How to Set Up MFA for FortiClient VPN using Duo: A Step-by-Step Guide – Part 2/4

Integration of Fortigate as an Application in Duo and Configuring Forticlient

In part 2 of the 4-part series, we'll configure Duo as the IdP for FortiGate, configure SSO on the FortiGate, and point FortiClient at it. Parts 1 and 2 together give the complete picture for using Duo as the IdP, which I call Option 1. Parts 3 and 4 will show Microsoft taking over IdP responsibilities while calling Duo only to provide the push.

Option 1:

Duo SSO taking the lead, "proxying" the username/password to Entra ID via API for the first factor

My Environment:

  • DUO Premier Trial Account
  • Fortinet Fully Featured Demo Keys
  • Windows 11 Client Computer with FortiClient
  • Microsoft Azure Entra ID licensed with E3

The FortiClient is set up for Remote Access.

References:

Duo Single Sign-On for Fortinet FortiGate VPN

Technical Tip: SSL VPN with DUO as SAML IdP using Azure AD as Authentication Source

Steps:
  1. Log into the Duo Console, click on Duo Single Sign-On on the left side, then choose to “Protect an Application” at the top of the screen.

  2. Click on "Fortigate Fortinet" in the list of available integrations. This adds the Fortinet entry to Duo SSO and opens a page showing the options for the new entry. While here, download the IdP certificate, as we'll need to import it on the FortiGate; click the button to do that. Note that the left menu now shows us under "Applications", which happened when we clicked the button to connect the application.

  3. Log into the Fortinet FortiGate GUI for your Fortinet FortiGate SP appliance.
  4. In the left menu sidebar, click System and then click Certificates.
  5. At the top of the page, click Create/Import and then select Remote Certificate. The “Upload Remote Certificate” window opens.
  6. Click Upload, open the certificate file you downloaded earlier, and then click OK. You should now see a new certificate named REMOTE_Cert_1; we'll reference it below.

  7. Keep the Duo SSO page for the FortiGate application we just added open. We'll need its IdP values (Entity ID, Single Sign-On URL and Single Logout URL) for the next bit at the CLI.

  8. As of FortiOS 7.2 the SSO pieces of FortiGate can be configured in the GUI. Since that isn't fully functional yet, we'll configure them in the CLI. Click to open the CLI.

  9. Here we'll create a SAML server entry (config user saml) named tc_forticlient_saml. The FortiGate is the SAML SP and Duo SSO is the IdP.

  10. In the above, I give the entry a Service Provider address; in my case I use vpn.trescointegrations.com:4433 so that it matches the port the SSL VPN runs on, followed by the rest of the URL. If you now close the CLI after entering your information and go into the Single Sign-On section of the GUI, you can use it to copy the information we'll need for the Duo configuration. The IdP URLs (the Duo addresses) can be found in the Duo application we already created above.


    In the illustration above, note the Service Provider Configuration pieces; we'll need those to enter into our application in the Duo console, along with the "Attribute used to identify groups" at the very bottom.
  11. Go back to the Duo console and click on Groups on the left side. We need to create a group that corresponds to the Fortigate settings. I am creating a group called duo_fortigate_vpn_access.

  12. Once we add the group, go back into the group we just created and add a user to it. For me, I'm adding ctresco@trescointegrations.com.
  13. Now wander back to the application in the Duo console to finish editing it. Note the picture below. Enter the Service Provider URLs from the FortiGate GUI here. Also create a group mapping so the FortiGate group we create below is mapped to the Duo group. Finally, note how the custom attributes are configured; their names must match the username and group attribute names configured on the FortiGate SAML entry. Click to save.

  14. Go back to the FortiGate console. Click on User Groups, then Create New at the top. Make a group whose name matches the one you entered in the Duo screen above; for me, "fortigate_duo_vpn_access". Choose "Firewall" as the type. Don't add any members. Click "Add" under Remote Groups and select the SAML entry you created earlier, for me tc_forticlient_saml. Once selected, choose "Any" as the group. Note that "Any" admits every user Duo asserts for this application; to enforce the group mapping from the previous step, enter the mapped group name here instead. Click OK when finished.

  15. Now that our SSO options are configured, we just need to tell the FortiGate to use SSO for the SSL VPN. Creating an SSL VPN is not in scope for this document; we'll edit a pre-existing SSL VPN to use SAML. Go to the VPN menu, then SSL-VPN Settings. Looking at the settings here, all we have to do is add the user group that references the SAML entry we created earlier to the SSL-VPN authentication rules. See the illustration below.

  16. Once we click "Apply", the VPN is configured for SSO/SAML access. Now we just have to tell FortiClient to use SSO. Note the settings below in FortiClient: all we have to do is tell the remote access tunnel to use SSO credentials. On connection, it pops up a browser window where you log in through Duo.
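The FortiGate side of steps 9 through 15 expressed as FortiOS CLI, as an added example; this is not the CLI the post's own screenshot showed and it is not Duo's or Fortinet's reference configuration. The host/port and object names (vpn.trescointegrations.com:4433, tc_forticlient_saml, REMOTE_Cert_1, fortigate_duo_vpn_access) are the ones used in this post. Everything else is an assumption to replace with your own values: the Duo IdP URLs (sso-XXXXXXXX / DIXXXXXXXXXXXXXXXXXX are placeholders; copy the real ones from the Duo application page), the attribute names username and group (make them match the custom attributes you set in the Duo application), and the portal name full-access.

```fortios
# Added example, not the post's own CLI output. Placeholders to replace:
#   sso-XXXXXXXX / DIXXXXXXXXXXXXXXXXXX -> from the Duo application's IdP metadata
#   username / group                     -> must match the Duo app's custom attribute names
#   full-access                          -> your SSL VPN portal

# 1. SAML server entry: the FortiGate is the SP, Duo SSO is the IdP (steps 9-10)
config user saml
    edit "tc_forticlient_saml"
        # SP side: built from the SSL VPN host:port; these are the URLs entered in Duo
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.trescointegrations.com:4433/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.trescointegrations.com:4433/remote/saml/login"
        set single-logout-url "https://vpn.trescointegrations.com:4433/remote/saml/logout"
        # IdP side: values shown on the Duo application page (placeholders here)
        set idp-entity-id "https://sso-XXXXXXXX.sso.duosecurity.com/saml2/sp/DIXXXXXXXXXXXXXXXXXX/metadata"
        set idp-single-sign-on-url "https://sso-XXXXXXXX.sso.duosecurity.com/saml2/sp/DIXXXXXXXXXXXXXXXXXX/sso"
        set idp-single-logout-url "https://sso-XXXXXXXX.sso.duosecurity.com/saml2/sp/DIXXXXXXXXXXXXXXXXXX/slo"
        # Certificate imported in step 6; used to verify the signature on Duo's assertions
        set idp-cert "REMOTE_Cert_1"
        # SAML attributes carrying the user name and the group list (assumed names)
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next
end

# 2. Firewall user group tied to the SAML server (step 14)
config user group
    edit "fortigate_duo_vpn_access"
        set member "tc_forticlient_saml"
        # Enforces the group mapping from step 13. Omit the match block to get the
        # "Any" behaviour from the GUI, which admits every user Duo asserts.
        config match
            edit 1
                set server-name "tc_forticlient_saml"
                set group-name "fortigate_duo_vpn_access"
            next
        end
    next
end

# 3. SSL VPN: listen on 4433 and map the group to a portal (step 15)
config vpn ssl settings
    set port 4433
    config authentication-rule
        edit 1
            set groups "fortigate_duo_vpn_access"
            set portal "full-access"
        next
    end
end
```

After applying this, check the SP values with "show user saml tc_forticlient_saml" and make sure they match what you entered in the Duo application byte for byte (including the trailing slash on the metadata entity ID); a mismatch there is the usual reason the browser login succeeds at Duo but the FortiGate rejects the assertion.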

