Geekzone: technology news, blogs, forums
Paul1977
#303673 27-Feb-2023 10:48

I have this configured to VPN into the on-prem network with a Fortigate talking to RADIUS, which in turn talks to Azure. It works perfectly for push notifications to the Authenticator app: you just approve them and you're away.

However, it's not working if the default sign-in method for MFA is not a notification (i.e. if the user is configured to use a one-time code or text message code). If the user is set up for text message codes, they receive the text message and are prompted to enter the code into the FortiClient software, but the connection then just times out. If the user is set up to use the one-time code from the app, they are again prompted but then it just times out after entering it.

I have a bit of a niche case for one particular user who we need to authenticate via text message, so it would be great if anyone has this working who could point me in the right direction. Google isn't helping.

Thanks

Paul1977
#3042602 27-Feb-2023 10:56

Actually, I just found a couple of things that I missed on previous searches that might help me. I'll update if they solve the issue. But I'd still be keen to hear from anyone who might already have this working.

BarTender
#3042620 27-Feb-2023 11:31

Depending on how your RADIUS server and Fortigate/Forticlient all play together, it should support doing a challenge via RADIUS.
But experience has shown me the two best ways to achieve corporate VPN are either pure username/password pointing to on-prem AD or bypassing the MFA challenge. Or issue a user certificate to the managed device and use that to auth to the VPN with the associated PIN / smart card challenge locally and back-end CRL/OCSP checking to make sure the certificate hasn't been revoked.

gbwelly
#3042769 27-Feb-2023 13:05

Paul1977:

I have a bit of a niche case for one particular user who we need to authenticate via text message, so it would be great if anyone has this working who could point me in the right direction. Google isn't helping.

Thanks

Configured this a few years ago with Azure MFA extensions for NPS. Same conclusion as you: ended up offering only app approval or phone call as MFA methods for this very reason. Not helpful, I know, but at the time there was no way to get an interface prompt to enter a code. I'm not aware of this changing since, so would be interested to hear if you do crack the puzzle.

Paul1977
#3042778 27-Feb-2023 13:35

...if your MFA method is text-based (SMS, mobile app verification code, or OATH hardware token) and requires the user to enter a code or text in the VPN client UI input field, the authentication might succeed. But any RADIUS attributes that are configured in the Network Access Policy are not forwarded to the RADIUS client (the Network Access Device, like the VPN gateway). As a result, the VPN client might have more access than you want it to have, or less access or no access.

So it just plain doesn't work if you want to specify different access levels via AD attributes (which we do) when using SMS authentication.

@gbwelly phone call for MFA isn't ideal, but may be acceptable. I might be missing something, but when I add a phone as a sign-in method I only have the option of selecting SMS, there is no phone call option?
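As an added example (not code from this thread, Fortinet or Microsoft), the quoted Microsoft note can be made concrete in RFC 2865 terms: a minimal RADIUS reply decoder that a gateway-side admin could run over captured replies to see whether an Access-Accept actually carries the Fortinet-Group-Name vendor attribute (Fortinet vendor ID 12356, vendor type 1, from Fortinet's RADIUS dictionary) that the NPS network policy was meant to return, or whether the reply was an Access-Challenge asking the client to prompt for a code. The packets below are constructed with zeroed Authenticators, and the group name "vpn-admins" is a made-up value.

```python
import struct
ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11
ATTR_REPLY_MESSAGE, ATTR_STATE, ATTR_VSA = 18, 24, 26
FORTINET_VENDOR_ID, FORTINET_GROUP_NAME = 12356, 1  # Fortinet VSA dictionary: Fortinet-Group-Name

def build_packet(code, ident, attrs):
    """Frame a RADIUS packet from (type, value) pairs; Authenticator zeroed (constructed sample)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def fortinet_vsa(vendor_type, value):  # Vendor-Specific: Vendor-Id, then vendor type/length/value
    return ATTR_VSA, struct.pack("!IBB", FORTINET_VENDOR_ID, vendor_type, len(value) + 2) + value

def parse_tlvs(data, pos, end):
    """Walk type/length/value triples; RADIUS attributes and VSA sub-attributes share this layout."""
    out = []
    while pos < end:
        if pos + 2 > end or data[pos + 1] < 2 or pos + data[pos + 1] > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return out

def parse_packet(data):
    """Return (code, identifier, [(type, value)]) after checking the Length field against the datagram."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("RADIUS Length does not match datagram")
    return code, ident, parse_tlvs(data, 20, length)

def fortinet_groups(attrs):
    """Collect Fortinet-Group-Name values carried in Fortinet Vendor-Specific attributes."""
    groups = []
    for t, v in attrs:
        if t == ATTR_VSA and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == FORTINET_VENDOR_ID:
            for vt, vv in parse_tlvs(v, 4, len(v)):
                if vt == FORTINET_GROUP_NAME:
                    groups.append(vv.decode("utf-8", "replace"))
    return groups

def classify_reply(data, expected_group):
    """What the gateway will do with this reply: prompt for a code, deny, or admit with/without the group."""
    code, _, attrs = parse_packet(data)
    if code != ACCESS_ACCEPT:  # Access-Challenge means: prompt the user, resend with the State attribute
        return "challenge" if code == ACCESS_CHALLENGE else "reject"
    return "accept" if expected_group in fortinet_groups(attrs) else "accept-without-group"

# Constructed samples mirroring the thread: the push path carries the group, the OTP path does not.
PUSH_ACCEPT = build_packet(ACCESS_ACCEPT, 7, [fortinet_vsa(FORTINET_GROUP_NAME, b"vpn-admins")])
OTP_CHALLENGE = build_packet(ACCESS_CHALLENGE, 8, [(ATTR_REPLY_MESSAGE, b"Enter code"), (ATTR_STATE, b"\x01\x02")])
OTP_ACCEPT = build_packet(ACCESS_ACCEPT, 8, [])
```

An "accept-without-group" result is the case the Microsoft note warns about: the user is authenticated, but the gateway has no attribute on which to base the intended portal or group mapping.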


deadlyllama
#3042779 27-Feb-2023 13:39

I occasionally deal with a Forticlient VPN that has the same issue. The MS Authenticator "phone pop up" method works fine; anything involving typing an OTP code in does not.

Decal
#3042784 27-Feb-2023 13:47

What about using SAML? Then the users are presented with the Azure login page and can authenticate with all the methods.

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial

gbwelly
#3042792 27-Feb-2023 14:00

Paul1977:

@gbwelly phone call for MFA isn't ideal, but may be acceptable. I might be missing something, but when I add a phone as a sign-in method I only have the option of selecting SMS, there is no phone call option?

I don't have an Azure AD instance to work out where to go to configure it at the moment. From memory there is the admin screen where you dictate the approved MFA methods, and then that method can be enabled for the user. If it's disabled at the admin side the user is unable to add it as an MFA method.

cisconz
#3042988 28-Feb-2023 08:32

Decal:

What about using SAML? Then the users are presented with the Azure login page and can authenticate with all the methods.

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial

I concur - https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/azure-administration-guide/584456/configuring-saml-sso-login-for-ssl-vpn-web-mode-with-azure-ad-acting-as-saml-idp

Hmmmm


cisconz
#3042991 28-Feb-2023 08:34

Paul1977:

@gbwelly phone call for MFA isn't ideal, but may be acceptable. I might be missing something, but when I add a phone as a sign-in method I only have the option of selecting SMS, there is no phone call option?

That is in the master MFA settings of Azure AD - https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx?BrandContextID=O365 and https://portal.azure.com/?feature.msaljs=false#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods

Hmmmm


Andib
#3043076 28-Feb-2023 10:00

+1 for using Azure AD SAML as your authentication (if you're licenced for it). We're using it without issue for our several thousand users; the Fortigates are on 6.4.11, the VPN client is v7 as we found the 6.5 client wouldn't remember users' sign-ins.
When we first piloted the RADIUS plugin it felt very much like an afterthought on Microsoft's part that was hacked in for compliance reasons for big orgs that couldn't quickly move to SAML.

<# 
       .DISCLAIMER
       Anything I post is my own and not the views of my past/present/future employer.
#>


Paul1977
#3043573 1-Mar-2023 13:40

cisconz:

Paul1977:

@gbwelly phone call for MFA isn't ideal, but may be acceptable. I might be missing something, but when I add a phone as a sign-in method I only have the option of selecting SMS, there is no phone call option?

That is in the master MFA settings of Azure AD - https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx?BrandContextID=O365 and https://portal.azure.com/?feature.msaljs=false#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods

Yeah, I found that, thanks.

Paul1977
#3043578 1-Mar-2023 13:50

Decal:

What about using SAML? Then the users are presented with the Azure login page and can authenticate with all the methods.

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial

Thanks, I'll have a look at that as a long term replacement if it's more suitable. But I don't particularly want to change the whole setup right now just to accommodate one fringe case since it's working well for everyone else.

It's a user who doesn't require a work phone, and their personal phone is a Huawei which doesn't have access to the Google Play store (I gave up attempting to get the Authenticator app onto it via other means as it proved problematic). SMS had been fine for everything else for them, but now that they require VPN access I've just told them that, for now, they'll need to authenticate via phone call instead.