Cisco Duo with Fortigate VPN

FortiGate Remote Access VPN with Cisco Duo MFA works by integrating Duo’s two-factor authentication into the VPN login flow. When a user connects through SSL-VPN or IPsec VPN on the FortiGate, they first authenticate with their primary credentials, then Duo pushes a second-factor challenge before granting access. This ensures only verified users can establish a secure VPN session.

Enabling Duo MFA

Here we have a working FortiGate IPsec remote access VPN that uses local users to log in.

To enable Duo, we'll follow much the same implementation as this one. First, make sure the user exists in Duo with the same username as in AD.

Then we add a Protected Application. Duo already provides a template for FortiGate SSL VPN, so let's use that; we actually use IPsec, but the authentication process is the same.

Copy all the necessary credentials

And configure it on the Duo Proxy Server
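The proxy-side configuration described above, as an added example that is not the post's own file: a constructed `authproxy.cfg` for the Duo Authentication Proxy in which `[ad_client]` performs primary authentication against AD and `[radius_server_auto]` exposes the Duo challenge to the FortiGate as a RADIUS server. All hosts, DNs, secrets and Duo keys are placeholders.

```ini
; Constructed example authproxy.cfg (Duo Authentication Proxy), not the original post's file.
; Every value below is a placeholder; replace hosts, DNs, secrets and Duo keys with your own.

[ad_client]
; Primary authentication: the proxy validates the username/password against AD
host=10.0.0.10
host_2=10.0.0.11
service_account_username=duo-svc
service_account_password=CHANGE_ME_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=local
; Use LDAPS so the AD bind does not cross the network in clear text
transport=ldaps
ssl_ca_certs_file=/opt/duoauthproxy/conf/ad-ca.pem

[radius_server_auto]
; Duo application credentials copied from the "FortiGate SSL VPN" protected application
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CHANGE_ME_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; Which section above performs primary authentication before the Duo push
client=ad_client
; The FortiGate is the RADIUS client; this secret must match the RADIUS server object on the FortiGate
radius_ip_1=10.0.0.1
radius_secret_1=CHANGE_ME_RADIUS_SECRET
port=1812
; secure: reject logins when the Duo cloud is unreachable ("safe" would admit users on primary credentials alone)
failmode=secure
```

The FortiGate RADIUS server object must point at the proxy's address on port 1812 with the same `radius_secret_1`; with `failmode=secure`, a Duo outage fails closed instead of letting VPN logins through without the second factor.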

Next, on the FortiGate, create a new RADIUS server pointing to the Duo proxy server.

We can also test the MFA right from this menu.

Then add the newly created RADIUS object to the VPN user group that's used in the VPN configuration.

We also increase the RADIUS timeout to give users time to approve the MFA prompt.

Now, if we connect to the VPN using AD users, we're prompted for Duo MFA.

We can still connect to the VPN as a local user with no MFA, because that local user is still a member of the VPN user group; only logins that are passed to the RADIUS (Duo) member of the group get the second-factor challenge.

This post is licensed under CC BY 4.0 by the author.