Fortinet black logo

Azure Administration Guide

Configuring FortiClient VPN with multifactor authentication

Copy Link
Copy Doc ID a1b148db-687a-11ea-9384-00505692583a:517582
Download PDF

Configuring FortiClient VPN with multifactor authentication

This guide outlines how to integrate Azure multifactor authentication (MFA) to existing on-premise and cloud-based user authentication and VPN infrastructure.

This setup consists of the following components:

  • On-premise Windows Servers acting as Active Directory (AD) domain controllers with domain name "qa-labs.ca" configured
  • Two domain-joined network policy servers (NPS) for RADIUS service
  • Cloud-deployed FortiGate-VM spoke nodes with AD VPN connection to the FortiGate-VM hub node for centralized network service accessibility

When a remote VPN user starts FortiClient for VPN connection to any spoke node, the on-premise RADIUS service verifies the user credentials. Integrating Azure MFA to the existing on-premise NPS adds the following MFA methods to the legacy username and password pairs for user authentication:

  • Call to phone (wireless or landline phone numbers)
  • Text message to phone
  • Mobile app token
  • Mobile app notification

When the on-premise AD is synced to the Microsoft Entra ID (formerly known as Azure AD) and NPS extension for Azure is integrated with the NPS, FortiClient VPN authentication flow results, as follows:

  1. FortiClient initiates a VPN connection request to the FortiGate-VM with username and password pairs.
  2. The FortiGate-VM sends a RADIUS access request message to NPS servers with several attribute value pairs (AVP) parameters, which includes username and encrypted password.
  3. The NPS server connects to the local AD for primary authentication for the RADIUS request, if all NPS policies are met.
  4. The local AD returns the authentication result to the NPS server. One of the following occurs:
    1. If the credentials are incorrect, the NPS server sends a RADIUS access rejection message to the FortiGate-VM. See step 9.
    2. If the credentials are correct, the NPS server forwards the request to the NPS extension.
  5. The NPS extension triggers a request to Azure MFA for secondary authentication. Azure MFA checks if the user has MFA enabled. One of the following occurs:
    1. If the user does not have MFA enabled, go to step 8.
    2. If the user has MFA enabled, go to step 6.
  6. Azure MFA retrieves the user details from Entra ID and performs the secondary authentication per the user's predefined methods, such as phone call, text message, mobile app notification, or mobile app one-time password. Azure MFA returns the challenge result to the NPS extension.
  7. The NPS server that has the extension installed sends a RADIUS message to the FortiGate-VM. One of the following occurs:
    1. If successful, a RADIUS access accept message is sent. Go to step 8.
    2. If unsuccessful, a RADIUS access reject message is sent. Go to step 9.
  8. The user access is granted and an encrypted VPN tunnel is established.
  9. The VPN connection from FortiClient is disconnected.

This setup requires the following prerequisites:

  • On-premise Windows domain controller and AD
  • On-premise RADIUS service provided by NPS
  • On-premise FortiGate at center, branch offices with Internet connections
  • Azure subscription
  • Azure MFA license
  • FortiGate-VMon the cloud. Spoke 1 and Spoke 2 have VPN connections to Hub 1 and Hub 2
  • Remote VPN users
  • Smartphone with Microsoft Authenticator installed

The following example uses the following settings:

  • FortiClient 6.0.9
  • FortiGate-600D with FortiOS 6.2.2
  • FortiGate-VM pay-as-you-go (PAYG) for Azure with FortiOS 6.2.2
  • Windows Server 2016, domain controller, domain-joined NPS
  • Azure PAYG-DevOps subscription
To configure FortiClient VPN with MFA:
  1. Sign in to the Azure portal as a global administrator for the Entra ID. Add your domain name to the Entra ID as a custom domain name so that your users can keep their sign-in username unchanged.
  2. Sign in to your on-premise domain controller as the domain administrator. Download and install the Entra ID connect tool to sync your domain users to Entra ID.
  3. Download and install the NPS extension to your on-premise NPS server.
  4. Add several usernames to your on-premise domain controller for testing purposes. All users should have dial-in control access through NPS network policy under Network Access Permission. This example adds the following users:
    • Alice Abbott: aliceabbott@qa-labs.ca
    • Bob Baines: bobbaines@qa-labs.ca
    • Carol Cooper: carolcooper@qa-labs.ca

  5. Go to the Azure portal. Click Azure Active Directory > Users > Multi-Factor Authentication. Search and enable MFA for the users you created in step 5.
  6. Install Microsoft Authenticator on your smartphone.
  7. Sign in to aka.ms/MFASetup as each account that you added in step 5. Enable a different MFA method for each user. This example configures the following:
    • Sign in as Alice Abbott and enable text message.
    • Sign in as Bob Baines and enable mobile app token.
    • Sign in as Carol Cooper and enable mobile app notification.
  8. Configure the on-premise NPS:
    1. Add the remote FortiGate-VM as a RADIUS client.

    2. Enable PAP as a RADIUS authentication method.
  9. Configure dialup VPN and the SSL VPN portal on the spoke FortiGate-VM with user authenticated against on-premise RADIUS/NPS.

Azure MFA with the RADIUS NPS extension deployment supports the following password encryption algorithms used between the RADIUS client (VPN, NetScaler server, and so on) and the NPS server:

  • PAP supports all Azure MFA authentication methods in the cloud: phone call, text, message, mobile app notification, and mobile app verification code.
  • CHAPv2 supports phone call and mobile app notifications.
  • This deployment does not support EAP.

When FortiOS authenticates a user against a remote RADIUS server, by default, it selects PAP for SSL VPN and MS-CHAPv2 for IPsec VPN. Users who have mobile app token configured as their MFA method may have trouble connecting to IPsec VPN because the mobile app notification or phone call verification may not reach them.

Select PAP for all RADIUS user authentication in your FortiGate-VM configuration:

  • For IPsec VPN, run set xauthtype pap in your phase1-interface configuration:

    config vpn ipsec phase1-interface

    edit "Dialup_RAS"

    set type dynamic

    set interface "port1"

    set mode aggressive

    set peertype any

    set net-device disable

    set mode-cfg enable

    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

    set dpd on-idle

    set comments "VPN: Dialup_RAS (Created by VPN wizard)"

    set wizard-type dialup-forticlient

    set xauthtype pap

    set authusrgrp "Azure_MFA_Usergroup"

    set ipv4-start-ip 172.31.6.1

    set ipv4-end-ip 172.31.6.254

    set dns-mode auto

    set ipv4-split-include "Dialup_RAS_split"

    set save-password enable

    set client-auto-negotiate enable

    set client-keep-alive enable

    set psksecret Nobody_Knows

    set dpd-retryinterval 60

    next

    end

  • For RADIUS server settings, run set auth-type pap and set timeout 30:

    config vpn ssl settings

    set servercert "qa-labs.ca"

    set idle-timeout 4800

    set tunnel-ip-pools "SSLVPN_Tunnel_172.31.7.0/24"

    set source-interface "port1"

    set source-address "all"

    set source-address6 "all"

    set default-portal "web-access"

    config authentication-rule

    edit 1

    set groups "Azure_MFA_Usergroup"

    set portal "0595363 SSLVPN Portal"

    next

    end

    end

    config user group

    edit "Azure_MFA_Usergroup"

    set member "on-premises_NPS"

    next

    end

    config user radius

    edit "on-premises_NPS"

    set server "172.31.248.16"

    set secret Nobody_Knows

    set timeout 30

    set nas-ip 10.255.255.1

    set auth-type pap

    set source-ip "10.255.255.1"

    next

    end

To verify that MFA is configured correctly:

diagnose test authserver radius on-premises_NPS pap aliceabbott@qa-labs.ca <password>

Enter Your Microsoft verification code******

authenticate 'aliceabbott@qa-labs.ca' against 'pap' succeeded, server=primary assigned_rad_session_id=1070819755 session_timeout=0 secs idle_timeout=0 secs!

diagnose test authserver radius on-premises_NPS pap bobbaines@qa-labs.ca <password>

authenticate 'bobbaines@qa-labs.ca' against 'pap' succeeded, server=primary assigned_rad_session_id=1070819758 session_timeout=0 secs idle_timeout=0 secs!

Configuring FortiClient VPN with multifactor authentication

This guide outlines how to integrate Azure multifactor authentication (MFA) to existing on-premise and cloud-based user authentication and VPN infrastructure.

This setup consists of the following components:

  • On-premise Windows Servers acting as Active Directory (AD) domain controllers with domain name "qa-labs.ca" configured
  • Two domain-joined network policy servers (NPS) for RADIUS service
  • Cloud-deployed FortiGate-VM spoke nodes with AD VPN connection to the FortiGate-VM hub node for centralized network service accessibility

When a remote VPN user starts FortiClient for VPN connection to any spoke node, the on-premise RADIUS service verifies the user credentials. Integrating Azure MFA to the existing on-premise NPS adds the following MFA methods to the legacy username and password pairs for user authentication:

  • Call to phone (wireless or landline phone numbers)
  • Text message to phone
  • Mobile app token
  • Mobile app notification

When the on-premise AD is synced to the Microsoft Entra ID (formerly known as Azure AD) and NPS extension for Azure is integrated with the NPS, FortiClient VPN authentication flow results, as follows:

  1. FortiClient initiates a VPN connection request to the FortiGate-VM with username and password pairs.
  2. The FortiGate-VM sends a RADIUS access request message to NPS servers with several attribute value pairs (AVP) parameters, which includes username and encrypted password.
  3. The NPS server connects to the local AD for primary authentication for the RADIUS request, if all NPS policies are met.
  4. The local AD returns the authentication result to the NPS server. One of the following occurs:
    1. If the credentials are incorrect, the NPS server sends a RADIUS access rejection message to the FortiGate-VM. See step 9.
    2. If the credentials are correct, the NPS server forwards the request to the NPS extension.
  5. The NPS extension triggers a request to Azure MFA for secondary authentication. Azure MFA checks if the user has MFA enabled. One of the following occurs:
    1. If the user does not have MFA enabled, go to step 8.
    2. If the user has MFA enabled, go to step 6.
  6. Azure MFA retrieves the user details from Entra ID and performs the secondary authentication per the user's predefined methods, such as phone call, text message, mobile app notification, or mobile app one-time password. Azure MFA returns the challenge result to the NPS extension.
  7. The NPS server that has the extension installed sends a RADIUS message to the FortiGate-VM. One of the following occurs:
    1. If successful, a RADIUS access accept message is sent. Go to step 8.
    2. If unsuccessful, a RADIUS access reject message is sent. Go to step 9.
  8. The user access is granted and an encrypted VPN tunnel is established.
  9. The VPN connection from FortiClient is disconnected.

This setup requires the following prerequisites:

  • On-premise Windows domain controller and AD
  • On-premise RADIUS service provided by NPS
  • On-premise FortiGate at center, branch offices with Internet connections
  • Azure subscription
  • Azure MFA license
  • FortiGate-VMon the cloud. Spoke 1 and Spoke 2 have VPN connections to Hub 1 and Hub 2
  • Remote VPN users
  • Smartphone with Microsoft Authenticator installed

The following example uses the following settings:

  • FortiClient 6.0.9
  • FortiGate-600D with FortiOS 6.2.2
  • FortiGate-VM pay-as-you-go (PAYG) for Azure with FortiOS 6.2.2
  • Windows Server 2016, domain controller, domain-joined NPS
  • Azure PAYG-DevOps subscription
To configure FortiClient VPN with MFA:
  1. Sign in to the Azure portal as a global administrator for the Entra ID. Add your domain name to the Entra ID as a custom domain name so that your users can keep their sign-in username unchanged.
  2. Sign in to your on-premise domain controller as the domain administrator. Download and install the Entra ID connect tool to sync your domain users to Entra ID.
  3. Download and install the NPS extension to your on-premise NPS server.
  4. Add several usernames to your on-premise domain controller for testing purposes. All users should have dial-in control access through NPS network policy under Network Access Permission. This example adds the following users:
    • Alice Abbott: aliceabbott@qa-labs.ca
    • Bob Baines: bobbaines@qa-labs.ca
    • Carol Cooper: carolcooper@qa-labs.ca

  5. Go to the Azure portal. Click Azure Active Directory > Users > Multi-Factor Authentication. Search and enable MFA for the users you created in step 5.
  6. Install Microsoft Authenticator on your smartphone.
  7. Sign in to aka.ms/MFASetup as each account that you added in step 5. Enable a different MFA method for each user. This example configures the following:
    • Sign in as Alice Abbott and enable text message.
    • Sign in as Bob Baines and enable mobile app token.
    • Sign in as Carol Cooper and enable mobile app notification.
  8. Configure the on-premise NPS:
    1. Add the remote FortiGate-VM as a RADIUS client.

    2. Enable PAP as a RADIUS authentication method.
  9. Configure dialup VPN and the SSL VPN portal on the spoke FortiGate-VM with user authenticated against on-premise RADIUS/NPS.

Azure MFA with the RADIUS NPS extension deployment supports the following password encryption algorithms used between the RADIUS client (VPN, NetScaler server, and so on) and the NPS server:

  • PAP supports all Azure MFA authentication methods in the cloud: phone call, text, message, mobile app notification, and mobile app verification code.
  • CHAPv2 supports phone call and mobile app notifications.
  • This deployment does not support EAP.

When FortiOS authenticates a user against a remote RADIUS server, by default, it selects PAP for SSL VPN and MS-CHAPv2 for IPsec VPN. Users who have mobile app token configured as their MFA method may have trouble connecting to IPsec VPN because the mobile app notification or phone call verification may not reach them.

Select PAP for all RADIUS user authentication in your FortiGate-VM configuration:

  • For IPsec VPN, run set xauthtype pap in your phase1-interface configuration:

    config vpn ipsec phase1-interface

    edit "Dialup_RAS"

    set type dynamic

    set interface "port1"

    set mode aggressive

    set peertype any

    set net-device disable

    set mode-cfg enable

    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

    set dpd on-idle

    set comments "VPN: Dialup_RAS (Created by VPN wizard)"

    set wizard-type dialup-forticlient

    set xauthtype pap

    set authusrgrp "Azure_MFA_Usergroup"

    set ipv4-start-ip 172.31.6.1

    set ipv4-end-ip 172.31.6.254

    set dns-mode auto

    set ipv4-split-include "Dialup_RAS_split"

    set save-password enable

    set client-auto-negotiate enable

    set client-keep-alive enable

    set psksecret Nobody_Knows

    set dpd-retryinterval 60

    next

    end

  • For RADIUS server settings, run set auth-type pap and set timeout 30:

    config vpn ssl settings

    set servercert "qa-labs.ca"

    set idle-timeout 4800

    set tunnel-ip-pools "SSLVPN_Tunnel_172.31.7.0/24"

    set source-interface "port1"

    set source-address "all"

    set source-address6 "all"

    set default-portal "web-access"

    config authentication-rule

    edit 1

    set groups "Azure_MFA_Usergroup"

    set portal "0595363 SSLVPN Portal"

    next

    end

    end

    config user group

    edit "Azure_MFA_Usergroup"

    set member "on-premises_NPS"

    next

    end

    config user radius

    edit "on-premises_NPS"

    set server "172.31.248.16"

    set secret Nobody_Knows

    set timeout 30

    set nas-ip 10.255.255.1

    set auth-type pap

    set source-ip "10.255.255.1"

    next

    end

To verify that MFA is configured correctly:

diagnose test authserver radius on-premises_NPS pap aliceabbott@qa-labs.ca <password>

Enter Your Microsoft verification code******

authenticate 'aliceabbott@qa-labs.ca' against 'pap' succeeded, server=primary assigned_rad_session_id=1070819755 session_timeout=0 secs idle_timeout=0 secs!

diagnose test authserver radius on-premises_NPS pap bobbaines@qa-labs.ca <password>

authenticate 'bobbaines@qa-labs.ca' against 'pap' succeeded, server=primary assigned_rad_session_id=1070819758 session_timeout=0 secs idle_timeout=0 secs!