FortiGate L2TP Duo 2FA

MS_Mum
Level 1

Hello!
Duo Authentication Proxy 5.7.2.
I already have Duo 2FA working with FortiGate SSL VPN. Now I am trying to make it work with our L2TP, but so far no luck.
I have set up a RADIUS server on FortiGate and I have tried both the PAP and MS-CHAPv2 options.
From the FortiGate "test user credential" option: if I enter the username/password of a user who is part of the security group connected via the RADIUS server, then it works (it works for any AD user), I get a Duo pop-up, and when I approve it I get a success message.
But when I try to use L2TP I get an "Authentication failed" error. I don't get any messages in the Duo log, so that means FortiGate is not sending anything to Duo in this case. This is when I have PAP enabled.
FortiGate ----pap ---- Duo Proxy server.
If I try changing the authentication method to MS-CHAPv2 and test the user credentials, then I get this error:
AVP: l=22 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=16 t=MS-CHAP-Error(2)
Value: ‘<00>E=691 R=0 V=3’
AVP: l=14 t=Reply-Message(18)
Value: ‘No password.’

Does anyone know if this is possible? I can open a ticket with support as well. I was under the impression that this should work in 5.7.2, as it does support MS-CHAPv2. FortiGate by default uses CHAP authentication.
In my config file I have the following sections:
[ad_client]
[cloud]
[radius_server_auto]
I am not sure if I have to add [radius_client] for this setup or not.

Can anyone suggest something?

Thanks

2 Replies

Hiro_Nakano
Level 1

Hi MS_Mum,

Welcome to the Duo community!

You may need to use a [radius_client] section in the Duo Authentication Proxy configuration file for an application that will not work as expected with [ad_client]. For example, applications that need to pass group memberships via RADIUS.

To authenticate from the Duo Proxy to Active Directory as a RADIUS client, you can deploy Microsoft’s Network Policy Server (NPS) as a RADIUS server or a RADIUS server from another vendor between Active Directory and the Duo Authentication Proxy, and add the Duo Proxy server as a client of the NPS server.

Please find this article that is a guide to configuring the Duo Authentication Proxy as a RADIUS client in NPS.

Hope this helps.

If you have any problem with the Duo portion of this configuration, or with the overall concept, I recommend you reach out to support@duosecurity.com for assistance.
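The layout Hiro describes, written out as an authproxy.cfg example (added here; it is not from this thread or from Duo's own documentation, and every host, key and secret is a placeholder). It keeps the existing [ad_client]-backed listener for the SSL VPN untouched and adds a second, numbered listener on its own port for L2TP that forwards primary authentication to NPS through a [radius_client] section. The [cloud] section from the original config is omitted because it is unrelated to this change.

```ini
; authproxy.cfg - added example with placeholder values

; Primary authenticator 1: direct LDAP bind to AD (already used for the SSL VPN)
[ad_client]
host=dc1.example.local
service_account_username=duo-svc
service_account_password=PLACEHOLDER_SERVICE_PASSWORD
search_dn=DC=example,DC=local

; Primary authenticator 2: forward primary auth to NPS as a RADIUS client.
; NPS must list the proxy host as a RADIUS client with this same shared secret.
[radius_client]
host=nps1.example.local
secret=PLACEHOLDER_NPS_SHARED_SECRET
port=1812

; Listener for the SSL VPN: unchanged, backed by [ad_client]
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SKEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER_FORTIGATE_SECRET
client=ad_client
port=1812
failmode=safe

; Second listener for L2TP on its own port, backed by [radius_client]
[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SKEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER_FORTIGATE_SECRET
client=radius_client
port=18120
failmode=safe
```

On the FortiGate side, the RADIUS server object used by the L2TP user group would point at the proxy host on port 18120 with the matching secret (port 18120 is an arbitrary free port chosen here, not a Duo default). After restarting the Duo Authentication Proxy service, the first thing to confirm is that L2TP attempts now show up in the proxy's authproxy.log at all, since the original post reports nothing reaching Duo; a request that never arrives is a FortiGate-side routing or server-object problem, not a proxy one. Note also that failmode=safe lets users through on primary credentials alone if Duo's cloud service is unreachable; set failmode=secure on a listener where that fallback is not acceptable.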

Hi Hiro!

Thanks. I have Cisco ISE and I was pointed by the support team to Duo Two-Factor Authentication for Cisco ISE | Duo Security.
I am going through the documentation to check if this is valid for my scenario.
