Is NPS required for VPN and DUO?

Howdy,

We are set up with DUO using the proxy for AD (on-prem) logins. Looking to enable DUO with our SSL VPN as well. Looking through the guides I can find, it seems the NPS function on Windows Server is needed. Is that true?

We would prefer to not use NPS if possible.

NPS isn’t needed, the Duo Auth Proxy can do password validation against AD via LDAP before doing the MFA validation with the cloud.

No, but it's what we use. Fortigate points to Duo proxy, which forwards the request to NPS. You could use AD lookups instead on the Duo Proxy server if you don't want NPS. We use NPS for other things too, like with AAD compliance checks.
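The two proxy setups described in the replies above (AD lookup on the Duo Auth Proxy itself, or forwarding to NPS), shown as an added `authproxy.cfg` example that is not from the thread or from Duo's documentation. Hostnames, IPs, DNs and the `ikey`/`skey`/`api_host` values are placeholders you would replace with your own; the section and key names are the Duo Auth Proxy's real ones.

```ini
; --- Option 1: no NPS. The proxy checks the password against AD over LDAP,
;     then does the Duo MFA step with the cloud. (Placeholder values.)
[ad_client]
host=dc1.example.internal
host_2=dc2.example.internal
service_account_username=svc-duo-ldap
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=internal
; Only members of this group are allowed through; anyone else fails
; before the MFA prompt ever happens (the "single group membership" check
; described later in the thread).
security_group_dn=CN=VPN Users,OU=Groups,DC=example,DC=internal

; --- Option 2: keep NPS. The proxy forwards the primary credential check
;     to NPS as a RADIUS client instead of talking to AD itself.
;     Uncomment this section and set client=radius_client below.
;[radius_client]
;host=nps1.example.internal
;secret=REPLACE_WITH_NPS_SHARED_SECRET

; --- The side the FortiGate talks to. It listens for RADIUS from the
;     firewall, runs primary auth through the chosen client, then MFA.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-xxxxxxxx.duosecurity.com
; The FortiGate's address and the shared secret you set on the firewall.
radius_ip_1=10.0.0.1
radius_secret_1=REPLACE_WITH_FORTIGATE_SHARED_SECRET
; "safe" (the default) lets logins through on primary auth alone if the
; Duo cloud is unreachable; "secure" fails them closed instead.
failmode=secure
; Switch to radius_client to route the password check through NPS.
client=ad_client
port=1812
```

The `security_group_dn` line is the part that decides whether MFA is even attempted, so keep that group tightly scoped to VPN users; and if you choose `failmode=safe`, remember that a cloud outage turns the VPN into password-only authentication for its duration.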

In theory you can integrate DUO with Azure AD as a custom control and then integrate Forti remote access with Azure AD via SAML IDP. Here is the demo https://youtu.be/nDH2wvveLrI

Do you know of a guide for this particular setup? We already have FGT pointed at LDAP and the DUO Proxy for PC logins on the LDAP server.

No, nothing beyond Duo's own documentation https://duo.com/docs/fortinet. I thought it was pretty trivial. You ditch the Fortigate LDAP configuration in favor of a RADIUS config talking to the Duo Auth Proxy.

We just moved over to NPS to get us more flexibility with different groups for different users.

Our previous setup had the FortiGate user group pointed at a server that had DUO running on it. The DUO config used LDAP to check a single group membership for VPN users, and if the user was in that AD group, 2FA succeeded.

It sounds like you have the DUO side set up, but on the FG, create a RADIUS server that is the server running DUO, create a user group and add the RADIUS server as a remote server in that group, then on the SSL settings page tie the user group to a realm/portal.
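The FortiGate-side steps from the reply above, as an added FortiOS CLI example (not from the thread or from Fortinet/Duo documentation). The server address, shared secret, group name and portal name are placeholders; the object names and settings are standard FortiOS ones.

```text
# 1. RADIUS server object pointing at the box running the Duo Auth Proxy.
#    PAP is what the proxy's AD/LDAP primary auth supports.
config user radius
    edit "duo-auth-proxy"
        set server "10.0.0.5"
        set secret REPLACE_WITH_FORTIGATE_SHARED_SECRET
        set auth-type pap
    next
end

# 2. User group with the RADIUS server as its remote member.
config user group
    edit "vpn-duo-users"
        set member "duo-auth-proxy"
    next
end

# 3. Tie the group to an SSL VPN portal in an authentication rule.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-duo-users"
            set portal "full-access"
        next
    end
end

# 4. The default remote-auth timeout is shorter than the time it takes a
#    user to approve a push; raise it so the RADIUS request does not time
#    out while they are still looking at their phone.
config system global
    set remoteauthtimeout 60
end
```

A quick check after applying this: the FortiGate's RADIUS test (`diagnose test authserver radius duo-auth-proxy pap <user> <password>` from the CLI) should trigger a Duo prompt and then return success; if it returns success with no prompt, the firewall is still hitting the old LDAP path rather than the proxy.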