Duo MFA FortiGate
11/11/2023

We have a number of vendors who require remote access to VLANs on our network to provide support for gear hosted on those VLANs. We need to limit each vendor to only be able to access the VLAN(s) to which they provide support. I have this working by setting up a different RADIUS server on our FortiGates for each VPN portal and using a different NAS IP configured on each RADIUS server defined on the FortiGate. The RADIUS server definitions all have the same target RADIUS server (IP), but the NAS IP line is different in each RADIUS server definition on the FortiGate. The RADIUS request then hits our Microsoft NPS server, and I have a different policy for each NAS IP that matches a given AD user group for that vendor to the correct NAS IP. Hence a given vendor can only log into their portal.

Now we need to add MFA for the vendors to access our SSL-VPN. Duo was already chosen (by other groups and for other uses), but the problem is (as far as I know) that the Duo portal only supports AD group membership to one AD group per Duo proxy. So I would have to put all the vendor AD accounts into the same group, which would allow them to log into any VPN portal we have defined, even our internal one, which would give them full access to our internal network.

Does anyone know of a way with Duo to have each login attempt to each SSL-VPN portal be authenticated against group membership specific to that portal, which scales and doesn't require a different Duo proxy for each group of SSL-VPN users? The only other option would be to have a different Duo proxy server for each vendor group, and we have over 12 vendors currently with expectations to grow that to 20-40 or more. I have not worked extensively with FortiToken, but I don't believe this would be supported for that either, as I don't see a way to configure multiple policies each with its own group membership.

Does anyone know of any MFA solutions which would allow this? So users from ACME can only authenticate to , and not , or even just . The MFA solutions I've worked with all work pretty much the same as Duo, where either a proxy or cloud-hosted RADIUS server is configured to check membership in just one AD group, or list of groups. I don't know of any that would check for membership in one of several groups based on some parameter you pass like NAS IP, or some other VSA.

I can't really speak about the Duo side, I have no experience with that, but you could leverage FortiAuthenticator and SSL-VPN realms.
> You can set up FortiAuthenticator to apply different RADIUS policies based on the NAS IP identifier FortiGate can send
> you can use SSL-VPN realms on FortiGate to force particular URLs (and portals and groups) for users

You could also do a setup something like this:
> use a FortiAuthenticator (or different RADIUS server) with one authentication policy
> make sure that when users authenticate, the Access-Accept contains a 'Fortinet-Group-Name' attribute based on AD group membership
> you can map that Fortinet-Group-Name to multiple user groups on FortiGate
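To make the two designs discussed in this thread concrete, here is an added example that is not from the original post, the reply, or from Fortinet, Duo or Microsoft: a small Python model of the RADIUS decision. The NAS IPs, portal names, account names and AD group names are constructed for the example. The per-portal policy keys on NAS-IP-Address the way the poster's NPS policies do and returns the Fortinet-Group-Name VSA the reply describes (encoded with Fortinet's IANA vendor ID 12356 and vendor attribute type 1); the flat single-group policy models the one-group-per-proxy behaviour the poster is worried about, so the two can be compared on the same login attempts.

```python
# Added example (not from the thread): model the RADIUS policy decision for
# per-portal SSL-VPN access. Each FortiGate RADIUS server object sends a
# different NAS-IP-Address; the RADIUS server picks a policy by that NAS IP
# and accepts only users in that portal's AD group, returning a
# Fortinet-Group-Name VSA that FortiGate can map to a user group.
import struct
from typing import Optional, Tuple

# --- constructed sample data (not from the post) ---
# NAS IP sent for each SSL-VPN portal -> (portal name, AD group allowed there)
PORTAL_POLICY = {
    "10.0.0.11": ("vendor-acme-portal", "VPN-Vendor-ACME"),
    "10.0.0.12": ("vendor-globex-portal", "VPN-Vendor-Globex"),
    "10.0.0.10": ("internal-portal", "VPN-Staff"),
}

# AD group membership of sample accounts. "VPN-All-Vendors" is the single flat
# group the poster would be forced to create for a one-group-per-proxy check.
DIRECTORY = {
    "acme.tech": {"VPN-Vendor-ACME", "VPN-All-Vendors", "Domain Users"},
    "globex.tech": {"VPN-Vendor-Globex", "VPN-All-Vendors", "Domain Users"},
    "alice": {"VPN-Staff", "Domain Users"},
}

RADIUS_VENDOR_SPECIFIC = 26   # RADIUS attribute type Vendor-Specific (RFC 2865)
FORTINET_VENDOR_ID = 12356    # IANA private enterprise number for Fortinet
FORTINET_GROUP_NAME = 1       # Fortinet-Group-Name vendor attribute type


def fortinet_group_name_vsa(group: str) -> bytes:
    """Encode a Fortinet-Group-Name VSA as it would appear in an Access-Accept."""
    value = group.encode()
    vendor_data = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_data
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_fortinet_group_name(attr: bytes) -> Optional[str]:
    """Decode a Vendor-Specific attribute; return the group if it is Fortinet-Group-Name."""
    if len(attr) < 8 or attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vtype, vlen = attr[6], attr[7]
    if vendor_id != FORTINET_VENDOR_ID or vtype != FORTINET_GROUP_NAME:
        return None
    if vlen != len(attr) - 6:
        return None
    return attr[8:8 + vlen - 2].decode()


def per_portal_policy(user: str, nas_ip: str) -> Tuple[str, Optional[bytes]]:
    """Policy keyed on NAS-IP-Address, as the poster's NPS setup does.

    Returns ("Access-Accept", vsa_bytes) only if the user is in the AD group
    tied to the portal that sent this NAS IP; otherwise ("Access-Reject", None).
    """
    if nas_ip not in PORTAL_POLICY:
        return ("Access-Reject", None)          # unknown NAS IP: no policy matches
    _portal, required_group = PORTAL_POLICY[nas_ip]
    if required_group not in DIRECTORY.get(user, set()):
        return ("Access-Reject", None)
    return ("Access-Accept", fortinet_group_name_vsa(required_group))


def single_group_policy(user: str, nas_ip: str,
                        allowed_group: str = "VPN-All-Vendors") -> Tuple[str, Optional[bytes]]:
    """The behaviour the poster describes for one proxy: membership in one flat
    group is checked and the NAS IP is ignored, so any vendor passes at any portal."""
    if allowed_group not in DIRECTORY.get(user, set()):
        return ("Access-Reject", None)
    return ("Access-Accept", fortinet_group_name_vsa(allowed_group))


if __name__ == "__main__":
    attempts = [("acme.tech", "10.0.0.11"), ("acme.tech", "10.0.0.12"),
                ("acme.tech", "10.0.0.10"), ("alice", "10.0.0.10")]
    for user, nas_ip in attempts:
        portal = PORTAL_POLICY[nas_ip][0]
        strict, vsa = per_portal_policy(user, nas_ip)
        flat, _ = single_group_policy(user, nas_ip)
        group = parse_fortinet_group_name(vsa) if vsa else "-"
        print(f"{user:12} {portal:22} per-portal={strict:14} group={group:18} flat={flat}")
```

Running the block shows the difference the poster is asking about: acme.tech is accepted on the ACME portal with a Fortinet-Group-Name of VPN-Vendor-ACME and rejected on the Globex and internal portals under the NAS-IP-keyed policy, while the flat single-group policy accepts the same account at every portal. The VSA helpers show the bytes a RADIUS server would append so that FortiGate can match the returned group name against its user groups.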