The fortigate device will TALK to the Duo on the front-end and Duo talks to JumpCloud on the backend. Think of the DuoProxy as front-end and the JumpCloud is the backend. The secrete I defined here would be the same RADIUS secret we will use on the DuoRADIUS_PROXY_CFGĭO NOT CONFUSE THE RADIUS PROXY and the JumpCloud RADIUS-aaS configuration. I'm using not-wellKnownPort # of udp:1822 for RADIUS-AUTH in this example. I ve covered this in previous recent post and fortinet has cookbooks out for how to configure radius-auth It could be local or in the cloud, but the device must have a secret_define and RADIUS_PORT#. The Server will be the actual device you have the RADIUS_PROXY configured on. On the fortigate it's simple but you need a radius server configuration. So save this information off somewhere you can always review it late via the admin access and the DuoPortal. These informational pieces are very critical you will the need the iKEY and SEC-KEY and target later on for any firewall rules. UserC VPN & Citrix & DropBox & SystemAccess via MFA Once you have user(s) in Duo that's activated, each user could be tied to groups and policies based on that "application", this key since you can grant unique access requirements and policies. So I'm not going to go into details on enrollment. This follow inline with almost all other TOTP solution from Goog-Authenticator, YubiKey, EntrustIdGuard,Solidpass, Authy, etc. They have the means for a bulk deployment if you have quite a few users to enroll at one give time.Ī default or custom enrollment email will be sent to the user via email and after a few quick checks and picture of a QRcode you will be enrolled and active. You only need the username and email address of the end-users. So the enrollment process is very simple, the Duo Admin will craft a user in the DuoPortal. I believe blackberry is not supported at this time They both rely on the Duo-RADIUS-PROXY application.įrom the end-user he/she will need a mobile device and the Duo IOS/Android app installed on a mobile phone and actively enrolled. The 2nd factor is via the Duo Push notification services & to a registered end-user. The 1st factor is strictly ALL JumpCloud, & by using the RADIUS-aaS service. So within both DuoSecurity and JumpCloud, we will use MFA for simple 1st-factor & 2nd-factor authentication. They look at each "service" as securing an "application" Duo can be used from anything from Citrix, Mail, VPn, DropBox and other systems. $$$ But the fortitoken approach can not be used to MFA other applications. $$$ Fortitoken are about on part with Duo cost per-seat and others. Pls refer to my previous post on fortitoken and Macosx and how the fortitoken works. The general fortinet community has been mislead to believe that you need a overprice forti-authenticator and a fortitokens solutions which does work & works good btw, but comes at a higher price from a CAPEX. In this blog I will demo a simple deployment for MFA & with fortigate SSLVPN service.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |