Chained token authentication with remote RADIUS server

Author
Daniel _
2018/09/19 06:48:19 (permalink)

So, I have a bit of a dilemma. The FortiAuthenticator does a good job in authenticating and all, and I am trying to increase the OTP possibilities by introducing chained authentication from the same RADIUS source.

I have a RADIUS source that I would like to use for chained auth, but this source is already set up (with IP) doing AD authentication with OTP forced.

If I change the setting to chained authentication, the FortiAuthenticator will require two OTPs; this is not what I want.
If I remove the force and set it to apply two-factor if available, the user with no token will get forwarded to the chained auth and all is good. However, users that have a token will still get both OTPs as a requirement.

So the question quickly becomes: is there a way to mix these settings?
 
#1

    xsilver_FTNT
    Re: Chained token authentication with remote RADIUS server 2018/09/19 07:47:37 (permalink)
    Well, I'm a bit confused.
    It seems to me you already have 2FA via OTP (probably on FortiAuthenticator {FAC} and so probably via FortiToken of some sort), and now you want to get rid of 2FA on FAC because you desperately want to use 'chained' authentication to the source which now offers OTP 2FA as well?
    Sorry, but this makes little sense to me, unless you do not have tokens for all users on FAC, so you would need to acquire (purchase) some, and that other source offers tokens cheaper or for free.

    So how about setting that source up with a secondary IP to be able to define it as a possible source for chained auth?
    And then how about distinguishing between users who will use 2FA from FAC and those who use the other OTP source, all that via, for example, a group membership filter in the RADIUS Client, or via RADIUS Client profiles.
    Or disable even the possible use of 2FA on FAC, even if the user has a token, and move all the users to that other OTP source and do the chaining for all of them.
    Or simplify your life by purchasing a bundle of FortiToken Mobile tokens and extend what you already have ready, tested and working.
    There certainly are possibilities.

    Kind Regards,
    Tomas
    #2
    Daniel _
    Re: Chained token authentication with remote RADIUS server 2018/09/20 00:23:44 (permalink)
    The FortiAuthenticator does a good job in AD Authentication, supporting password change over FortiClient and other neat things, the FortiToken Mobile works well and all that goodness.
     
    What it does not do well is supporting third-party tokens (except for YubiKey in TOTP mode), and this would be good to have in my case, as there are already a bunch of token variants present in the organisation.

    I sorted it with different profiles on the RADIUS Clients, some realms doing chained auth and the others not.
    #3
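    As an added illustration of the three settings discussed in this thread (this is example code, not part of any post above and not FortiAuthenticator's actual decision logic; the profile names "force", "if_available" and "off" and the realm-to-profile mapping are assumptions), a small model of which OTP prompts a login hits under a single shared profile versus per-realm profiles:

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class User:
    name: str
    has_fac_token: bool  # FortiToken provisioned on FAC
    realm: str           # realm the RADIUS client maps this login to


@dataclass
class Profile:
    otp: str             # "force", "if_available" or "off" (assumed names)
    chained: bool        # also forward to the remote RADIUS source for its OTP


def otp_prompts(user: User, profile: Profile) -> list[str]:
    """OTP prompts a login hits under one profile (simplified model, not FAC logic)."""
    if profile.otp == "force" and not user.has_fac_token:
        return ["rejected"]            # forced 2FA but no token to verify it with
    prompts = []
    if profile.otp != "off" and user.has_fac_token:
        prompts.append("fac-otp")      # local FortiToken OTP
    if profile.chained:
        prompts.append("remote-otp")   # second OTP from the chained RADIUS source
    return prompts


def login(user: User, profiles: dict[str, Profile]) -> list[str]:
    """Per-realm profiles: only the realms that need chaining do it."""
    return otp_prompts(user, profiles[user.realm])


# Constructed users: one with a FortiToken, one relying on a third-party token
alice = User("alice", True, "fac")
bob = User("bob", False, "thirdparty")

# One profile for everyone: the two settings the opening post tried
FORCE_CHAINED = Profile("force", True)          # everyone gets two OTPs or is rejected
AVAIL_CHAINED = Profile("if_available", True)   # token holders still get two OTPs

# Per-realm profiles on the RADIUS client: each user gets exactly one OTP
PER_REALM = {"fac": Profile("force", False), "thirdparty": Profile("off", True)}

if __name__ == "__main__":
    for u in (alice, bob):
        print(u.name, otp_prompts(u, FORCE_CHAINED), otp_prompts(u, AVAIL_CHAINED), login(u, PER_REALM))
```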
    rpedrica
    Re: Chained token authentication with remote RADIUS server 2019/07/27 00:38:59 (permalink)
    @Daniel Could you give an example of your config for chained auth?
    #4
    emnoc
    Re: Chained token authentication with remote RADIUS server 2019/07/27 00:47:56 (permalink)
    We've done it by realm also and used an authenticator like Duo.
     
    http://socpuppet.blogspot.com/2017/05/fortigate-sslvpn-and-multiple-realms.html
    http://socpuppet.blogspot.com/2017/04/securing-fortigate-sslvpn-with-mfa-by.html
    https://duo.com/docs/fortinet
     
    We had the same issue until we made everybody Duo, a mix of authenticators in a single organization. Also, what I'm seeing now is the need to support 3rd-party consultants/contractors who might not be in the MS-AD domain and require MFA via TOTP.
     
    With realms you can easily support all of these needs for SSLVPN.
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #5