05-17-2024 02:29 PM
Hi, I am trying to use Duo MFA with FortiGate SSL VPN. I configured it as per the instructions. The proxy manager is up, and AD is synced with the Duo cloud.
When I try to sign in to the VPN I do get the push notification on my phone app, but regardless of what I do with the push notification (accept, deny, ignore) the VPN still logs in. I am guessing this means the RADIUS server is not authenticating correctly, but I can't figure out the issue. Does anyone here know where to look or what the issue could be? Thanks)
05-17-2024 02:43 PM
05-18-2024 02:17 AM
Hi,
Duo Authentication Proxy Manager is installed on a machine (Windows) on the same network as the AD.
Below is the template the config is based on:
[ad_client]
host=1.2.3.4
service_account_username=duoservice
service_account_password=password1
search_dn=cn=Users,dc=example,dc=com

# This is the Cisco VPN in the Michigan office
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=5.6.7.8
radius_secret_1=thisisaradiussecret
failmode=secure
client=ad_client
port=1812

[cloud]
ikey=DIABCDEFGHIJKLMNOPQR
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-12345678.duosecurity.com
With this config I have synced the AD to the Duo Admin cloud and I am able to import users. The RADIUS server is also added to the FortiGate and to the user group on the FortiGate.
When I log in to the VPN I do get the push notification, and it shows on the cloud portal as well, but the VPN connects regardless of what I do with the push notification. It doesn't wait for the response and connects directly. Based on my setup, is there anything I am missing or doing wrong? Appreciate the help.
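A quick sanity check for the proxy side of a setup like the one posted above, as an added example that is not part of the original thread or Duo's own tooling. The function name `check_authproxy` is hypothetical and the sample config is constructed with placeholder values; it relies on the documented behaviour that `failmode` defaults to `safe` when omitted.

```python
import configparser
import re

# Constructed sample modelled on the template in the post above (placeholder values).
SAMPLE = """\
[ad_client]
host=1.2.3.4

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=5.6.7.8
radius_secret_1=thisisaradiussecret
radius_ip_2=5.6.7.9
client=ad_clinet
"""

def check_authproxy(text):
    """Return a list of findings for the [radius_server_auto*] sections of an authproxy.cfg."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        if not name.startswith("radius_server_auto"):
            continue
        sec = cfg[name]
        for key in ("ikey", "skey", "api_host"):
            if not sec.get(key):
                findings.append(f"[{name}] missing {key}")
        # client= must name an existing section that performs primary authentication
        client = sec.get("client")
        if not client:
            findings.append(f"[{name}] no client= set")
        elif not cfg.has_section(client):
            findings.append(f"[{name}] client={client} has no matching [{client}] section")
        # failmode defaults to safe: logins are allowed when Duo cannot be reached
        if sec.get("failmode", "safe").lower() != "secure":
            findings.append(f"[{name}] failmode is not secure (fails open)")
        # every RADIUS client IP needs its own shared secret
        for key in sec:
            m = re.fullmatch(r"radius_ip_(\d+)", key)
            if m and not sec.get(f"radius_secret_{m.group(1)}"):
                findings.append(f"[{name}] {key} has no radius_secret_{m.group(1)}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_authproxy(SAMPLE)))
```

A clean result here only rules out the proxy configuration; how the user and group are defined on the FortiGate still decides whether the RADIUS answer is actually waited for.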
05-18-2024 02:42 AM
Hi, I figured it out) It was because of how the user was created on the FortiGate. Thanks
05-18-2024 04:51 AM