Thursday, September 12, 2019

HOWTO use MFA with Fortigate and Jumpcloud

In this post we have a simple MFA deployment using the Jumpcloud RADIUS-aaS and a Fortigate firewall. The configuration for MFA on the radius client (FGT) is no different from a non-MFA radius deployment.

In this example we have a username=smcldap which has been enrolled in Jumpcloud for google-auth. The Jumpcloud radius client has been configured to enforce MFA for its users.

User enablement for MFA is done in the Jumpcloud portal, per user.


The Fortigate side is a typical radius setup, with the radius server configuration populated as usual.

I've set my nas-ip and source-ip in this example to ensure the address will be seen and matched by the cloud radius server instance @ 18.204.0.31.

The login for MFA is done in this fashion: (userpassword,<OTP>). See this diag test output, where my 6-digit OTP is included after my password.


MFA with Jumpcloud works only via PAP, for the obvious reason that a challenge/response method hashes the password on the client and cannot carry the changing OTP. So if you send anything other than PAP, the client will fail or time out.

So here's a simple screenshot of me doing a login from the webUI. I've added the format of the password and OTP that I would insert in the web form password input:

e.g. 'mypassword,123456'
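To make the "PAP only" point and the 'password,OTP' convention concrete, here is an added illustration; it is not Fortigate or Jumpcloud code. It implements the User-Password hiding from RFC 2865 section 5.2 (what the FGT does with `set auth-type pap` under `config user radius`) and the CHAP-Password response from RFC 2865 section 5.3, then applies the 'password,OTP' split on the server side. The shared secret, Request Authenticator, password and OTP below are constructed sample values; the OTP pattern (six digits, last comma-separated field) is my assumption about the convention, not something Jumpcloud documents on this page.

```python
"""
RADIUS PAP vs CHAP and the 'password,OTP' convention.

Added example, not Fortigate or Jumpcloud code. Shows why a RADIUS server
can only extract an appended one-time code when the client sends PAP:
PAP hiding is reversible with the shared secret, CHAP is a one-way hash.
"""
import hashlib
import os
import re

BLOCK = 16  # RFC 2865 hides User-Password in 16-byte blocks


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS (Fortigate) side: hide the cleartext password per RFC 2865 5.2.
    The result is reversible by anyone holding the shared secret, which is
    exactly what lets the server read 'password,OTP'."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # zero-pad to 16n
    out = b""
    prev = authenticator                     # b1 = MD5(S + RA)
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + BLOCK], b))
        out += c
        prev = c                             # b_n = MD5(S + c_(n-1))
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server (Jumpcloud) side: recover the cleartext and strip the padding."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 bytes")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + BLOCK]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


OTP_RE = re.compile(rb"^[0-9]{6}$")  # assumed: 6-digit google-auth code


def split_password_otp(user_password: bytes):
    """Server side: apply the 'password,OTP' convention. The OTP is the LAST
    comma-separated field, so a static password containing commas still
    works. Returns (password, otp) or None when the format does not match."""
    if b"," not in user_password:
        return None
    password, otp = user_password.rsplit(b",", 1)
    if not OTP_RE.match(otp):
        return None
    return password, otp


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side for CHAP: MD5(id + password + challenge), RFC 2865 5.3.
    The server receives only this digest, so there is no 'password,OTP'
    string to split; this is why anything other than PAP fails here."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def demo():
    """Round trip: hide on the NAS, reveal on the server, split out the OTP."""
    secret = b"constructed-shared-secret"        # constructed sample value
    authenticator = os.urandom(16)               # fresh Request Authenticator
    on_the_wire = pap_hide(b"mypassword,123456", secret, authenticator)
    recovered = pap_reveal(on_the_wire, secret, authenticator)
    return split_password_otp(recovered)


if __name__ == "__main__":
    print(demo())                                # (b'mypassword', b'123456')
    digest = chap_response(1, b"mypassword,123456", b"constructed-challenge")
    print("CHAP gives the server only a digest:", digest.hex())
```

The practical takeaway for the Fortigate config is the `auth-type` choice: leave it on `pap` (or `auto`, which tries PAP among others) for a Jumpcloud MFA server; `chap`, `ms_chap` or `ms_chap_v2` send the server a digest like `chap_response()` above and the OTP is lost.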

MFA is the method we should be using to secure ssh, the web GUI, ipsec-dialup, and sslvpn.
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \