Hello,
We have a customer currently using an IPsec VPN with a pre-shared key, and they would like to start using Microsoft MFA to authenticate the VPN. The user accounts are currently in an on-prem Active Directory environment, with Microsoft 365 for email accounts. What would be the best solution to achieve what the customer is requesting?
The traditional solution with third-party 2FA is RADIUS, where the RADIUS server would handle the 2FA prompting (either via Access-Challenge, or out-of-band).
This would usually be IKEv1 + XAUTH (which lets you do PSK + username/password + 2FA).
With IKEv2 you’d have to drop the PSK and switch end-users to EAP (each side can authenticate itself with one of PSK / plain certificate auth / EAP, exclusively), then let the endpoint talk EAP with the RADIUS server.
A modern and very recently implemented solution would be to use SAML. This is implemented on top of IKEv2 only, as a customized EAP exchange + magic dust. FortiClient required, as this is not a standardized solution.
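The RADIUS route described above (the server does the second-factor prompt itself via Access-Challenge) as an added, runnable illustration that is not part of the original thread: a minimal RFC 2865 exchange in which the NAS (the VPN gateway) sends the password, the server answers Access-Challenge carrying a State attribute and a Reply-Message prompt, the NAS resends with the OTP and the same State, and the server answers Access-Accept or Access-Reject. The shared secret, user, password and OTP are constructed demo values; PAP User-Password hiding is used for simplicity where a real deployment would more likely run EAP or MS-CHAPv2 over the same exchange.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Constructed demo data (not real credentials): shared secret and one user
# with the password and the OTP the server expects as the second factor.
SECRET = b"demo-shared-secret"
USERS = {"alice": (b"Correct-Horse", b"123456")}
PENDING = {}  # server side: State value -> username whose OTP is still pending


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def pap_xor(password, request_auth, secret):
    # RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    # MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += prev
    return out


def pap_unxor(cipher, request_auth, secret):
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")  # demo simplification: trailing NULs are dropped


def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def reply(code, ident, request_auth, attrs):
    return build(code, ident, response_authenticator(code, ident, request_auth, attrs, SECRET), attrs)


def radius_server(pkt):
    """Server side: check the password, then demand the OTP via Access-Challenge."""
    code, ident, req_auth, attrs = parse(pkt)
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    provided = pap_unxor(a.get(USER_PASSWORD, b""), req_auth, SECRET)
    if STATE in a:  # second round: State ties this OTP to the earlier password check
        expected_user = PENDING.pop(a[STATE], None)
        ok = expected_user == user and hmac.compare_digest(provided, USERS[user][1])
        return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
    if user in USERS and hmac.compare_digest(provided, USERS[user][0]):
        state = os.urandom(8)
        PENDING[state] = user
        return reply(ACCESS_CHALLENGE, ident, req_auth, [(STATE, state), (REPLY_MESSAGE, b"Enter OTP")])
    return reply(ACCESS_REJECT, ident, req_auth, [])


def send(ident, req_auth, attrs, secret, server):
    """NAS side: one Access-Request, with the Response Authenticator verified."""
    code, r_ident, r_auth, r_attrs = parse(server(build(ACCESS_REQUEST, ident, req_auth, attrs)))
    expected = response_authenticator(code, ident, req_auth, r_attrs, secret)
    if r_ident != ident or not hmac.compare_digest(r_auth, expected):
        raise ValueError("bad Response Authenticator: forged reply or secret mismatch")
    return code, dict(r_attrs)


def vpn_login(user, password, otp, secret=SECRET, server=radius_server):
    """What the VPN gateway does for one user; returns the final RADIUS code."""
    auth1 = os.urandom(16)
    code, attrs = send(1, auth1, [(USER_NAME, user.encode()),
                                  (USER_PASSWORD, pap_xor(password, auth1, secret))], secret, server)
    if code != ACCESS_CHALLENGE:
        return code
    # The gateway shows attrs[REPLY_MESSAGE] to the user, then resends with the State echoed.
    auth2 = os.urandom(16)
    code, _ = send(2, auth2, [(USER_NAME, user.encode()),
                              (USER_PASSWORD, pap_xor(otp, auth2, secret)),
                              (STATE, attrs[STATE])], secret, server)
    return code
```

The client verifies the Response Authenticator on every reply, which is what prevents a spoofed Access-Accept from a host that does not hold the shared secret; a wrong secret on either side therefore fails closed with an error rather than a silent accept. Since the whole exchange is protected only by an MD5 construction over a static secret, run RADIUS over a protected path (a management VLAN or RadSec) in practice.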
This sounds like a can of worms. I’d sort out their tenant and get the environment hybrid joined if possible for the best experience. This’ll enable a nice end-user experience and only require the end user to use Microsoft Authenticator, as the laptop becomes an auth method.
Once you get it squared away, Google ‘Fortigate EntraID IPSEC VPN’ and follow the guide; you should be able to get it squared away in a couple of hours if there are no issues. Not sure if they’ve updated the docs, but you can check my comment history for some issues/corrections I had with the documentation a few months back.
I implemented this in my home lab and it works like a charm
The SAML route was what I was looking at. Just wondering, would I need to set up Microsoft AD Connect to sync the on-prem accounts into 365 before testing this, or will it work with the users’ 365 email accounts?
What if I were to do away with the IPsec VPN and move them onto SSL VPN? Would there be a need for hybrid-joining devices?
With IPSEC?
We use Azure auto-login with the SSL VPN. I’d like to move to IPsec, but that adds an overhead of management for third-party suppliers that connect.
Do you really have separate accounts for Entra ID and Office 365?
Either way, you need accounts in Entra ID.
Got this to work in a lab a while back; you can just use the O365 accounts. However, if you have users you would like to sync from AD only for the purpose of SAML login, you can use them as well. However, the login name has to be [email protected]. You can also look at conditional access to force use of Authenticator for those on-premises users.
It’s the same concept; it uses the same enterprise app for SAML, and the configuration is pretty much the same, you just target the SSL VPN.
The question I’d have to ask is why you’d want to use an SSL VPN if you could use IPsec? There are constant new exploits with SSL VPNs, and not just Fortigate, other vendors as well. Why stress about that when you can deploy a much more secure alternative, the IPsec dial-up VPN, with the same end-user experience?
Btw, you don’t NEED to hybrid join or clean up your Entra ID environment like I suggested, but it will provide the best end-user experience. If you don’t have syncing and password writeback between cloud and on-prem, it’s one more credential your end user has to manage.
Not sure if you’d get the full SSO experience without being hybrid joined either, as I’ve only ever tested this in either a fully Entra ID or a hybrid environment.
If you have any questions feel free to lmk, I’ve done this a number of times and happy to help.
Yes, IPsec VPN with SAML, but I used FAC. It was either that or do emergency patches every time there was a new 0-day SSL VPN vulnerability.
Hey, thanks for this. There is a conversation with the customer about setting up AD Connect and hybrid joining the devices, I will push for that before setting this up.