Hello everyone, I’m seeking some advice and insights regarding the configuration of Fortigate SSL VPN with two-factor authentication. I’m relatively new to this area and would appreciate some guidance on how to set it up effectively. Here’s the situation:
I have a Fortigate firewall and want to enable SSL VPN access for remote users. In order to enhance security, I would like to implement two-factor authentication to ensure that only authorized individuals can connect to the VPN.
My goal is to configure the Fortigate SSL VPN to require both a username/password combination and a second factor of authentication, such as a one-time password (OTP) generated by a mobile app or a hardware token.
I have already configured the basic SSL VPN settings on the Fortigate firewall, allowing users to establish a secure connection using their username and password. However, I’m unsure how to integrate the second factor of authentication into the setup.
I’m facing challenges in understanding the available options for implementing two-factor authentication with Fortigate SSL VPN. I’m also unsure about the compatibility of various authentication methods and how to properly configure them within the Fortigate firewall.
If any of you have experience with configuring Fortigate SSL VPN with two-factor authentication, I would greatly appreciate your guidance. I’m specifically looking for recommendations on suitable second-factor authentication methods, step-by-step configuration instructions, and any best practices or considerations to keep in mind.
Feel free to share your knowledge, personal experiences, or any resources that could help me in successfully setting up two-factor authentication for Fortigate SSL VPN. Thank you in advance for your assistance!
Seeking advice on configuring Fortigate SSL VPN with two-factor authentication. Need guidance on compatible authentication methods, configuration steps, and best practices for a secure setup.
I just set up 2FA using SAML with Azure Active Directory for my organization. I definitely think it's one of the more seamless user experience options. Depends on the size of your organization, but if you already use O365 licensing or a Microsoft E3 or E5 or whatever, then it's a pretty straightforward integration.
You can buy additional FortiTokens for your FortiGate but those are limited to individual FortiGates and if you replace the Gate you will need TAC support to move the tokens over too.
Do you currently have Azure Active Directory or Google Workspace? If you do, set up SAML authentication and leverage Single Sign-On within your organisation. The same login details for their email will work for their VPN and will use the MFA you have set up for your email.
If you still have on-prem AD and email, you might have to look into FortiAuthenticator to act as a RADIUS server to allow MFA and use your AD logins.
Have a conditional access policy for MFA within your Microsoft 365/Azure AD tenant with something like DUO. Then just do SAML auth with Azure AD for your SSL VPN and users will be prompted for MFA.
Our Org utilizes a Fortigate and its SSL VPN. We went with DUO for the MFA provider and DUO has step by step setup documentation for integration with Fortigate’s SSL VPN. It’s also super easy to manage.
I'm looking into FreeRADIUS together with Google MFA. We do have a local and Azure AD, but no O365 licences for that special group of VPN users; they are AD users without any configured mail.
Either use FortiTokens directly, or a 3rd-party solution like Duo.
I am using both scenarios, and have customers successfully using both scenarios. It is pretty easy to set up if you Google "fortinet DUO VPN MFA" or "fortinet fortitoken VPN MFA".
Duo is awesome (8-ish years using it for lots of apps at dozens of clients), but it is unnecessary for SSL-VPN and overly complicates things, not to mention one more piece to support. All of our new deployments simply use Azure AD/SAML. That said, we aren't ripping Duo out anywhere, just not deploying it anymore.
I had the exact same thought halfway through. Looks like his first language is german, but this is so oddly written that he must have used AI for assistance.
Yep, if you have Microsoft 365 and Azure AD set up, then this is the way to go. I have set this up for many clients.
If you don’t, then the cost of FortiToken is one time and perpetual.
Last option is a 3rd party like DUO. I really don't recommend that as it adds another hop in the check chain. If you use multiple SaaS and they don't allow SAML or an App from Microsoft, then it is a good alternative.
Most of the paragraphs could be replaced by a sentence: “I need 2FA for SSL-VPN, help me please”. The only actually useful information is the fourth paragraph (already has basic SSL-VPN), and maybe the fifth (asking specifically about available methods and compatibility). It’s like a copywriter/student trying to satisfy text length quota.
Not a fan of DUO with RADIUS unless you are using a DUO auth proxy via LDAP... Correct me if I'm wrong, but DUO does not support the Fortinet RADIUS VSA to return a group attribute, thus it can only return "allow" or "deny", which limits you on the FortiGate to assigning different access rules for different groups.
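Pulling the SAML route that several commenters recommend into one FortiOS CLI fragment, as an added example that is not from any commenter in the thread. The hostname, tenant ID, certificate names, portal names and the Azure group object ID are placeholders; the SAML attribute names (`username`, `group`) are assumed to match what you configure as claims on the Azure enterprise application. It also adds the check a practitioner wants: the default portal is set to no-access, so a user who authenticates but matches no group mapping gets nothing.

```text
# --- SP side: the FortiGate as a SAML service provider (placeholder values) ---
config user saml
    edit "azure-saml"
        set cert "vpn-server-cert"                                   # assumed: server cert already on the box
        set entity-id "https://vpn.example.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com:10443/remote/saml/login"
        set single-logout-url "https://vpn.example.com:10443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "REMOTE_Cert_1"                                 # IdP signing cert imported from the Azure app
        set user-name "username"                                     # assumed claim name carrying the UPN
        set group-name "group"                                       # assumed claim name carrying group IDs
        set digest-method sha256
    next
end

# --- Map an Azure group (object ID, the default group-claim format) to a local group ---
config user group
    edit "SSLVPN-SAML"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "<azure-group-object-id>"             # placeholder object ID
            next
        end
    next
end

# --- Tie the group to a portal; anyone not matched lands on no-access ---
config vpn ssl settings
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "SSLVPN-SAML"
            set portal "full-access"
        next
    end
end

# --- Firewall policy still has to name the group, or authenticated users pass no traffic ---
config firewall policy
    edit 10
        set name "sslvpn-saml-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"                                       # assumed LAN interface name
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN-subnet"                                     # assumed address object
        set groups "SSLVPN-SAML"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The `config match` block is what gives you per-group portals and policies over SAML, which is the capability the last commenter notes a plain allow/deny RADIUS backend cannot provide. MFA itself is not configured on the FortiGate at all in this design: it is enforced by the Azure conditional access policy that applies to the enterprise application, so the FortiGate only sees an assertion for a user who already satisfied it.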