- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Chained token authentication with remote RADIUS se...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chained token authentication with remote RADIUS server
So, I have a bit of a dilemma, this is the fact that the Fortiauthenticator does a good job in authenticating and all and I am trying to increase the OTP possibilities by introducing the chained authentiaction from the same radius source.
I have a Radius source that I would like to use Chained Auth, but this source is already set up (with ip) doing AD authentication and OTP forced.
If I change the setting to chained authentiaction, the FortiAuthentiactor will require two OTPs, this is not what I want
If I remove the force and set it to apply two factor if available, the user with no Token will get forwarded to the chained auth and all is good. However users that have a token will still get both OTP as a requirement.
So the question quicklty becomes if there is a way to mix these settings?
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, I'm a bit confused.
It seems to me you already have 2FA via OTP (probably on FortiAuthenticator {FAC} and so probably via FortiToken of some sort), and now you want to get rid of 2FA on FAC because you desperately want to use 'chained' authentication to the source which now offer OTP 2FA as well ? Sorry but this make a little sense to me, unless you do not have tokens for all users on FAC, so you would need to acquire (purchase) some, and that other source offer tokens cheaper or for free.
So how about to set that source with secondary IP to be able to define it as possible source for chained auth?
And so how about to distinguish between users who will use 2FA from FAC and those who use the other OTP source, all that via for example group membership filter in RADIUS Client, or via RADIUS Client profiles. Or disable even possible use of 2FA on FAC, even if user has token, and move all the users to that other OTP source and do the chaining for all of them. Or simplify your life by purchasing a bundle of FortiToken Mobile tokens and extend what you already have ready, tested and working. There certainly are possibilities.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The FortiAuthenticator does a good job in AD Authentication, supporting password change over FortiClient and other neat things, the FortiToken Mobile works well and all that goodness.
What it does not do well is supporting third party Tokens (except for Yubikey in TOTP mode) and this would be good to have in my case as there are already a bunch of Token variants present in the Organisation.
I sorted it with different profiles on the Radius Clients, some realms doing chained auth and the others not
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Daniel Could you give an example of your config for chained auth?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We've done it by realm also and used authenticator like Dou
http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html
We had the same issue until we made everybody Duo, a mix of authenticators in a single Organization. Also what I' seeing now is the need to support 3rd party consultant|contractors who might not be in the MS-AD domain and requires MFA via TOTP.
With realms you can easily support all of these needs for SSLVPN.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- SSLVPN client certs and radius 20 Views
- Forticlient Radius Authentication Across IPSEC Tunnel 177 Views
- FSSO authentication fallback with flow-based policy 128 Views
- forti tunnel NPS 123 Views
- Fortclient VPN Client Linux - IPSEC... 305 Views
Labels
-
FortiGate
6,461 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
55 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.