SMS two-factor authentication for SSL VPN


In this recipe, you will create an SSL VPN with two-factor authentication consisting of a username/password and an SMS token. The SMS token is generated by FortiAuthenticator using the FortiGuard Messaging Service.

When a user attempts to connect to this SSL VPN, they are prompted to enter their username and password. After successfully entering their credentials, they receive an SMS message on their mobile phone containing a 6-digit number (called the FortiToken Code). They must also enter this number to get access to the internal network and the Internet.
 
Although this recipe uses the FortiGuard Messaging Service, it will also work with any compatible SMS service you configure as an SMS Gateway.

1. Creating an SMS user and user group on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > Local Users and add/modify a user to include SMS Token-based authentication and a Mobile number using the preferred SMS gateway as shown.

The Mobile number must be in the format +[international_number].

Enable Allow RADIUS authentication.

Go to Authentication > User Management > User Groups and add the above user to a new SMS user group (in the example, ‘SMSgroup’).

2. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.


Choose to Enforce two-factor authentication and add the SMS user group to the Realms group filter as shown.

Select Save and then OK.

3. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP address and pre-shared secret.

Use the Test Connectivity button to make sure that the FortiGate can communicate with the FortiAuthenticator.

Next, go to User & Device > User > User Groups and create a RADIUS user group called RADIUSgroup.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

4. Configuring the SSL VPN

Go to VPN > SSL > Settings.

Under Connection Settings, set Listen on Port to 10443 and set IP Ranges to the SSL VPN tunnel address range.

Under Authentication/Portal Mapping, select Create New.

Assign the RADIUSgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

5. Creating the security policy for VPN access to the Internet

Go to Policy & Objects > Policy > IPv4 and create an ssl.root – wan1 policy.

Set Source User(s) to the RADIUSgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

6. Results

In this example, we will use the web portal to access the SSL VPN and test the two-factor authentication.

Open a browser and navigate to the SSL VPN web portal, in this case https://172.20.121.56:10443.

Enter a valid username and password and select Login. You should be prompted to enter a FortiToken Code.

The FortiToken Code should have been sent to your mobile phone as a text message containing a 6-digit number.

Enter the number into the SSL VPN login portal and select Login.

You should now have access to the SSL VPN tunnel.
To verify that the user has connected to the tunnel, go to VPN > Monitor > SSL-VPN Monitor.
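The login sequence tested above (credentials first, then the SMS code) is carried between the FortiGate and the FortiAuthenticator as a RADIUS exchange. The following is an added example, not Fortinet code, that models both sides of that exchange in a few dozen lines of Python following RFC 2865: the client hides the User-Password with the pre-shared secret, the server answers the first request with an Access-Challenge carrying a State attribute and "sends" the 6-digit code, and the second request returns the code together with the State. The shared secret, the user record, the mobile number and the SMS outbox are all constructed for illustration; that the FortiAuthenticator uses Access-Challenge/State for its enforced second factor is the standard RADIUS mechanism and is assumed here rather than taken from the recipe.

```python
"""Toy RFC 2865 RADIUS two-step login: username/password, then an SMS code.

Added example, not Fortinet code. All values (secret, user, mobile, IPs) are
constructed; the 'SMS gateway' is an in-memory outbox so the code runs offline.
"""
import hashlib
import os
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SHARED_SECRET = b"constructed-preshared-secret"  # configured on both peers (step 2 and 3)


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with an MD5 keystream chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret on either side yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attrs_body(attrs: list) -> bytes:
    # Each attribute is Type(1) Length(1) Value; values here are < 254 bytes.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def encode(code: int, ident: int, auth: bytes, attrs: list) -> bytes:
    body = _attrs_body(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def decode(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, attrs, pos = pkt[4:20], [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, auth, attrs


def response_auth(code: int, ident: int, req_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _attrs_body(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


class SmsRadiusServer:
    """Stand-in for the FortiAuthenticator with 'Enforce two-factor authentication' on."""

    def __init__(self, users: dict, secret: bytes = SHARED_SECRET):
        self.users, self.secret = users, secret
        self.pending = {}      # State value -> (username, expected code); one use only
        self.sms_outbox = []   # (mobile, text) the SMS gateway would deliver

    def handle(self, pkt: bytes) -> bytes:
        code, ident, req_auth, attrs = decode(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode(errors="replace")
        pw = reveal_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        if STATE in a:  # second leg: the SMS code, bound to the earlier challenge
            pending = self.pending.pop(a[STATE], None)
            ok = pending is not None and pending[0] == user and secrets.compare_digest(pending[1], pw)
            return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        rec = self.users.get(user)
        if rec is None or not secrets.compare_digest(rec["password"], pw):
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        code6 = f"{secrets.randbelow(10 ** 6):06d}".encode()  # 6-digit code, like the FortiToken Code
        state = os.urandom(16)
        self.pending[state] = (user, code6)
        self.sms_outbox.append((rec["mobile"], b"Your code is " + code6))
        return self._reply(ACCESS_CHALLENGE, ident, req_auth,
                           [(STATE, state), (REPLY_MESSAGE, b"Enter FortiToken Code")])

    def _reply(self, code, ident, req_auth, attrs):
        return encode(code, ident, response_auth(code, ident, req_auth, attrs, self.secret), attrs)


def fortigate_login(server, username: str, password: str, read_sms, secret: bytes = SHARED_SECRET) -> bool:
    """Client side (the FortiGate): send credentials, then the code the user read from the phone."""

    def send(ident, attrs):
        req_auth = os.urandom(16)
        attrs = [(t, hide_password(v, secret, req_auth) if t == USER_PASSWORD else v) for t, v in attrs]
        code, rid, auth, rattrs = decode(server.handle(encode(ACCESS_REQUEST, ident, req_auth, attrs)))
        # Reject replies that do not verify under our secret: wrong secret or a tampered packet.
        if rid != ident or not secrets.compare_digest(auth, response_auth(code, rid, req_auth, rattrs, secret)):
            raise ValueError("RADIUS reply failed the Response Authenticator check")
        return code, dict(rattrs)

    code, reply = send(1, [(USER_NAME, username.encode()), (USER_PASSWORD, password.encode())])
    if code != ACCESS_CHALLENGE:
        return False
    code, _ = send(2, [(USER_NAME, username.encode()), (USER_PASSWORD, read_sms()), (STATE, reply[STATE])])
    return code == ACCESS_ACCEPT


if __name__ == "__main__":
    srv = SmsRadiusServer({"jsmith": {"password": b"hunter2", "mobile": "+15550100"}})  # constructed
    print("login:", fortigate_login(srv, "jsmith", "hunter2", lambda: srv.sms_outbox[-1][1][-6:]))
```

Two things the model makes visible that the GUI hides: the pre-shared secret never travels on the wire but keys both the User-Password hiding and the Response Authenticator, so a mismatch between step 2 and step 3 shows up as garbled passwords and unverifiable replies rather than a clear error (which is why the Test Connectivity button is worth pressing), and the State attribute is what ties the SMS code to the credentials that were just checked, so a code cannot be submitted without first passing the password leg.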
Keith Leroux

Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!
  • Hassaan Mustafa

    Hi, thanks for the wonderful guide. I just want to ask: is it possible to do these steps for WiFi users as well?

    • Adam Bristow

      Hello Hassaan,

      Thank you for your comment!

      While the steps aren’t exactly the same, the following recipe shows how to set up WiFi authentication using the FortiAuthenticator as the RADIUS server:

      http://cookbook.fortinet.com/wifi-with-external-radius-authentication-54/

      If you’d like to configure WiFi in a different way, here’s our full list of WiFi recipes, including video tutorials:

      http://cookbook.fortinet.com/wifi/

      Best regards,

      Adam

      • Hassaan Mustafa

        Thanks Adam, I am looking into these links. I have a unique scenario to deploy Forti devices for which you have already shared links. Hopefully I will reach the milestone shortly.

        Once again, thanks 🙂