Azure MFA is not working with Fortinet VPN client

Rakesh Kumar 461 Reputation points
2022-01-03T10:52:52.533+00:00

Hi,

Has anyone configured MFA for the Fortinet VPN client? I'm following the link below to configure it, but user authentication fails at 80% directly. There is no entry in the RADIUS (NPS) log file, so NPS doesn't even try to authenticate any user there. Has anyone configured this and had it work as expected? If yes, can you please guide me on this?

https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/azure-administration-guide/517582/configuring-forticlient-vpn-with-multifactor-authentication.

Configuration details -

  1. Fortinet firewall with VPN
  2. Client connects at public IP
  3. Fortinet VPN transfers package using internal IP (10.10.xx.xx) to NPS server
  4. NPS server is Windows 2019 running on a VM

1 answer

  1. Rakesh Kumar 461 Reputation points
    2022-02-09T09:03:15.91+00:00

    @JamesTran-MSFT ,

    The issue has been solved now after doing lots of troubleshooting. Below are the actions taken to solve the issue.

    1. Disabled the NPS extension for MFA by removing the entry from the registry (HKLM\System\currentcontrolset\services\Authsrv\Parameters)
    2. Disabled all default connection and network policies in NPS
    3. Changed the type of network access server from "Remote Access server (VPN-Dial up)" to "Unspecified"
    4. On the Fortinet VPN server, enabled primary authentication from the NPS server and ensured group matching is configured correctly

    The above steps helped us to solve the issue and ensure that primary authentication works properly. Once primary authentication was confirmed, we restored the registry setting for the NPS extension and reran .\AzureMfaNPsExtnConfigsetup.ps1. After that we retested the VPN access and MFA, and finally it worked with all MFA options available.

    Please note that Fortinet VPN uses PAP as authentication protocol.

    2 people found this answer helpful.
