Hello!
Duo Authentication Proxy 5.7.2.
I already have Duo 2FA working with FortiGate SSL VPN. Now I am trying to make it work with our L2TP but so far no luck.
I have set up a RADIUS server on FortiGate and I have tried both the PAP and MS-CHAPv2 options.
From the FortiGate test user credential option, if I enter a username/password that is part of the security group that is connected via the RADIUS server then it worked, or it works for any AD user, and I get a Duo Pop and when I approve it then I get a success message.
So when I try to use L2TP I get an Authentication failed error. I don't get any messages in the Duo log, so that means FortiGate is not sending anything to Duo in this case. This is when I have enabled PAP.
FortiGate ----pap ---- Duo Proxy server.
If I try changing the authentication method to MS-CHAP-v2 and try to test the user credentials then I get this error:
AVP: l=22 t=Vendor-Specific(26) v=Microsoft(311)
VSA: l=16 t=MS-CHAP-Error(2)
Value: ‘<00>E=691 R=0 V=3’
AVP: l=14 t=Reply-Message(18)
Value: ‘No password.’
Does anyone know if this is possible? I can open a ticket with support as well. I was under the impression that this should work in 5.7.2 as it does support MS-CHAP-v2. FortiGate by default uses CHAP authentication.
In my config file I have the following sections:
[ad_client]
[cloud]
[radius_server_auto]
I am not sure if I have to add radius_client for this setup or not.
Can anyone suggest something?
Thanks