- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Microsoft Azure MFA Server and Fortigate SSL-VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Microsoft Azure MFA Server and Fortigate SSL-VPN
Hi!
First time posting and really hoping that someone tells me I'm an idiot, and the solution's really simple...
I'm trying to use Microsoft's Azure MFA Server product to add multi-factor authentication to our Fortigate SSL-VPN.
The way I have it set up, is:
LOGIN REQUEST TO FG -> RADIUS TO MFA -> MFA PROXIES REQUEST TO RADIUS SERVER
Which is the way that Microsoft says that I should have it set up.
If I substitute the MS VPN solution in place of the Fortigate, it works fine.
If I take MFA server out of the equation, it works as it should.
However - if I have it set up as I need it to be, the Fortigate denies the login, stating that it can't find the user. Yet the identical username without the MFA server works fine...
I've wireshark'd the RADIUS packets from both the vanilla RADIUS server and from the MFA server, and they're identical sans the individual packet identifiers. I've used the packet sniffer in the Fortigate itself to check that they're arriving intact, which they are. The ONLY thing I can find that's actually wrong, is that the Fortigate seems to just ignore the RADIUS Access-Accept packet. Yet, I can't find any record of that happening.
To stop me further losing my sanity, has anyone else come across this, or does anyone have any ideas at all?
Thank you so much in advance!
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I haven't crossed the Azure waters, yet.
But I have seen quite a few RADIUS backends to FGT.
If I got it correctly then FGT sends RADIUS Access-Request to Azure (it is supposed to be proxied to some other RADIUS server deeper in the structure) and FGT should get Access-Accept (if auth succeeded) or Access-Reject (if failed) or Challenge-Request (if there is something like password change needed or 2FA).
I'd suggest to check on FGT what is the auth content and how it's processed.
Basically any remote auth on FGT should trigger fnbamd daemon which should handle the communication with auth server.
So SSH to CLI and log all output, then ...
# prepare
get sys stat
show user radius
show user group
diag debug reset
diag debug console timestamp enable
diag debug app fnbamd 7
diag debug enable
diag sniff pack any 'port 1812 or 1813' 6 0 a
# test auth
# then after one test Ctrl-C to terminate sniffer, save the output and check that.
What was the result of the fnbamd ?
What was returned RADIUS response (Accept or Reject or Challenge) ?
If it was Accept but you were not allowed through, then there were probably other conditions you haven't met like group match. Debug of fnbamd should tell you more.
Is there group match set in group ?
If so, did Access-Accept received by FGT contain AVP Fortinet-Group-Name ?
If not, that's the fail. If yes, is the content of the AVP exactly matching the string in group match set in firewall user group ?
I'd start with above mentioned basic check.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to say a whole load of words that would 100% trip the profanity filter.
Without a word of a lie, I've worked on this for days - done everything I can think of, and got absolutely nowhere.
I SSH into my test box today, type the diag commands you suggested, and try logging in via SSL VPN.
Only goes and works...
Going to ask our hosted firewall guys nicely to try again their side and will shout profusely at it, should it decide to show me up and b****y work!
Thanks for the help :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
glad to see it's "auto-magically resolved" :D
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to set a lab up with a similar configuration between FortiGate, Windows NPS, and Azure MFA. Is there a good guide for the Azure MFA interaction with the FortiGate?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nitr0 wrote:I'm trying to set a lab up with a similar configuration between FortiGate, Windows NPS, and Azure MFA. Is there a good guide for the Azure MFA interaction with the FortiGate?
I have SSL VPN authentication with Azure MFA working (2nd factor thru app confirmation). You can use the guide here https://docs.microsoft.com/en-ca/azure/active-directory/authentication/howto-mfa-nps-extension-vpn for the config. It uses the NPS extension for Azure, so no MFA server on-premises is required.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any pointers to the config on Fortigate itself for the above solution?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Related Posts
- Fortigate SSLVPN with DUO MFA -... 39 Views
- Automatically Ban Malicious Inbound IPs using... 201 Views
- FortiClient 7.2 - will not connect... 670 Views
- Trouble Receiving DHCP Packet Over S2S... 280 Views
- Issue on our FortClient EWS MSSQL$FCEMS 350 Views
Labels
-
FortiGate
6,507 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
71 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.