I have created a group in AD Firewall_Admins as above to allow users access based on group membership - it’s a pain adding and removing users manually from firewalls so for me centralised RBAC = win. I’m using FortiOS 5.4.1 in my lab so your UI will likely look a little different, but it can be found in the User & Device section - we are going to configure a RADIUS Server with the below settings (note the active/backup radius servers): Now your proxy is listening so it’s time to configure the Fortigate. If for whatever reason it fails to startup, go diving for logs in Event Viewer they are usually helpful and Google-able. Navigate to and open this file with wordpad as administrator (notepad messes with spacing and encoding): Install on your chosen machine (very Next -> Next -> Finish type deal) and now for the actual setup. I’m using AD, so my auth proxy is going to live on Windows for handiness, you can of course run them on linux of you wish as well - either way you can get them here ↗. This protects against app failure, VM failure and host failure (DRS anti-affinity rule).Īs for any 2FA system, have backup keys as well as an unused admin user with a very long and complex password. Next we need to download the proxy, I typically install one on DC1 and another on DC2 with their primary auth methods pointed at themselves, with the other as a backup. Take note of the three credentials at the top Integration Key, Secret Key and API Hostname. I also like to change the username normalisation to Simple as it will accept any of the given formats, which is fine by me. Give it a meaningful name as multiple can be used across multiple sites - I’ve named mine MGIO-Lab-RADIUS-Proxy I find it helps to prepend a site name or domain to the start to make it more obvious in future. We’ll start by creating an application, navigate to the Protect an Application page, the number of apps is pretty overwhelming, but we are looking for RADIUS and then hit Protect this Application: You’ll need to sign up ↗ and add your mobile verification method. The beautiful part is it is completely application agnostic, the only requirement from the app is the ability to query a RADIUS or LDAP server. Helpfully, Duo have an auth proxy ↗ that will sit between the firewall and our actual auth source, check the credential against the primary auth source, then send a push to your mobile device before sending the auth approved message back to the firewall - essentially giving you two factor for any device that can use LDAP/RADIUS as a backend auth mechanism, like below: However, there are a lot of services that don’t offer native integration, Fortigate as a case-in-point are a vendor that only allow their own tokens to be used - however you can have your VPN and firewall admin users auth against LDAP/RADIUS. They have an insane number of application integrations ↗ possible natively. I have been using Duo ↗ recently for a lot of my 2FA accounts, mainly because I really like their “push” 2FA service, no need to type in any timed code, just tap approve on your phone/watch/whatever. (Who wants a hardware token or a paid for token nowadays? no thanks). However, I haven’t protected my publicly accessible firewall with 2FA - mainly because there is no real built in method for using industry standard apps with it. I protect any account I have with two factor auth, at least the ones that support it (this site for example has 2FA for admin logon), it’s not that inconvenient (especially not with Authy/Duo) and greatly increases security of your critical accounts.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |