SSL VPN 2FA/MFA without requiring an app?

Author
zeronet
2020/01/13 08:27:03 (permalink)

While researching, I see there are a few different ways to achieve this, but ideally I don't want the user to need an app on their phone.
 
I also want to utilize AD users and not create 'local' users.
 
Is it possible to do this by specifying the user's phone # in AD, or is creating the 'local' user a companion to the AD record?
 
Currently, I assign VPN access based on a Security Group in Active Directory.

    emnoc
    Re: SSL VPN 2FA/MFA without requiring an app? 2020/01/13 09:00:20 (permalink)
    SMS or even EMAIL MFA comes in handy, but you still need a phone though ;)
     
    https://cookbook.fortinet.com/sms-two-factor-authentication-ssl-vpn/
     
    About the AD and assignment of phone #, that would need further investigation, but you can test the above with a local account just to get a feel of it and then look at going to MSAD if you can figure it out or develop a solution. The other option would be using an open RADIUS platform (i.e. FreeRADIUS) where you can authenticate and use an OTP for the login. Again, no app.
     
    Why are you against a token generator app? It's probably 10x better than, let's say, email or SMS and does not increase any concerns on email or data or SMS usage charges.
     
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    Kenundrum
    Re: SSL VPN 2FA/MFA without requiring an app? 2020/01/13 09:00:39 (permalink)
    Onboard the FortiGate you have 3 native ways of doing multi-factor authentication. They used to all be available in the GUI, but have moved to CLI only. TLDR: the best method for MFA is generally regarded as token/app based, as the others can be intercepted.
    You have the FortiToken, which can be a hard token or an app on the phone. There is also the option for email and SMS. The SMS can use Fortinet's built-in SMS gateway, which is an extra license add-on, or manual SMS gateway entries.
     
    You can set local or remote (LDAP, RADIUS, etc.) users up with MFA using this method. Example CLI is below:
    config user local
    edit "testuser"
    set type password <-- this is where you could change to LDAP or RADIUS
    set two-factor email  <-- or set two-factor sms, or fortitoken
    set email-to "testuser@whatever.com"
    next
    end
     
    You would set up the carrier SMS gateways using "config system sms-server". For example, if your email-to-SMS address is 8005551234@sms.carrier.com, then you would create a new entry in sms-server for Carrier with an address of sms.carrier.com. The FortiGate would send an email to that address, which would arrive as a text message to the user.
     
    However, in general it is best to use a token-based MFA solution where the information is not directly transmitted from the source to the user. Determined attackers have demonstrated methods to intercept MFA messages sent in this way. Many third-party MFA providers like Duo and Okta provide methods to integrate with various devices, including FortiGates, in a more secure manner that also makes the user experience better than what the FortiGate can provide on its own.

    NSE4
    Some FGT500Es, 500Ds, 60Ds at work
    FWF60E, FWF80CM at home
    emnoc
    Re: SSL VPN 2FA/MFA without requiring an app? 2020/01/13 09:08:20 (permalink)
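The original question was how to avoid hand-creating a local entry per AD user when the phone number already lives in AD. Following the approach in the reply above (a local user of type LDAP with two-factor SMS and a custom sms-server), here is an added example, not from the thread or from Fortinet, that generates those CLI stanzas from a constructed AD group export. The LDAP server name, sms-server name and the CSV columns are assumptions; users without a mobile number are skipped rather than created without a second factor.

```python
import csv
import io
import re

# Constructed sample export of an AD security group (e.g. Get-ADGroupMember piped
# to Export-Csv with the 'mobile' attribute). Not real accounts or numbers.
AD_EXPORT = """sAMAccountName,mobile
jsmith,+1 (401) 555-0143
mjones,401-555-0198
ablake,
"""

LDAP_SERVER = "AD-LDAP"   # assumed name of the existing 'config user ldap' entry
SMS_SERVER = "Carrier"    # assumed name of the 'config system sms-server' entry
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def normalize_phone(raw):
    """Keep digits only; the email-to-SMS gateway wants a bare number."""
    digits = re.sub(r"\D", "", raw or "")
    return digits or None


def build_user_stanzas(ad_csv):
    """Return (cli_text, skipped_names) for a FortiOS 'config user local' block."""
    lines = ["config user local"]
    skipped = []
    for row in csv.DictReader(io.StringIO(ad_csv)):
        name = row["sAMAccountName"].strip()
        if not SAFE_NAME.match(name):
            # Refuse names that could break out of the quoted CLI argument.
            raise ValueError(f"unsafe account name: {name!r}")
        phone = normalize_phone(row.get("mobile"))
        if not phone:
            skipped.append(name)  # no mobile in AD: do not create an MFA-less user
            continue
        lines += [
            f'    edit "{name}"',
            "        set type ldap",
            f'        set ldap-server "{LDAP_SERVER}"',
            "        set two-factor sms",
            "        set sms-server custom",
            f'        set sms-custom-server "{SMS_SERVER}"',
            f'        set sms-phone "{phone}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines) + "\n", skipped
```

The skipped list is the report to hand back to the AD admins before the config is pasted in, so nobody lands in the VPN group with password-only access.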

    config user local
    edit "testuser"
    set type password <-- this is where you could change to LDAP or RADIUS
    set two-factor email  <-- or set two-factor sms, or fortitoken
    set email-to "testuser@whatever.com"
    next
    end

     
    Do you know if it's possible to do this without adding local users to the FortiGate? And defining the MFA type? Here's an example: a big org with 200+ users in a VPN group, you probably do not want to add 200+ local accounts. I do agree using SMS/EMAIL in this day and age is not wise or prudent, imho.
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  