configure working two-factor authentication with my FortiGate unit. I have a working SSL-VPN Portal using either Windows Active Directory authentication (LDAP; username & password) or RADIUS OTP token authentication (using SafeNet Authentication Manager 8.2; username and one-time passcode). Right now I want to implement the Portal using both, LDAP authentication AND OTP (at the same time), so that a username and password combination cannot be cracked (that easily) using brute-force attacks.

Has anyone done this or something like this before?

Thanks for your feedback,

best regards

Jim_FH
New Contributor III

I have multi-factor authentication working with Microsoft's Multifactor app and 2012 Network Policy Servers, but not your specific combination. The fundamentals may be the same though.

We specify the MS MFA server as the RADIUS server in the FortiGate, and set up the NPS servers as RADIUS targets of the MS MFA server. Seems to work pretty well.

gsarica

We have it similar to Jim, basically:

Fortigate VPN portal -> Duo (RADIUS) Server -> AD Security Group -> Duo Notification -> Login

If you can point your Token server to use your AD server then you only need to point the Fortigate to the Token server.

emnoc
Esteemed Contributor III

Yes, many times, but with LDAP with SMS and/or email, or just FortiToken. The FortiToken is ideal since you don't have to worry about SMS and email relays or delays in the delivery of the OTP, or even failures in the delivery of the OTP.

just my acts

PCNSE
NSE
StrongSwan
boneyard
Valued Contributor

gsarica wrote:

If you can point your Token server to use your AD server then you only need to point the Fortigate to the Token server.

In my opinion this is the important part. You can't combine two auth servers on the FortiGate (one for username/password, one for username/token) to do this.

It will only work if your authentication server can deal with handling both in one go. So you send the token added to the password (or username) and the authentication server separates these and checks if both are valid. Or your RADIUS authentication server can do a RADIUS challenge after checking username/password, thereby getting the FortiGate to show a new field for the token.

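An added example, not code from any poster in this thread, that models the two server-side approaches boneyard describes: the RADIUS server either splits an OTP that the client appended to the password field, or answers the first Access-Request with an Access-Challenge carrying a State attribute so the FortiGate prompts for the token separately. The user records, OTP value and in-memory State store are constructed stand-ins for an AD bind and a token validator so the example runs offline.

```python
import hmac
import secrets

# Constructed sample credentials (stand-in for AD password check + OTP server).
USERS = {
    "alice": {"password": "Winter2024!", "otp": "482913"},
}
OTP_LEN = 6  # length of the one-time passcode appended to the password


def check_password(user, pw):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], pw)


def check_otp(user, otp):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["otp"], otp)


def auth_appended(user, field):
    """Mode 1: a single password field = AD password with the OTP appended."""
    if len(field) <= OTP_LEN:
        return "Access-Reject"
    pw, otp = field[:-OTP_LEN], field[-OTP_LEN:]
    pw_ok = check_password(user, pw)
    otp_ok = check_otp(user, otp)  # evaluate both so the response time is uniform
    return "Access-Accept" if (pw_ok and otp_ok) else "Access-Reject"


CHALLENGES = {}  # State attribute value -> username awaiting its OTP


def auth_challenge(user, field, state=None):
    """Mode 2: password first, then Access-Challenge with a State attribute;
    the client resends the OTP together with that State. Returns (code, state)."""
    if state is None:
        if not check_password(user, field):
            return "Access-Reject", None
        token = secrets.token_hex(16)       # opaque, single-use State value
        CHALLENGES[token] = user
        return "Access-Challenge", token
    pending = CHALLENGES.pop(state, None)   # State is consumed on first use
    if pending != user or not check_otp(user, field):
        return "Access-Reject", None
    return "Access-Accept", None
```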
flexyz
New Contributor

I am also using Duo Security and it works very well :)

Felix

ashmite
New Contributor

I have this working. We have Duo Security integrated for 2FA. Our RADIUS server also hosts the Duo Authentication Proxy. You create a RADIUS server entry, and add that to a user group and specify it on the VPN page. The user group gets added to the web portal/SSL authentication. And the group is also added to the policy rule for the VPN/Portal access. << This is key.

The RADIUS server determines if the user can authenticate (we use AD groups to allow/disallow remote access).

I'll see if I can dig out the relevant config sections.

 

flexyz
New Contributor

I have the same setup with Duo Proxy on a server with an LDAP group entry, but I don't understand what you mean with "And the group is also added to the policy rule for the VPN/Portal access. << This is key."

I have another thread where I want to have different AD groups for access to different servers, but have not yet solved that.

ashmite
New Contributor

Here is our policy for SSL VPNs.

config user radius
    edit "Duo Server"
        set server <snip>
        set secret ENC <snip>
        set timeout 240
        set radius-port 1812
        set auth-type pap
        set source-ip <snip>
    next
end

config user group
    edit "Duo SSL VPN"
        set member "Duo Server"
    next
end

config firewall policy
    edit 28
        set name "SSL to Internal"
        set uuid c074da74-a129-51e6-7534-ba952eec26a4
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "Internal" "Site1 Legacy" "Site2 External" "Site2 Legacy"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Duo SSL VPN"
    next
end

 

 

flexyz
New Contributor

With the GUI I can't see the "groups" definition, only from the CLI. Is this normal?

But great, I will try that :)
