Alternative for authentication source without Active Directory

Luis Perez
Level 1

We want to protect two apps:

- Fortigate SSL VPN

- Google Workspaces


I have checked the guides, but the customer actually doesn't have AD. What would be a simple and easy alternative for the authentication source? The guides say that for SSL VPN we need to configure the Auth Proxy with an authentication source, and for Google we need to set up Duo SSO first, and we can't use the same Google accounts for that purpose.

Thanks in advance


11 Replies

M02@rt37
VIP

Hello @Luis Perez,

You could use a cloud-based identity provider like Okta or OneLogin. These platforms offer user authentication and SSO capabilities, which could be used to secure both the Fortigate SSL VPN and Google Workspaces without the need for an on-premises AD.

Additionally, you could explore using MFA solutions that integrate well with both systems, such as Authy or YubiKey, to enhance the security of your authentication process.

https://www.fool.com/the-ascent/small-business/identity-management/okta-vs-onelogin/#:~:text=The%20OneLogin%20Google%20Apps%20integration,apps%20not%20in%20its%20catalog.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thanks M02@rt37, a related question: because Fortigate SSL VPN Protection can use RADIUS instead of AD as the authentication source, can I use the same Duo Authentication Proxy as the RADIUS server?

@Luis Perez,

This ?

https://duo.com/docs/fortinet


Best regards

M02@rt37, I was referring to that specific doc, but I'm a little confused, so just to clarify my question.

The Duo Auth Proxy config needs a client section (AD or RADIUS) to refer to the primary authentication method, so my question is whether it is mandatory, because the doc says: "To integrate Duo with your Fortinet FortiGate SSL VPN, you will need to install a local Duo proxy service on a machine within your network. This Duo proxy server will receive incoming RADIUS requests from your Fortinet FortiGate SSL VPN, contact your existing local LDAP/AD or RADIUS server to perform primary authentication if necessary, and then contact Duo's cloud service for secondary authentication."

Also, if I can't avoid that primary authentication, can that RADIUS server be the same Duo Auth Proxy?


Thanks in advance

Hello Luis!

You are correct that using our RADIUS integration requires an Active Directory or a RADIUS server for primary authentication.

If you are instead looking to use a SAML IdP, as M02@rt37 suggested, you can instead use our SAML integration with Duo Single Sign-On. Information on this integration can be found here.

If you have additional questions, please don't hesitate to reach out to Duo Support!

Best regards,
Noor

Thanks @NoorM.

Actually, I understand that for the G Suite integration Duo SSO is required and I can't use the same Google account as the SAML IdP, so if we don't have AD for that SSO config we have to use some SAML IdP, as M02@rt37 suggested.


For the Fortigate SSL VPN I found a proxy config option called radius-duo-only (Duo Two-Factor Authentication with RADIUS Duo-Only Secondary Authentication | Duo Security). In that case we don't need to configure AD or RADIUS on the Auth Proxy, but we need the Fortinet firewall to support chained authenticator capabilities, meaning that the device can support separate primary and secondary authentication configurations in sequence for user login, using the local user database for primary authentication.

Could you confirm if I'm correct, and also, does anyone know if Fortinet supports chained authenticator capabilities?

@Luis Perez

Your understanding is correct. Using a [radius_duo_only] section or [duo_only_client] allows you to use the Duo Authentication Proxy only for secondary authentication. Whether or not this configuration is supported depends on the firewall being protected.

However, FortiGate SSL VPN, in particular, cannot chain authentication sources, so [radius_duo_only] and [duo_only_client] are not supported with it. This information can also be confirmed here.

Best regards,
Noor
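The two Authentication Proxy shapes this exchange contrasts, written out as an added example (not a config from the thread or from Duo's documentation): the first uses a client section for primary authentication, which is what the FortiGate RADIUS guide requires; the second is the duo-only shape, which only works when the protected device performs its own primary authentication before the RADIUS step. Integration keys, secrets, API host and the IP addresses are placeholders or constructed values; the section and key names are the real authproxy.cfg names.

```ini
; Added example, not from the original post or from Duo's docs.
; All keys, secrets, api_host and addresses below are placeholders.

; ---- Shape 1: primary auth handled by the proxy (required for FortiGate SSL VPN) ----
; The client section points at an existing directory or RADIUS server;
; the server section receives RADIUS from the firewall, verifies the
; password against that client, then adds the Duo second factor.
[radius_client]
; constructed: address of an existing RADIUS server
host=10.0.0.10
secret=PLACEHOLDER_RADIUS_SECRET

[radius_server_auto]
ikey=PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; constructed: the FortiGate's address and the shared secret it will send
radius_ip_1=10.0.0.1
radius_secret_1=PLACEHOLDER_SHARED_SECRET
client=radius_client
failmode=safe
port=1812

; ---- Shape 2: Duo-only, no primary auth in the proxy ----
; No directory is contacted; the proxy only performs the Duo second factor.
; This requires the device to chain its own primary authentication
; (for example a local user database) ahead of the RADIUS request.
; Per Noor's reply above, FortiGate SSL VPN cannot chain, so this shape
; is not usable for it; it is shown here only for contrast.
[duo_only_client]

[radius_server_duo_only]
ikey=PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.1
radius_secret_1=PLACEHOLDER_SHARED_SECRET
; constructed: a distinct port so both server sections could coexist on one proxy
port=1813
```

Both shapes can live in one authproxy.cfg as long as each server section listens on a different port, which is the answer to the earlier question about reusing the same proxy as the RADIUS server: the proxy can be the firewall's RADIUS target, but in Shape 1 it still needs a real primary source behind it.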

Thanks @NoorM and M02@rt37, I made this reply to summarize the info:

- For Fortigate SSL VPN we need an AD or RADIUS server deployed to configure the authentication source on the Auth Proxy, as described in Duo Fortinet SSL VPN 2FA, RADIUS Automatic Push | Duo Security. The duo_only_client option described in Duo Two-Factor Authentication with RADIUS Duo-Only Secondary Authentication | Duo Security is not possible with Fortinet using local users, as described in Can I use Duo to protect Fortigate SSL VPN local user account logins?

- For the G Suite integration we need Duo SSO, and for that we also need AD or an external SAML IdP; if we don't have AD we can use Okta or OneLogin as the SAML IdP. We can't use the same Google credentials for Duo SSO, as described in Duo Single Sign-On for Google Workspace (Google G Suite) | Duo Security.


DuoKristina
Cisco Employee

Hey, we do have a Duo SSO SAML app for FortiGate SSL VPN: https://duo.com/docs/sso-fortinet-fortigate. You don't have to use RADIUS.

Duo, not DUO.

Hey @DuoKristina, I haven't seen that guide.

I understand that this method can also apply to SSL VPN access to the Fortigate (configured in a different way in Duo Fortinet SSL VPN 2FA, RADIUS Automatic Push | Duo Security), not only to Fortigate admin access. But in this specific case, to set up Duo SSO we need an AD or external SAML IdP first, is that correct?

Yes, correct. I just mentioned it to make you aware that RADIUS was not the only option. They can use Google Workspace as a SAML IdP for Duo SSO. They will not be able to then also protect that Google Workspace account with Duo SSO, because authentication would go into a redirect loop from Google back to Google, but Duo SSO using Google as the authentication source could be used to protect FortiGate SAML login or any other SAML or OIDC app with SSO.

Duo, not DUO.