My boss values the ability to authenticate via MFA with Azure AD, while I prefer the tranquility of using IPsec for Client VPN since it has fewer vulnerabilities.
As far as I know there is no way to use IPsec VPN with SAML. My boss says maybe we can configure SAML authentication in a RADIUS server and authenticate the VPN to the RADIUS server, but I couldn’t find any documentation on this. Has anyone done this? Is it possible?
I’m also curious about what you guys are using and recommending for VPN with Fortigate.
You are far better off using client certificates for IPsec dial-up auth… with any vendor… you can do AuthZ on the SAN back to LDAP etc. as well. The certificate installed on the device is your second factor…
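An added example (not from this thread, and not any vendor’s code) of what “AuthZ on the SAN back to LDAP” looks like mechanically, written in Go with only the standard library. Assumptions: a throwaway CA is generated in-process to stand in for the device PKI, the user identity is carried in an rfc822Name SAN (many AD deployments use the UPN otherName instead, which Go’s x509 package does not parse directly), and a constructed in-memory map stands in for the LDAP group lookup. The gateway side first checks possession of a valid device certificate (the second factor), then keys the directory lookup on the SAN rather than the subject CN and enforces a required group.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// directory is a constructed stand-in for the LDAP/AD lookup keyed on the SAN value:
// identity -> group memberships. A real gateway would query the directory with the SAN.
var directory = map[string][]string{
	"alice@example.com": {"vpn-users", "staff"},
	"bob@example.com":   {"staff"},
}

// CA is a throwaway issuing CA (assumed for this example) that mints device certificates.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool // the trust anchor the VPN gateway is configured with
}

// NewCA creates a self-signed CA valid around the supplied time.
func NewCA(now time.Time) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{Cert: cert, Key: key, Pool: pool}, nil
}

// IssueDeviceCert mints a clientAuth certificate whose rfc822Name SAN carries the user
// identity. validFor is a parameter so a caller can deliberately produce an expired cert.
func (ca *CA) IssueDeviceCert(san string, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: "managed-device"}, // CN is deliberately not used for AuthZ
		NotBefore:      notBefore,
		NotAfter:       notBefore.Add(validFor),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		EmailAddresses: []string{san},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authorize is the gateway-side check. Authentication: the presented certificate must chain
// to the trusted CA, be inside its validity window and carry the clientAuth EKU.
// Authorization: the SAN is the key into the directory and requiredGroup is enforced.
func Authorize(trusted *x509.CertPool, leaf *x509.Certificate, requiredGroup string, now time.Time) (string, error) {
	opts := x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	if len(leaf.EmailAddresses) != 1 {
		return "", errors.New("expected exactly one rfc822Name SAN")
	}
	id := leaf.EmailAddresses[0]
	groups, ok := directory[id]
	if !ok {
		return "", fmt.Errorf("SAN %q not present in directory", id)
	}
	for _, g := range groups {
		if g == requiredGroup {
			return id, nil
		}
	}
	return "", fmt.Errorf("%s is not a member of %s", id, requiredGroup)
}

func main() {
	now := time.Now()
	ca, err := NewCA(now)
	if err != nil {
		panic(err)
	}
	cert, err := ca.IssueDeviceCert("alice@example.com", now.Add(-time.Minute), 24*time.Hour)
	if err != nil {
		panic(err)
	}
	id, err := Authorize(ca.Pool, cert, "vpn-users", now)
	fmt.Println("admitted:", id, "err:", err)
}
```

The cases worth checking against this are the ones a gateway must get right: a cert from a different CA with the right SAN (forged identity), an expired cert, a SAN that is not in the directory at all, and a valid cert for a user who is simply not in the VPN group. All four must be refused; only a chain-valid cert whose SAN maps to a member of the required group is admitted.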
Can’t recommend this guide enough. Especially if you have more than one WAN connection for redundancy.
Technical Tip: Create SSL VPN with Azure SAML SSO ... - Fortinet Community
No need for multiple realms if you don’t have a failover WAN or just want to use the one. We implemented this a while back and have been really happy with the results.
Looks like SAML and IPsec is now supported - requires 7.2.x on the FortiGate, and the newest 7.2.4 FortiClient
SAML and RADIUS are mutually exclusive
The VPN client (FortiClient, Cisco AnyConnect/Secure Client, Palo Alto GlobalProtect, whatever) pops up a window (either a built-in browser or an external OS browser) for the user to go through the SAML IdP login workflow. The browser (internal or external) returns a session token to the 'gate that is cryptographically signed by the IdP certificate.
FortiClient in IPsec mode is not able to use SAML. Other VPN clients can when used with the appropriate head-end - Cisco AnyConnect/Secure Client is one.
I don’t think it is possible; we are implementing SAML with Entra at customers with SSL VPN clients, with group matching as described in the cookbook for it.
FCT 7.2.4 supports IPsec with SAML.
Maybe not what you are looking for, but you can use RADIUS → Windows NPS → Azure MFA, with the Microsoft NPS extension:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension
I have just deployed an Azure VPN gateway with AAD auth enabled and deployed the Azure VPN client via Intune. Simple, easy-to-manage always-on VPN for our users.
I’m an accountant tasked with some IT responsibilities, so please forgive my ignorance. My organization has a mix of Microsoft Basic and Microsoft Standard 365 licenses. Would we be able to avoid buying everyone FortiKeys and just use SAML without any additional cost?
I was just about to say this. I inherited the Azure AD SAML on top of SSL VPN method, which is easy to do and works. But Fortinet keeps screaming “get rid of SSL VPN” and the last vulnerability kind of validated their screaming. So I’m migrating to IPsec VPN and can’t believe how much easier it is. Except for the occasional instance of someone blocking ports, which prevents the tunnel from starting. I’ve seen a couple of occurrences now, so I doubt I can get rid of SSL VPN completely, but I will still minimize it as much as possible.
Need to put this link in my back pocket when we look to roll out VPN
And as it is a completely fresh feature, everyone should proceed with caution.
Someone just posted this morning here that SAML for IPSEC is now a feature.
I configured it like you mention a couple of times and it works fine, but I’m just not fond of SSL VPN over IPsec.
This is what my boss proposed; I’ll take a look at the link. Thanks!!
It’s not that SSL is inherently more vulnerable than IPsec… to each their own… just google IPsec main mode attacks of the past and you will see… it’s just that folks tend to not deploy remote access properly, and typically put VPN on their edge internet box, both operational issues to begin with. As with any technology, it’s not if they will have a vulnerability, it’s a matter of when, so you have to build accordingly…
Anyone try to test this? I am having issues with getting this to work in my lab environment
The missing part was FortiClient.
The just-released FortiClient 7.2.4 is the ONLY version of FortiClient that supports this. That’s how new it is.