FortiToken Mobile Push SSL VPN with RADIUS on a FortiAuthenticator


In this recipe, you will set up FortiAuthenticator to function as a RADIUS server to authenticate SSL VPN users using FortiToken Mobile Push two-factor authentication. With Push notifications enabled, the user can easily accept or deny the authentication request.

For this configuration, you will:

  • Create a user on the FortiAuthenticator.
  • Assign a FortiToken Mobile license to the user.
  • Create the RADIUS client (FortiGate) on the FortiAuthenticator, and enable FortiToken Mobile Push notifications.
  • Connect the FortiGate to the RADIUS server (FortiAuthenticator).
  • Create an SSL VPN on the FortiGate, allowing internal access for remote users.

The following names and IP addresses are used:

  • Username: gthreepwood
  • User group: RemoteFTMGroup
  • RADIUS server: OfficeRADIUS
  • RADIUS client: OfficeServer
  • SSL VPN user group: SSLVPNGroup
  • FortiAuthenticator: 172.25.176.141
  • FortiGate: 172.25.176.92

For the purposes of this recipe, a FortiToken Mobile free trial token is used. This recipe also assumes that the user has already installed the FortiToken Mobile application on their smartphone. The application is available for Android and iOS.

1. Adding FortiToken Mobile to FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > FortiTokens, and select Create New.

Set Token type to FortiToken Mobile, and enter the FortiToken activation codes in the field provided.

2. Adding the FortiToken Mobile user to FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > Local Users, and select Create New.

Enter a Username (gthreepwood) and enter and confirm the user’s password.

Enable Allow RADIUS authentication, and select OK to access additional settings.

Enable Token-based authentication and select to deliver the token code by FortiToken. Select the FortiToken added earlier from the FortiToken Mobile dropdown menu.

Set Delivery method to Email. This will automatically open the User Information section where you can enter the user’s email address in the field provided.

Next, go to Authentication > User Management > User Groups, and select Create New.

Enter a Name (RemoteFTMUsers) and add gthreepwood to the group by moving the user from Available users to Selected users.

The FortiAuthenticator sends the FortiToken Mobile activation to the user’s email address. If the email does not appear in the inbox, check the spam folder.

The user activates their FortiToken Mobile through the FortiToken Mobile application by either entering the activation code provided or by scanning the QR code attached.

For more information, see the FortiToken Mobile user instructions.

3. Creating the RADIUS client on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New to add the FortiGate as a RADIUS client.

Enter a Name (OfficeServer), the IP address of the FortiGate, and set a Secret. The secret is a pre-shared secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

Set Authentication method to Enforce two-factor authentication and check the Enable FortiToken Mobile push notifications authentication checkbox.

Set Realms to local | Local users, and add RemoteFTMUsers to the Groups filter.

Note the Username input format. This is the format that the user must use to enter their username in the web portal, made up of their username and realm. In this example, the full username for gthreepwood will be "gthreepwood@local".

4. Connecting the FortiGate to the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers, and select Create New to connect to the RADIUS server (FortiAuthenticator).

Enter a Name (OfficeRADIUS), the IP address of the FortiAuthenticator, and enter the Secret created before.

Select Test Connectivity to be sure you can connect to the RADIUS server. Then select Test User Credentials and enter the credentials for gthreepwood.

Because the user has been assigned a FortiToken, the test should come back stating that More validation is required.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client configured earlier.

Then go to User & Device > User Groups, and select Create New to map authenticated remote users to a user group on the FortiGate.

Enter a Name (SSLVPNGroup) and select Add under Remote Groups.

Select OfficeRADIUS under the Remote Server dropdown menu, and leave the Groups field blank.

5. Configuring the SSL VPN on FortiGate

On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.

Toggle Enable Split Tunneling so that it is disabled.

Then go to VPN > SSL-VPN Settings.

Under Connection Settings set Listen on Interface(s) to wan1 and Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges. By default, IP Ranges is set to SSLVPN_TUNNEL_ADDR1 and its IPv6 counterpart.

Under Authentication/Portal Mapping, select Create New.

Set the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access — this will grant all other users access to the web portal only.

Go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.

Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing interface (in this case, wan1).

Set Source to the SSLVPNGroup user group and the all address.

Set Destination Address to all, Schedule to always, Service to ALL, and enable NAT.

6. Results

From a remote device, open a web browser and navigate to the SSL VPN web portal (https://<fortigate-ip>:10443).

Enter gthreepwood's credentials and select Login.

Note that the username has to be entered in the correct format (in this case, username@realm), as per the client configuration on the FortiAuthenticator.

The FortiAuthenticator will then push a login request notification through the FortiToken Mobile application. Select Approve.

Upon approving the authentication, gthreepwood is successfully logged in to the SSL VPN portal.

On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user’s connection.

Note that the token can only be registered to one device.