Microsoft Azure MFA Server and Fortigate SSL-VPN

Author: gareth@IQ (New Member)
2018/07/11 05:05:19 (permalink)

Hi! 
 
First time posting and really hoping that someone tells me I'm an idiot, and the solution's really simple... 
 
I'm trying to use Microsoft's Azure MFA Server product to add multi-factor authentication to our Fortigate SSL-VPN. 
 
The way I have it set up is:
LOGIN REQUEST TO FG -> RADIUS TO MFA -> MFA PROXIES REQUEST TO RADIUS SERVER
This is the way that Microsoft says I should have it set up.
 
If I substitute the MS VPN solution in place of the Fortigate, it works fine. 
If I take MFA server out of the equation, it works as it should. 
 
However - if I have it set up as I need it to be, the Fortigate denies the login, stating that it can't find the user. Yet the identical username without the MFA server works fine... 
 
I've Wireshark'd the RADIUS packets from both the vanilla RADIUS server and from the MFA server, and they're identical apart from the individual packet identifiers. I've used the packet sniffer in the Fortigate itself to check that they're arriving intact, which they are. The ONLY thing I can find that's actually wrong is that the Fortigate seems to just ignore the RADIUS Access-Accept packet. Yet I can't find any record of that happening.
 
To stop me further losing my sanity, has anyone else come across this, or does anyone have any ideas at all? 
 
Thank you so much in advance!
#1


    xsilver (Expert Member, EMEA)
    Re: Microsoft Azure MFA Server and Fortigate SSL-VPN 2018/07/18 07:18:05 (permalink)
    Hi,
    I haven't crossed the Azure waters, yet.
    But I have seen quite a few RADIUS backends to FGT.
     
    If I got it correctly, then the FGT sends a RADIUS Access-Request to Azure (it is supposed to be proxied to some other RADIUS server deeper in the structure) and the FGT should get an Access-Accept (if auth succeeded) or Access-Reject (if failed) or Challenge-Request (if there is something like a password change needed or 2FA).
     
    I'd suggest checking on the FGT what the auth content is and how it's processed.
    Basically any remote auth on the FGT should trigger the fnbamd daemon, which should handle the communication with the auth server.
    So SSH to the CLI and log all output, then ...
     
    # prepare: record firmware/device state and the RADIUS server + user group config under test
    get sys stat
    show user radius
    show user group
     
    # clear any previous debug settings, then trace the remote-auth daemon (fnbamd) at maximum verbosity
    diag debug reset
    diag debug console timestamp enable
    diag debug app fnbamd 7
    diag debug enable
     
    # sniff RADIUS traffic (auth 1812, accounting 1813) on any interface: verbose 6, unlimited count, absolute timestamps
    diag sniff pack any 'port 1812 or 1813' 6 0 a
     
    # test auth
    # then after one test Ctrl-C to terminate the sniffer, save the output and check that.
     
    # cleanup: stop debug output once the capture is saved
    diag debug disable
    diag debug reset
     
    What was the result from fnbamd?
    What was the returned RADIUS response (Accept or Reject or Challenge)?
    If it was Accept but you were not allowed through, then there were probably other conditions you haven't met, like the group match. The fnbamd debug should tell you more.
    Is there a group match set in the group?
    If so, did the Access-Accept received by the FGT contain the AVP Fortinet-Group-Name?
    If not, that's the fail. If yes, does the content of the AVP exactly match the string in the group match set in the firewall user group?
     
    I'd start with the above-mentioned basic checks.
     

    Kind Regards,
    Tomas
    #2
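To make the checks Tomas lists concrete, here is an added example (not code from this thread, from Fortinet or from Microsoft) that models what a NAS does with a proxied Access-Accept: verify the Response Authenticator against the shared secret, then look for a Fortinet-Group-Name VSA (Fortinet vendor ID 12356, vendor attribute 1) and compare it with the configured group match. The packet layout follows RFC 2865; the shared secret, Request Authenticator and group name used in the sample are constructed for the demonstration.

```python
import hashlib
import struct

ACCESS_ACCEPT, ATTR_VENDOR_SPECIFIC = 2, 26
FORTINET_VENDOR_ID = 12356   # Fortinet's enterprise number in the Fortinet RADIUS dictionary
FORTINET_GROUP_NAME = 1      # vendor attribute type of Fortinet-Group-Name

def build_access_accept(ident, request_auth, secret, group_name):
    """Constructed sample Access-Accept carrying one Fortinet-Group-Name VSA (RFC 2865 layout)."""
    inner = bytes([FORTINET_GROUP_NAME, 2 + len(group_name)]) + group_name.encode()
    vsa = struct.pack("!I", FORTINET_VENDOR_ID) + inner
    attrs = bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def fortinet_group_names(packet):
    """Walk the attribute list and return every Fortinet-Group-Name string it carries."""
    names, pos, length = [], 20, len(packet)
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        # only Vendor-Specific attributes whose Vendor-Id is Fortinet are of interest
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4 or struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        vpos = 4                                   # vendor sub-attributes: type, length, data
        while vpos + 2 <= len(value):
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                break
            if vtype == FORTINET_GROUP_NAME:
                names.append(value[vpos + 2:vpos + vlen].decode(errors="replace"))
            vpos += vlen
    return names

def nas_decision(packet, request_auth, secret, group_match=None):
    """NAS-side checks in order: length sane, authenticator verifies, code is Accept, group matches."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "dropped"       # short or inconsistent length field: discarded before anything else
    if packet[4:20] != hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest():
        return "dropped"       # wrong shared secret or altered packet: silently discarded, no Reject sent
    if packet[0] != ACCESS_ACCEPT:
        return "rejected"
    if group_match is not None and group_match not in fortinet_group_names(packet):
        return "denied"        # Accept arrived, but no Fortinet-Group-Name equals the group match string
    return "accepted"
```

Note the two silent outcomes: a secret mismatch is dropped without any RADIUS reply, and an Accept whose VSA does not equal the group match string is denied even though the sniffer shows an Access-Accept arriving intact.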
    gareth@IQ (New Member)
    Re: Microsoft Azure MFA Server and Fortigate SSL-VPN 2018/07/18 08:59:54 (permalink)
    I want to say a whole load of words that would 100% trip the profanity filter. 
    Without a word of a lie, I've worked on this for days - done everything I can think of, and got absolutely nowhere. 
     
    I SSH into my test box today, type the diag commands you suggested, and try logging in via SSL VPN. 
     
    Only goes and works... 
     
    Going to ask our hosted firewall guys nicely to try again their side and will shout profusely at it, should it decide to show me up and b****y work! 
     
    Thanks for the help :) 
    post edited by Admin_FTNT - 2018/07/18 09:02:15
    #3
    xsilver (Expert Member, EMEA)
    Re: Microsoft Azure MFA Server and Fortigate SSL-VPN 2018/07/19 05:22:59 (permalink)
    glad to see it's "auto-magically resolved" :-D

    Kind Regards,
    Tomas
    #4
    Nitr0 (New Member)
    Re: Microsoft Azure MFA Server and Fortigate SSL-VPN 2019/05/01 19:05:44 (permalink)
    I'm trying to set a lab up with a similar configuration between FortiGate, Windows NPS, and Azure MFA. Is there a good guide for the Azure MFA interaction with the FortiGate?
    #5
    msaraiva (New Member)
    Re: Microsoft Azure MFA Server and Fortigate SSL-VPN 2019/05/29 11:52:38 (permalink)
    Quoting Nitr0:
        I'm trying to set a lab up with a similar configuration between FortiGate, Windows NPS, and Azure MFA. Is there a good guide for the Azure MFA interaction with the FortiGate?

    I have SSL VPN authentication with Azure MFA working (2nd factor through app confirmation). You can use the guide here https://docs.microsoft.com/en-ca/azure/active-directory/authentication/howto-mfa-nps-extension-vpn for the config. It uses the NPS extension for Azure, so no MFA server on-premises is required.
     
     
    #6