Device health app with FortiClient VPN


I have a customer with a FortiGate; users connect through FortiClient VPN for SSL-VPN, currently using Duo 2FA, sending a push to the user's phone to grant access.

The customer is looking to see whether the Device Health verification app option under the Duo Beyond subscription is compatible with FortiClient VPN.

I tried testing it in his environment with a trial account with no success. Once I attach the enforce policy to an application (in this case I set it up as an LDAP proxy; the local DAP is the LDAP server on the FortiGate side), the connection would not establish and no push notification would be sent, as well as the prompt to install the app. Or am I missing something here?

Thank you,

Device Health checks/policy only work when the Duo interactive prompt is shown in a browser. This isn't possible for FortiGate with Duo added by RADIUS or LDAP.

If a given VPN client app supports passive browser login via federation/SSO, you can use Duo Single Sign-On + the Generic SAML application to add Duo to the VPN logins via SAML 2.0. Duo SSO shows a Duo prompt in the browser so it can also do Device Health checks.

Looks like it’s possible for FortiClient as of v6.4.