mylesagray / blog-comments

Comments for Blah, Cloud. Hugo blog

Setting up Duo 2FA for Fortigate admin authentication | Blah, Cloud #47

Open mylesagray opened 2 years ago

mylesagray commented 2 years ago

Written on 02/25/2018 12:34:40

URL: https://blah.cloud/security/setting-duo-2fa-fortigate-admin-authentication/

mylesagray commented 2 years ago

Comment written by JB on 09/08/2016 19:13:14

You said you installed it on your DC? How does it work if AD listens on 389 and 636 by default? The service won't even start for me because of port conflicts.

mylesagray commented 2 years ago

Comment written by Myles Gray on 09/08/2016 19:21:53

Because we're using radius_server_auto, it does not use 389 or 636, so there is no port conflict.

You cannot install on a DC if you want it to service LDAP, obviously.
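As an added example (written for this page, not code from the original post or from Duo), here is a small pre-flight check that reads an authproxy.cfg and lists which local ports the proxy's server sections will bind, so a collision with AD DS on a domain controller shows up before the service fails to start. The embedded config is constructed for the example, with placeholder keys and hosts. The defaults it relies on are assumptions taken from Duo's Authentication Proxy documentation and should be checked against the current docs: radius_server_* sections listen on 1812/udp, ldap_server_auto on 389/tcp plus 636/tcp when ssl_key_path and ssl_cert_path are set, and *_client sections (ad_client, radius_client) open no listener at all, which is why the RADIUS-fronted setup coexists with AD and an LDAP-fronted one does not.

```python
import configparser
import io

# Constructed authproxy.cfg for the example: ad_client does primary (AD) auth and
# radius_server_auto fronts it for the FortiGate. Keys and hosts are placeholders.
SAMPLE_CFG = """
[ad_client]
host=dc01.example.internal
service_account_username=svc_duo
service_account_password=REDACTED
search_dn=DC=example,DC=internal

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REDACTED
api_host=api-xxxxxxxx.duosecurity.com
client=ad_client
radius_ip_1=192.0.2.1
radius_secret_1=REDACTED
failmode=safe
"""

# The same proxy with an LDAP front end added (what you would need if the
# FortiGate were to talk LDAP to the proxy instead of RADIUS). Also constructed.
LDAP_VARIANT_CFG = SAMPLE_CFG + """
[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REDACTED
api_host=api-xxxxxxxx.duosecurity.com
client=ad_client
"""

# Listeners AD DS itself owns on a domain controller (assumption: a typical DC;
# take the real list from the host, e.g. Get-NetTCPConnection -State Listen).
AD_DS_PORTS = {(389, "tcp"), (636, "tcp"), (3268, "tcp"), (3269, "tcp"),
               (88, "tcp"), (88, "udp"), (464, "tcp"), (464, "udp")}

# Assumed Duo defaults; verify against the current Authentication Proxy reference.
DEFAULT_RADIUS_PORT = 1812
DEFAULT_LDAP_PORT = 389
DEFAULT_LDAPS_PORT = 636


def listening_ports(cfg_text):
    """Map (port, proto) -> section name for every section that binds a socket."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(cfg_text))
    binds = {}
    for name in cp.sections():
        sec = cp[name]
        if name.startswith("radius_server_"):
            binds[(sec.getint("port", fallback=DEFAULT_RADIUS_PORT), "udp")] = name
        elif name.startswith("ldap_server_"):
            binds[(sec.getint("port", fallback=DEFAULT_LDAP_PORT), "tcp")] = name
            # LDAPS is only bound when a key/cert pair is configured.
            if sec.get("ssl_key_path") and sec.get("ssl_cert_path"):
                binds[(sec.getint("ssl_port", fallback=DEFAULT_LDAPS_PORT), "tcp")] = name
        # *_client sections (ad_client, radius_client, ...) only make outbound
        # connections, so they never collide with a local listener.
    return binds


def port_conflicts(cfg_text, in_use):
    """Sorted (port, proto, section) tuples whose bind collides with an in-use port."""
    return sorted((port, proto, name)
                  for (port, proto), name in listening_ports(cfg_text).items()
                  if (port, proto) in in_use)


if __name__ == "__main__":
    for label, cfg in (("radius only", SAMPLE_CFG), ("radius + ldap", LDAP_VARIANT_CFG)):
        print(label, "binds:", listening_ports(cfg),
              "conflicts on a DC:", port_conflicts(cfg, AD_DS_PORTS))
```

Run it against the real authproxy.cfg and the real listener list from the host; the radius-only config reports no conflicts on a DC, while adding ldap_server_auto immediately flags 389/tcp, which is the failure JB describes.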

mylesagray commented 2 years ago

Comment written by JB on 09/08/2016 19:56:33

Thanks for this. I always hated having to use the FortiToken app.

mylesagray commented 2 years ago

Comment written by Cat Mucius on 09/13/2016 20:04:55

The limitation I've encountered is that if you need to make authorization decisions on FortiGate according to users' membership in multiple AD groups - you just don't have a way to signal the membership info to the FortiGate. Neither with ad_client, nor with radius_client (in the latter case, though, you can send the name of a single group to FortiGate, in a Vendor-Specific Attribute).

mylesagray commented 2 years ago

Comment written by Myles Gray on 09/13/2016 20:25:19

I had a ticket open with Duo about this, we ended up doing Wireshark traces (as to why we could pass groups to Duo from FG as an LDAP proxy) - FG is passing the auth request in a different way than Duo expects and they would need to fix it on their side.

If that is fixed, what you want to do would then be possible. I also wanted to provide RBAC on the FG side as well, but, no dice.

mylesagray commented 2 years ago

Comment written by Cat Mucius on 09/13/2016 21:09:56

As I understand, it's a problem pestering any RADIUS-based authentication solution for FortiGate - not just Duo. FortiGate can read group's name from VSA field in RADIUS reply, but I don't know any RADIUS server that can read user's group list from AD and pack them into VSAs. And I don't know if FortiGate can handle multiple VSAs of the same type.

So the only mechanism FortiGate can get a list of groups from external source is LDAP.

There may be two possible solutions, but each has severe drawbacks, and I haven't checked them in action:

1. Define local user accounts on FortiGate, but check their passwords via RADIUS (https://forum.fortinet.com/.... This way, you can add them to as many groups as you like, but the price is double-management of the accounts (or triple, or more, if you have multiple FortiGates).

2. Duo can also run their own LDAP service, reachable via Internet and SSL-protected. They recommend it for applications other than FortiGate, such as Cisco (https://duo.com/docs/cisco#.... They also can pull the groups membership data from AD, if you sync your AD with them (https://duo.com/docs/syncin....
So I guess you can configure FortiGate just to query their LDAP service for user's credentials, but:
- you can just check the one-time passcode this way, not the AD password,
- you're relying on Duo in your authorization decisions. So they have technical ability to manipulate them, by elevating or downgrading users' access level. Maybe paranoid of me, but I wouldn't trust them that much.
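To make the VSA mechanism in the comment above concrete, the following added example (written for this page; it is not FortiGate, Fortinet or Duo code) builds a RADIUS Access-Accept carrying Fortinet-Group-Name VSAs and parses them back out, covering both ways a RADIUS server could encode several groups: one VSA per group, or several sub-attributes packed into one VSA. It assumes RFC 2865 framing and Fortinet's IANA enterprise number 12356 with vendor-type 1 for Fortinet-Group-Name, as in Fortinet's published RADIUS dictionary; the shared secret and request authenticator are constructed. It says nothing about which of the two encodings a FortiGate actually honours, which is the open question in the comment.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356   # Fortinet IANA enterprise number (assumed from Fortinet's dictionary)
FORTINET_GROUP_NAME = 1      # vendor-type of Fortinet-Group-Name, a string


def fortinet_vsa(vendor_type, value):
    """One RFC 2865 VSA: type 26 | length | vendor-id | vendor-type | vendor-length | value."""
    raw = value.encode()
    body = struct.pack("!IBB", FORTINET_VENDOR_ID, vendor_type, len(raw) + 2) + raw
    if len(body) + 2 > 255:
        raise ValueError("VSA value too long for one attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def fortinet_vsa_packed(pairs):
    """Several Fortinet sub-attributes inside a single VSA (also legal per RFC 2865)."""
    body = struct.pack("!I", FORTINET_VENDOR_ID)
    for vendor_type, value in pairs:
        raw = value.encode()
        body += struct.pack("!BB", vendor_type, len(raw) + 2) + raw
    if len(body) + 2 > 255:
        raise ValueError("packed VSA too long for one attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """True only if the reply was produced with the shared secret, so a forged
    Access-Accept from a host that can spoof the server's IP is rejected."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def fortinet_attributes(packet):
    """Yield (vendor_type, value) for every Fortinet sub-attribute in the packet,
    whether the server sent one VSA per group or packed several into one VSA.
    Every length field is checked so a malformed reply cannot make the parser
    read outside the packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        sub = value[4:]
        while sub:
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            yield sub[0], sub[2:sub[1]].decode("utf-8", errors="replace")
            sub = sub[sub[1]:]


def group_names(packet):
    """All Fortinet-Group-Name values in the reply, in wire order."""
    return [v for t, v in fortinet_attributes(packet) if t == FORTINET_GROUP_NAME]


if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"constructed-shared-secret"   # constructed
    reply = access_accept(7, req_auth, secret, [
        fortinet_vsa(FORTINET_GROUP_NAME, "fw-admins"),
        fortinet_vsa(FORTINET_GROUP_NAME, "vpn-users"),
    ])
    print("authentic:", verify_response(reply, req_auth, secret), "groups:", group_names(reply))
```

A RADIUS client should always check the Response Authenticator (verify_response here) before acting on any group or profile attribute in a reply; without the shared secret the group list is just bytes anyone on the path could have written.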

mylesagray commented 2 years ago

Comment written by adeelahmad84 on 02/23/2017 14:30:58

Hi,

How can I configure the RADIUS remoteauth timeout specifically for a VDOM? Our ISP has provided us with a VDOM and they're not willing to make the changes globally as they have other customers on other VDOMs.

Couldn't find anything on the Fortinet website.

Thanks

Adeel