FortiClient to FortiGate SSL-VPN using SMS 2FA via Azure MFA - group match not supported
I'm hoping someone will be able to advise me on a work around, or an alternative solution, to avoid the following limitations with Microsoft NPS Extension for Azure MFA (without having to implement a completely different solution!): https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36647266-mfa-nps-ext-support-for-network-policies-via-rad
For context, our customer originally had a FortiClient to FortiGate SSL VPN that utilized LDAP authentication, allowing different levels of network access depending on AD user group membership.
Our customer subsequently moved their AD into Azure cloud and introduced Azure MFA.
Our customer now wants to integrate the existing SSL VPN to with their Azure MFA for 2-factor authentication.
We followed the following Cookbook document to successfully implement this: https://docs.fortinet.com/document/fortigate/6.2.0/azure-cookbook/517582/configuring-forticlient-vpn-with-multifactor-authentication
For the existing network access based on AD user group membership to work, the NPS server (RADIUS) had to send RADIUS attributes for group membership back to the FortiGate with the Access-Accept. This was achieved using Network Access Policies on the NPS server.
This works exactly how we want when using Push Notification or Phone Call 2FA methods (via Microsoft Authenticator App).
Unfortunately our customer has tried to use the SMS and passcode (MS Authenticator App) methods and reported it didn't work. After looking into it and doing much debugging/testing:
1) The user authentication with 2FA part works as the NPS server returns an Access-Challenge to the FortiGate, which opens a 2FA prompt in FortiClient, then an Access-Accept response when the 2FA authentication is successful.
2) Because the NPS server doesn't return any RADIUS attributes, the SSL VPN connection fails as there is no group matched to the one configured on the FortiGate.
As it stands we will need to go back to our customer and advise them to use only Push/Phone 2FA methods. However, it would be great if we could provide an acceptable workaround or alternative.
I have no experience using FortiAuthenticator, but was wondering if this can be integrated with Azure MFA as an alternative to using the NPS server/extension?
Sorry for the long post and many thanks in advance for any help.