Re: Microsoft Azure MFA Server and Fortigate SSL-VPN
I haven't crossed the Azure waters, yet.
But I have seen quite a few RADIUS backends to FGT.
If I got it correctly, then FGT sends a RADIUS Access-Request to Azure (it is supposed to be proxied to some other RADIUS server deeper in the structure) and FGT should get Access-Accept (if auth succeeded), Access-Reject (if failed) or Challenge-Request (if there is something like a password change needed or 2FA).
I'd suggest checking on the FGT what the auth content is and how it's processed.
Basically any remote auth on FGT should trigger the fnbamd daemon, which should handle the communication with the auth server.
So SSH to the CLI and log all output, then ...
get sys stat
show user radius
show user group
diag debug reset
diag debug console timestamp enable
diag debug app fnbamd 7
diag debug enable
diag sniff pack any 'port 1812 or 1813' 6 0 a
# test auth
# then after one test Ctrl-C to terminate sniffer, save the output and check that.
What was the result of the fnbamd?
What was the returned RADIUS response (Accept, Reject or Challenge)?
If it was Accept but you were not allowed through, then there were probably other conditions you haven't met, like group match. Debug of fnbamd should tell you more.
Is there a group match set in the group?
If so, did the Access-Accept received by FGT contain the AVP Fortinet-Group-Name?
If not, that's the fail. If yes, is the content of the AVP exactly matching the string in the group match set in the firewall user group?
I'd start with the above-mentioned basic check.
Tom xSilver, planet Earth, over and out!
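To illustrate the RADIUS-side check described in the reply above (Accept/Reject/Challenge code, then presence and exact match of the Fortinet-Group-Name AVP), here is an added example parser that is not part of the original post or of any FortiGate tooling. It assumes the standard RADIUS layout (RFC 2865 header and Vendor-Specific attribute 26), the Fortinet vendor ID 12356 with Fortinet-Group-Name as vendor sub-type 1, and builds a constructed sample packet rather than reading a real sniffer capture.

```python
import struct

# RADIUS packet codes relevant to the reply (RFC 2865).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
FORTINET_VENDOR_ID = 12356   # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1      # Fortinet VSA sub-type carrying the group string
VENDOR_SPECIFIC = 26         # standard RADIUS attribute type for VSAs


def parse_radius(packet: bytes):
    """Return (code name, list of Fortinet-Group-Name values) found in one RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("truncated RADIUS packet")
    groups = []
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == FORTINET_VENDOR_ID and vtype == FORTINET_GROUP_NAME and vlen >= 2:
                groups.append(value[6:4 + vlen].decode("utf-8", "replace"))
        pos += alen
    return RADIUS_CODES.get(code, f"code-{code}"), groups


def check_group_match(packet: bytes, expected_group: str):
    """Mirror the decision the reply describes: Accept AND an exactly matching group string."""
    code_name, groups = parse_radius(packet)
    if code_name != "Access-Accept":
        return False, f"{code_name}: authentication did not succeed"
    if not groups:
        return False, "Access-Accept without Fortinet-Group-Name AVP"
    if expected_group in groups:   # exact, case-sensitive comparison
        return True, f"Fortinet-Group-Name matches '{expected_group}'"
    return False, f"Fortinet-Group-Name {groups} does not match '{expected_group}'"


def build_response(code: int, group=None) -> bytes:
    """Constructed sample packet for testing (not a real capture); authenticator is zeroed."""
    attrs = b""
    if group is not None:
        vsa = struct.pack("!I", FORTINET_VENDOR_ID) + bytes([FORTINET_GROUP_NAME, 2 + len(group)]) + group.encode()
        attrs += bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + b"\x00" * 16 + attrs
```

Feed the raw UDP payload of the server's reply from the sniffer output to check_group_match together with the group-match string configured in the firewall user group; a False result names which of the three conditions failed.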