Configuring FortiClient VPN with multifactor authentication
This guide outlines how to integrate Azure multifactor authentication (MFA) into existing on-premise and cloud-based user authentication and VPN infrastructure.
This setup consists of the following components:
- On-premise Windows Servers acting as Active Directory (AD) domain controllers with domain name "qa-labs.ca" configured
- Two domain-joined network policy servers (NPS) for RADIUS service
- Cloud-deployed FortiGate-VM spoke nodes with AD VPN connection to the FortiGate-VM hub node for centralized network service accessibility
When a remote VPN user starts FortiClient to open a VPN connection to any spoke node, the on-premise RADIUS service verifies the user credentials. Integrating Azure MFA with the existing on-premise NPS adds the following MFA methods to the legacy username and password authentication:
- Call to phone (wireless or landline phone numbers)
- Text message to phone
- Mobile app token
- Mobile app notification
When the on-premise AD is synced to Microsoft Entra ID (formerly known as Azure AD) and the NPS extension for Azure is integrated with NPS, the FortiClient VPN authentication flow is as follows:
1. FortiClient initiates a VPN connection request to the FortiGate-VM with a username and password pair.
2. The FortiGate-VM sends a RADIUS access request message to the NPS servers with several attribute value pair (AVP) parameters, which include the username and encrypted password.
3. The NPS server connects to the local AD for primary authentication for the RADIUS request, if all NPS policies are met.
4. The local AD returns the authentication result to the NPS server. One of the following occurs:
   - If the credentials are incorrect, the NPS server sends a RADIUS access rejection message to the FortiGate-VM. See step 9.
   - If the credentials are correct, the NPS server forwards the request to the NPS extension.
5. The NPS extension triggers a request to Azure MFA for secondary authentication. Azure MFA checks if the user has MFA enabled. One of the following occurs:
   - If the user does not have MFA enabled, go to step 8.
   - If the user has MFA enabled, go to step 6.
6. Azure MFA retrieves the user details from Entra ID and performs the secondary authentication per the user's predefined methods, such as phone call, text message, mobile app notification, or mobile app one-time password. Azure MFA returns the challenge result to the NPS extension.
7. The NPS server that has the extension installed sends a RADIUS message to the FortiGate-VM. One of the following occurs:
   - If successful, a RADIUS access accept message is sent. Go to step 8.
   - If unsuccessful, a RADIUS access reject message is sent. Go to step 9.
8. The user access is granted and an encrypted VPN tunnel is established.
9. The VPN connection from FortiClient is disconnected.
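As an added illustration (not from the Fortinet documentation), the following Python example shows what the "encrypted password" in the RADIUS access request is when PAP is used: the User-Password hiding defined in RFC 2865, section 5.2, built by the RADIUS client and reversed by the server with the shared secret. The function names, the secret and the password are assumptions made up for the example.

```python
import hashlib
import os

def _md5_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    """XOR one 16-byte block with MD5(shared secret + previous value)."""
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS client role (FortiGate-VM): build the PAP User-Password value."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _md5_xor(padded[i:i + 16], secret, prev)  # chain on the previous output block
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server role (NPS): recover the password with the same secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        clear += _md5_xor(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

if __name__ == "__main__":
    # Constructed values: neither the secret nor the password comes from the page.
    secret = b"example-shared-secret"
    authenticator = os.urandom(16)   # Request Authenticator, fresh per request
    hidden = hide_password(b"Example-Passw0rd-2FA", secret, authenticator)
    print(len(hidden), hidden.hex())
    print(recover_password(hidden, secret, authenticator))
    # A server configured with a different secret does not recover the password.
    print(recover_password(hidden, b"other-secret", authenticator))
```

The only key material involved is the RADIUS shared secret, so the value configured with set secret under config user radius determines how well the password is protected between the FortiGate-VM and NPS.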
This setup requires the following prerequisites:
- On-premise Windows domain controller and AD
- On-premise RADIUS service provided by NPS
- On-premise FortiGate at center, branch offices with Internet connections
- Azure subscription
- Azure MFA license
- FortiGate-VM on the cloud. Spoke 1 and Spoke 2 have VPN connections to Hub 1 and Hub 2
- Remote VPN users
- Smartphone with Microsoft Authenticator installed
This example uses the following settings:
- FortiClient 6.0.9
- FortiGate-600D with FortiOS 6.2.2
- FortiGate-VM pay-as-you-go (PAYG) for Azure with FortiOS 6.2.2
- Windows Server 2016, domain controller, domain-joined NPS
- Azure PAYG-DevOps subscription
To configure FortiClient VPN with MFA:
- Sign in to the Azure portal as a global administrator for the Entra ID. Add your domain name to the Entra ID as a custom domain name so that your users can keep their sign-in username unchanged.
- Sign in to your on-premise domain controller as the domain administrator. Download and install the Entra ID connect tool to sync your domain users to Entra ID.
- Download and install the NPS extension to your on-premise NPS server.
- Add several usernames to your on-premise domain controller for testing purposes. All users should have dial-in control access through NPS network policy under Network Access Permission. This example adds the following users:
  - Alice Abbott: aliceabbott@qa-labs.ca
  - Bob Baines: bobbaines@qa-labs.ca
  - Carol Cooper: carolcooper@qa-labs.ca
- Go to the Azure portal. Click Azure Active Directory > Users > Multi-Factor Authentication. Search and enable MFA for the users you created in step 5.
- Install Microsoft Authenticator on your smartphone.
- Sign in to aka.ms/MFASetup as each account that you added in step 5. Enable a different MFA method for each user. This example configures the following:
  - Sign in as Alice Abbott and enable text message.
  - Sign in as Bob Baines and enable mobile app token.
  - Sign in as Carol Cooper and enable mobile app notification.
- Configure the on-premise NPS:
  - Add the remote FortiGate-VM as a RADIUS client.
  - Enable PAP as a RADIUS authentication method.
- Configure dialup VPN and the SSL VPN portal on the spoke FortiGate-VM with user authenticated against on-premise RADIUS/NPS.
Azure MFA with the RADIUS NPS extension deployment supports the following password encryption algorithms used between the RADIUS client (VPN, NetScaler server, and so on) and the NPS server:
- PAP supports all Azure MFA authentication methods in the cloud: phone call, text message, mobile app notification, and mobile app verification code.
- CHAPv2 supports phone call and mobile app notifications.
- This deployment does not support EAP.
When FortiOS authenticates a user against a remote RADIUS server, by default, it selects PAP for SSL VPN and MS-CHAPv2 for IPsec VPN. Users who have mobile app token configured as their MFA method may have trouble connecting to IPsec VPN because the mobile app notification or phone call verification may not reach them.
Select PAP for all RADIUS user authentication in your FortiGate-VM configuration:
- For IPsec VPN, run set xauthtype pap in your phase1-interface configuration:

    config vpn ipsec phase1-interface
        edit "Dialup_RAS"
            set type dynamic
            set interface "port1"
            set mode aggressive
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set comments "VPN: Dialup_RAS (Created by VPN wizard)"
            set wizard-type dialup-forticlient
            set xauthtype pap
            set authusrgrp "Azure_MFA_Usergroup"
            set ipv4-start-ip 172.31.6.1
            set ipv4-end-ip 172.31.6.254
            set dns-mode auto
            set ipv4-split-include "Dialup_RAS_split"
            set save-password enable
            set client-auto-negotiate enable
            set client-keep-alive enable
            set psksecret Nobody_Knows
            set dpd-retryinterval 60
        next
    end

- For RADIUS server settings, run set auth-type pap and set timeout 30:

    config vpn ssl settings
        set servercert "qa-labs.ca"
        set idle-timeout 4800
        set tunnel-ip-pools "SSLVPN_Tunnel_172.31.7.0/24"
        set source-interface "port1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "Azure_MFA_Usergroup"
                set portal "0595363 SSLVPN Portal"
            next
        end
    end
    config user group
        edit "Azure_MFA_Usergroup"
            set member "on-premises_NPS"
        next
    end
    config user radius
        edit "on-premises_NPS"
            set server "172.31.248.16"
            set secret Nobody_Knows
            set timeout 30
            set nas-ip 10.255.255.1
            set auth-type pap
            set source-ip "10.255.255.1"
        next
    end
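One way to check an exported FortiGate configuration against the PAP settings above, as an added example rather than Fortinet tooling: the Python below parses the config/edit/set syntax and reports RADIUS servers and XAuth dialup tunnels that are not set to PAP. The function names, the sample entries "Dialup_legacy" and "backup_NPS", and the use of the page's 30-second timeout as a minimum are assumptions.

```python
import shlex

# Constructed sample; "Dialup_legacy" and "backup_NPS" are made-up entries.
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "Dialup_RAS"
        set xauthtype pap
        set authusrgrp "Azure_MFA_Usergroup"
    next
    edit "Dialup_legacy"
        set authusrgrp "Azure_MFA_Usergroup"
    next
end
config user radius
    edit "on-premises_NPS"
        set timeout 30
        set auth-type pap
    next
    edit "backup_NPS"
        set auth-type ms_chap_v2
    next
end
'''

def parse(text):  # -> {table: {entry: {option: value}}}, top-level tables only
    tables, table, entry, depth = {}, None, None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                table, entry = " ".join(tok[1:]), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = tables.setdefault(table, {}).setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
    return tables

def audit(text, min_timeout=30):  # 30 is the page's example value (assumed floor)
    cfg, out = parse(text), []
    for name, e in cfg.get("user radius", {}).items():  # RADIUS server entries
        auth, tmo = e.get("auth-type", "unset"), e.get("timeout", "unset")
        if auth != "pap" or not tmo.isdigit() or int(tmo) < min_timeout:
            out.append(f"radius {name}: auth-type={auth} timeout={tmo}")
    for name, e in cfg.get("vpn ipsec phase1-interface", {}).items():  # XAuth tunnels
        if "authusrgrp" in e and e.get("xauthtype") != "pap":
            out.append(f"phase1 {name}: xauthtype={e.get('xauthtype', 'unset')}")
    return out
```

Calling audit(SAMPLE) returns one finding for backup_NPS and one for Dialup_legacy; the entries that match the page's configuration produce none.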
To verify that MFA is configured correctly:

    diagnose test authserver radius on-premises_NPS pap aliceabbott@qa-labs.ca <password>
    Enter Your Microsoft verification code******
    authenticate 'aliceabbott@qa-labs.ca' against 'pap' succeeded, server=primary assigned_rad_session_id=1070819755 session_timeout=0 secs idle_timeout=0 secs!

    diagnose test authserver radius on-premises_NPS pap bobbaines@qa-labs.ca <password>
    authenticate 'bobbaines@qa-labs.ca' against 'pap' succeeded, server=primary assigned_rad_session_id=1070819758 session_timeout=0 secs idle_timeout=0 secs!