Thursday, April 27, 2017

Securing Fortigate SSLVPN with MFA by using Duo and JumpCloud

In this blog I will demo a simple deployment for MFA & with fortigate SSLVPN service.

MFA  means "Multi Factor Authentication"

The general  fortinet community has been mislead to believe that you need a overprice forti-authenticator and a fortitokens solutions which does work & works good btw,   but comes at a higher price from a CAPEX.

Pls  refer to my  previous   post on fortitoken and Macosx and how the fortitoken works.

$$$  Fortitoken are about on part with Duo cost per-seat and others. $$$ But   the fortitoken approach can not be used to  MFA other applications. Duo can be used from anything from  Citrix , Mail, VPn, DropBox and other systems. They look at each "service" as securing an "application"

So within both  DuoSecurity and JumpCloud,  we will use  MFA for simple 1st-factor &  2nd-factor authentication. The 1st factor is strictly ALL  JumpCloud, &  by using the RADIUS-aaS service.

The 2nd factor is via the Duo Push notification services &  to a registered end-user .  They both rely on the Duo-RADIUS-PROXY application.

From the end-user he/she will need  a mobile device and the Duo IOS/Android app installed on a mobile phone and actively enrolled.

I believe blackberry is not supported at this time

So the enrollment process is  very simple,  the  Duo Admin will craft a user in the DuoPortal. You only need the username and email address of the end-users. They  have the means for a bulk deployment if you have quite a few users to enroll at one give time.

A default or custom  enrollment email will be sent to the user via email and after a few quick checks and picture of a QRcode you will be enrolled and active.

This follow inline with almost all other TOTP  solution from  Goog-Authenticator , YubiKey, EntrustIdGuard,Solidpass, Authy, etc..... So I'm not going to go into details on enrollment.

Once you have user(s) in Duo that's activated,  each user could be tied to groups and policies based on that "application", this key since you can grant   unique access requirements and policies.

userA  VPN  & CITRIX access  secured MFA
userB  VPN-only  via MFA
userC  VPN & Citrix  & DropBox &  SystemAccess  via MFA
userD  VPN & RDP acces via MFA

 Think of  securing each applications uniquely,  and for that specific user or  user-groups.

Now when you 1st setup Duo,   your DUO admin access will be challenge every time and you can select the identification methods / Push / Text Call

e.g ( DUO admin   access )

Within the  portal you will toggle down and craft your Duo users as required and  the system with send the default or custom enrollment  email that  explains that  the user he is pending a enrollment in companyXYZ MFA solution.

e.g ( here's user:socpuppets being setup for enrollment  , take note of the SSLVPN group I've craft earlier, I will explain that later )

NOTE: I didn't want to  go into many details on  user enrollment that process is simple and mean video/kb exist from Duo and others on enrollment. If you can't manage a simple enrollment-process everything else here would be to complex for you ;)

Now that we have went briefly over enrollment process let's look at the key  Duo items that we will need  for configuration of the  Duo-Radius-Proxy on our windows or linux  host. I will demo the RADIUS cfg  file for a DEBIAN based host running in GOOG CLOUD COMPUTE

1st let's  review our topology;

  in google  at my  GCPinstance  I  had port  udp:1812 tied to another radius applicaton ( FREERADIUS ) so I choose a new port# just  for  the  Duo-RADIUS-PROXY udp:1822

The fortliclient  users will be authenticate,  by the fortigate  during the SSLVPN connection and based on the RADIUS-Accept/Reject will  gain access.

So the deployment steps are simple

1: gather your Duo Portal API details ( available  in your  portal login for the admin )

2: configure the GCP debian host for Duo RADIUS PROXY

3: gather your jumpCloud  RADIUS-aaS details ( ipv4 address, secret ,etc......)

4: hook all of it together

5: start the  Duo RADIUS-PROXY and  be happy ;)

So if you paid  any attention in  the Duo Admin setup you where presented a screen with these details
similar to the following;

These  informational pieces are  very critical you will the need the iKEY and SEC-KEY and target later on for any firewall rules. So save this information off  somewhere you can always review it late via the admin access and the DuoPortal.

On the fortigate it's simple but you need a radius server configuration. The Server will be the actual  device you have the  RADIUS_PROXY configured on. It could be local or in the cloud , but the device  must have a secret_define and RADIUS_PORT# . I ve covered this in previous recent post and  fortinet has cookbooks out for  how to configure radius-auth


   I'm using not-wellKnownPort # of udp:1822 for RADIUS-AUTH in this example. The secrete I defined here would be the same RADIUS secret we will use on the DuoRADIUS_PROXY_CFG

DO NOT CONFUSE THE  RADIUS PROXY and the JumpCloud RADIUS-aaS configuration. Think of the  DuoProxy as front-end and the JumpCloud is the backend. The fortigate device will TALK to the  Duo on the front-end and  Duo talks to JumpCloud on the backend.

Now we will setup the Duo-RADIUS-proxy server we will stroke this in the cloud.

The duo-proxy setup can be follow from a simple  HOWTO that's available on Duo website

My cfg looked  similar to the following  on my debian instance

  I redacted critical details from this screenshot

After you have the  instance  up,  you can plumb firewall rules in GCP to allow traffic to the RADIUS_PROXY.

By using tcpdump , you can diagnose  fortigates ( clients )  that are not able  to AUTHENTICATE to RADIUS_PROXY.

sample  fw_rule

GCP firewall  with udp:1822 set

Okay now that you have all this configured,   you can  validate function by authenticating a user from  the  fortigate. If all was correctly configured & working;

FORTIGATE ( radius client )

Than the end users that's enrolled and part of the Duo SSLVPNGroup would get a challenge in the fashion of a push to his/her  mobile device that  they used to enroll.

Here you can  Accept or Deny via a simple push notification ( no 6 digit passcode )

  Duo allows you to craft "specific text for  the push message" so you  know what your accepting. Most other systems just blindly send you a  notification but for what application, is never known. This is helpful if you use Duo to secure multiple  application and what a custom notification message for each application.

Now groups,

Groups in Duo is the key to all things. For  the SSLVPN fortigate you can have many groups allow users in just that group. These groups could be inherit into Duo for simplistic matching.  So group at the company fortigate(s) could tie back to the same group in  DuoSecurity.

In this demo, I have a group name   sslvpn for the fortigate SSLVPN solution.

Let's explore some reporting & logs ;

locally the  radiusproxy logs are stored at the directory on my linux instance;


It provides MFA related messages for 1st and 2nd factor. Here's example of "chap" login failure from the radius_client and latter  a pap login request that was successful.

From  fail_auth you can get lockout alerts and run reports from DuoSecurity portal. One cool thing on lockouts, you can lockout and require MFA-admins to re-active


Set lockdown thresholds and holdout,  and after the holdout timer has expired, the account will be re-activated automatically

Image result for Cool


Authentication logs within the DuoSecurity portal are very detail and helpful in  determining if a request ever made it to Duo and by what applications.

e.g  ( csv log-format )

e.g  ( json format  user enrollment )

So within  the Duo portal you can determine with ease the  success and failures , and enrollment status for a user. So that's all that it takes.

Enjoy  Duo  and  JumpCloud for your SSLVPN fortigate solutions that need MFA.

Meep .........Meep, I got to run.

Ken Felix
Security Engineer

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \

No comments:

Post a Comment