Saturday, September 14, 2019

HOWTO use MFA with Fortigate and OneLogin

In this blog post I will demo a simple but effective OneLogin RADIUS-as-a-Service (RADIUS-aaS) setup with MFA in front of a Fortigate firewall, and give you a few free API tips.

A few items:
  1. username "demosocpuppets"
  2. a policy was created in OneLogin with MFA set for the authentication policy and for the user
  3. the RADIUS server was configured in the FGT as a plain-jane RADIUS client
  4. the user's username was set in OneLogin with password+otp as the password format

Let's first peek at the OneLogin configuration items, since most of the work is done here.

First you need a RADIUS client defined. This is the FGT that will send the RADIUS requests.




and set the username and password fields; by default username==email and password==password.





That concludes the RADIUS client configuration. Now it's best to build the Authenticator and MFA policy, since you will use them for the RADIUS client and users. Do it in that order too!

First we define our Authenticators; we want to use Google Authenticator, so I built mine and selected google-authenticator. Google Authenticator is widely accepted and it plain out works, and works great. The time-based, six-digit OTP is, for practical purposes, very hard to guess or reuse.





The policy enables MFA and uses google-authenticator for this demo and user.







Okay, we are almost done. You only need to apply a user and, in that user's settings, instruct it to use the MFA policy.




Make sure to set the user's "username" field. By default it is not required, but our RADIUS config and attributes use that field, not the email address, as the username to authenticate.




After the above has been done and the user has registered, we need to set his MFA profile in the user portal.

I'm using Authy for my token generator: https://authy.com/
The authentication would be similar to the following:

   Username="username in onelogin ......the user name field"
   Password="password<otp>"

Example:

   demosocpuppets
   !test1234!435789

Breaks down to:

   password = !test1234!
   otp = 435789
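To make the password+otp format concrete, here is an added example (not OneLogin's code and not from the original post) of how a RADIUS server can split the combined string and validate both halves. The OTP is the fixed-length tail, so the static password may itself contain digits; the TOTP math is RFC 6238 with HMAC-SHA1, which is what Google Authenticator and Authy produce. The six-digit length, 30-second step, and the ±1-step tolerance window are this example's assumptions, as is the RFC 6238 test seed used as the demo secret; how OneLogin's own server implements the check is not described on the page.

```python
"""Split and verify a RADIUS 'password<otp>' credential (added example).
Assumes a 6-digit, 30-second TOTP (RFC 6238, HMAC-SHA1) as used by
Google Authenticator / Authy, and tolerates +/-1 time step of clock skew."""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

OTP_DIGITS = 6        # assumption: Google Authenticator default
STEP_SECONDS = 30     # assumption: Google Authenticator default


def split_credential(combined: str, digits: int = OTP_DIGITS) -> Tuple[str, str]:
    """Return (password, otp). The OTP is always the last `digits` characters,
    so we split by position: the static password may end in digits too."""
    if len(combined) <= digits:
        raise ValueError("credential too short to hold a password plus OTP")
    password, otp = combined[:-digits], combined[-digits:]
    if not otp.isdigit():
        raise ValueError(f"last {digits} characters are not a numeric OTP")
    return password, otp


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (Unix time // step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def verify_credential(combined: str, expected_password: str, secret: bytes,
                      at: Optional[float] = None, window: int = 1) -> bool:
    """True only if the static password matches AND the OTP is valid for the
    current step or one of the `window` neighbouring steps. Both comparisons
    are constant-time, and we always evaluate both so timing does not reveal
    which half was wrong."""
    try:
        password, otp = split_credential(combined)
    except ValueError:
        return False
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    now = time.time() if at is None else at
    step_now = int(now // STEP_SECONDS)
    otp_ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step_now + delta), otp):
            otp_ok = True
    return password_ok and otp_ok


if __name__ == "__main__":
    # Demo with the RFC 6238 test seed (constructed input, not a real user's secret).
    seed = b"12345678901234567890"
    code = totp(seed)
    print("current code:", code)
    print("verifies:", verify_credential("!test1234!" + code, "!test1234!", seed))
```

The `window` argument is the usual answer to the clock-skew problem between the phone and the server; keep it small, because every extra step you accept multiplies the number of codes an attacker could guess at once.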

Here's a diag test from the Fortigate appliance that shows a PAP RADIUS request and the values sent to our OneLogin RADIUS server. With PAP the combined password+otp travels in the User-Password attribute protected only by the RADIUS shared secret, so use a long, random shared secret for this client.


Here's SSH access being tested for the user demosocpuppets.



And finally the boring RADIUS configuration in FortiOS:

{ radius server }


{ group defined }


{ user account set for external authentication }



OneLogin has a few advantages over JumpCloud, but both are equally great platforms.

First off, the logs are great and the format is very simple to read.





And second, you can set login failure thresholds and a lockout (hold-out) period in the OneLogin policy.




This, along with the on-appliance lock-on-failure settings, really secures the appliance and users.


OneLogin also has some pre-defined reports and makes it easier to assume (impersonate) a user. The WebUI layout is just basically better.

The API interface is pretty awesome and uses a token granted based off your client ID and secret. The life of the token is 1 hour.
Sample API calls using cURL. Two notes on these examples: <fromportal> stands for the client ID and client secret you copy from the OneLogin developer page, and -k tells curl to skip TLS certificate verification. That flag was only for lab convenience; leave it off when you talk to the real API, otherwise the bearer token and any passwords you send are exposed to whoever can intercept the connection.

    { request a new token }

    curl -H "Authorization: client_id:<fromportal>, client_secret:<fromportal>" -k -H "Content-Type: application/json" -d '{ "grant_type":"client_credentials" }' https://api.us.onelogin.com/auth/oauth2/token

    { check rate limits }

    curl -k -H "Authorization: bearer:bacf325e9fc62bd8314bb3293f714e8a9a27ebfabffc10b2f492131101e055e2" https://api.us.onelogin.com/auth/rate_limit

    { get a list of users }

    curl -k -H "Authorization: bearer:bacf325e9fc62bd8314bb3293f714e8a9a27ebfabffc10b2f492131101e055e2" https://api.us.onelogin.com/api/1/users

    { get events }

    curl -k -H "Accept: application/xml" -H "Authorization: bearer:bacf325e9fc62bd8314bb3293f714e8a9a27ebfabffc10b2f492131101e055e2" https://api.us.onelogin.com/api/1/events/

    { lock a user }

    curl -X PUT -k -d '{ "locked_until":"10" }' -H "Accept: application/xml" -H "Authorization: bearer:bacf325e9fc62bd8314bb3293f714e8a9a27ebfabffc10b2f492131101e055e2" https://api.us.onelogin.com/api/1/users/58498736/lock_user

    { change a user password }

    curl -X PUT -H "Content-Type: application/json" -k -d '{ "password":"socpuppets12345678", "password_confirmation":"socpuppets12345678" }' -H "Accept: application/xml" -H "Authorization: bearer:da242c58d2c76ef16b6652b163c5c25936f4b0a3a4e9dc841d69e68132c799da" https://api.us.onelogin.com/api/1/users/set_password_clear_text/58498736
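The curl one-liners above hide the one piece of state you have to manage in a script: the token that expires after an hour. Here is an added example (my own code, not OneLogin's SDK and not from the original post) of a small client that wraps the same calls, sends the v1 header formats shown above (`client_id:..., client_secret:...` for the token request and `bearer:<token>` afterwards), and re-issues the token when its lifetime runs out. The injectable `transport` and `clock` parameters and the `FakeTransport` class are constructed test scaffolding so the demo runs offline; the default transport uses `urllib` with certificate verification on, unlike `curl -k`. Reading `expires_in` from the token response and falling back to 3600 seconds is this example's assumption.

```python
"""OneLogin v1 API client mirroring the curl calls (added example, not OneLogin's SDK).
transport(method, url, headers, body) -> (http_status, response_bytes) is an
assumption of this example so it can be exercised offline with FakeTransport."""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method, url, headers, body) -> Tuple[int, bytes]:
    """Real HTTPS transport. Unlike 'curl -k' it verifies the server certificate."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class OneLoginClient:
    def __init__(self, client_id: str, client_secret: str,
                 base_url: str = "https://api.us.onelogin.com",
                 transport: Transport = urllib_transport,
                 clock: Callable[[], float] = time.time) -> None:
        self.client_id, self.client_secret = client_id, client_secret
        self.base_url, self.transport, self.clock = base_url, transport, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.token_requests = 0  # counts token fetches so the demo can show renewal

    def _fetch_token(self) -> None:
        """POST /auth/oauth2/token using the v1 header format from the curl example."""
        headers = {"Authorization": f"client_id:{self.client_id}, client_secret:{self.client_secret}",
                   "Content-Type": "application/json"}
        body = json.dumps({"grant_type": "client_credentials"}).encode()
        status, raw = self.transport("POST", self.base_url + "/auth/oauth2/token", headers, body)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        doc = json.loads(raw)
        # v1 wraps the payload as {"status": ..., "data": [{...}]}; accept a flat body too
        data = doc["data"][0] if isinstance(doc.get("data"), list) else doc
        self._token = data["access_token"]
        # the post says the token lives one hour; honour expires_in if sent and renew 60 s early
        self._expires_at = self.clock() + int(data.get("expires_in", 3600)) - 60
        self.token_requests += 1

    def bearer_header(self) -> Dict[str, str]:
        """Return the 'bearer:<token>' header, fetching a new token if none or expired."""
        if self._token is None or self.clock() >= self._expires_at:
            self._fetch_token()
        return {"Authorization": f"bearer:{self._token}"}

    def _call(self, method: str, path: str, payload: Optional[dict] = None):
        headers, body = self.bearer_header(), None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, raw = self.transport(method, self.base_url + path, headers, body)
        return status, (json.loads(raw) if raw else None)

    def rate_limit(self):
        return self._call("GET", "/auth/rate_limit")

    def users(self):
        return self._call("GET", "/api/1/users")

    def lock_user(self, user_id: int, minutes: int):
        return self._call("PUT", f"/api/1/users/{user_id}/lock_user", {"locked_until": minutes})


class FakeTransport:
    """Constructed offline stand-in for the API: records requests, issues a fresh
    token per token request, and rejects calls that do not carry the current one."""
    def __init__(self) -> None:
        self.calls, self.tokens_issued = [], 0

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, dict(headers), body))
        if url.endswith("/auth/oauth2/token"):
            if not headers.get("Authorization", "").startswith("client_id:"):
                return 401, b'{"status":{"error":true,"code":401}}'
            self.tokens_issued += 1
            data = {"access_token": f"tok{self.tokens_issued}", "expires_in": 3600}
            return 200, json.dumps({"status": {"error": False, "code": 200}, "data": [data]}).encode()
        if headers.get("Authorization") != f"bearer:tok{self.tokens_issued}":
            return 401, b'{"status":{"error":true,"code":401,"message":"Unauthorized"}}'
        return 200, b'{"status":{"error":false,"code":200},"data":[]}'


def demo() -> dict:
    """Two calls an hour apart: the second must transparently renew the token."""
    fake, now = FakeTransport(), [1_000_000.0]
    client = OneLoginClient("id-from-portal", "secret-from-portal", transport=fake, clock=lambda: now[0])
    first_status, _ = client.users()
    now[0] += 3600                       # an hour later the first token has expired
    second_status, _ = client.lock_user(58498736, 10)
    return {"first": first_status, "second": second_status, "token_requests": client.token_requests,
            "last_auth_header": fake.calls[-1][2]["Authorization"], "lock_body": json.loads(fake.calls[-1][3])}


if __name__ == "__main__":
    print(demo())
```

Against the real API you would construct `OneLoginClient` with the defaults; the fake is only there so the renewal logic can be checked without a tenant.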

    
If you try something outside of your permissions you will get a response similar to the top photo vs. the bottom.



And on password changes, the confirmation will quickly tell you whether you succeeded or not:




All API admin activities are logged in the event audit traces.




In closing, MFA is the method we all should be using to secure access via SSH, the web GUI, IPsec dial-up, and SSL VPN. OneLogin can secure all aspects of firewall access. You can read more at one of my earlier posts:


I've been securing Fortigates and FortiMail with MFA authentication for over 6 years now. The same configuration applies to other vendor products (JNPR, PANW, etc.).
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \