Fortinet black logo

Handbook

Two-factor authentication

Two-factor authentication

Normally, you are required to use your user name and password to log into your account on a system or network. In this single-factor authentication, your password is the only piece of information you need to access your account. In this case, you are presenting to the system or network a shared secret, which is your password, to authenticate your identity. Had a hacker obtained or figured out your password, your password would be compromised.

Two-factor authentication is a means for authenticating a user's identity using two different pieces of information or factors. The primary advantage of two-factor authentication is that it provides a greater level of security than single-factor authentication does. Generally, the two factors are something you must know (password) and something you must have (e.g., a token). This makes it harder for a hacker to gain access to your account because the hacker would have to have both your password and the security token.

FortiADC works in tandem with FortiAuthenticator to provide two-factor authentication. With this integration, you are required to provide your password and the security token generated by FortiAuthenticator and delivered to a specified email address to gain access to FortiADC.

To take advantage of this feature, you must

  • On FortiAuthenticator, create an administrator user account, a user group, and set FortiADC as a RADIUS client.
  • On FortiADC, set FortiAuthenticator as the RADIUS server.

You do not have to perform these two tasks in any specific order, but you do need to have administrator access to both FortiADC and FortiAuthenticator, which allow you to carry out the configurations.

Note: Keep in mind that, for the current release, two-factor authentication works with RADIUS server (FortiAuthenticator) only; it does not work with any other remote server.

Configuring FortiAuthenticator for two-factor authentication

FortiADC uses FortiAuthenticator as the remote authentication server, which provides the security token needed for two-factor authentication on FortiADC. If you wanted to require that all FortiADC users of your organization use two-factor authentication to log into the appliance, you must first configuring FortiAuthenticator, which involves the following tasks:

  1. Creating user accounts
  2. Create a user group and add users to it.
  3. Designate FortiADC as a RADIUS service client

Note: The following instructions assume that you have FortiAuthenticator installed on your network and you have administrator access to it.

Creating user accounts on FortiAuthenticator

To create a user account on FortiAuthenticator:

  1. From the menu bar on the left, select Authentication > User Management > Local User.
  2. Click Create New to open the Create New Local User page.
  3. Make all the required entries or selections as highlighted in FortiAuthenticator configuration.
  4. Click OK when done.
  5. Repeat Steps 1 through 4 to create as many user accounts as needed.

FortiAuthenticator configuration

Configuring FortiADC a user group

Once you have created all the local user accounts, you need to create a user group and add the users to it.

To configure a user group:

  1. From the menu bar on the left, select Authentication > User Management > User Groups.
  2. Click Create New to open the Create New User Group page.
  3. Specify a unique name for the user group.
  4. Make sure the Local radio button is selected.
  5. Add all the users to the user group.
  6. Click OK when done.

Set FortiADC as a RADIUS Service client

As a remote authentication server, FortiAuthenticator serves as a RADIUS server, whereas FortiADC functions as a RADIUS client. Therefore, upon setting up the user group, the next thing you need to do is to set your FortiADC appliance as the RADIUS service client, and link the user group to it.

To set your FortiADC as a RADIUS service client:

  1. From the menu bar on the left, select Authentication > RADIUS Service > Clients.
  2. Click Create New to open the Add RADIUS Client page.
  3. In the Name field, specify a unique name for the RADIUS Service Client configuration.
  4. For Client Address, select the IP/Hostname radio button, and enter your FortiADC appliance's IP address or hostname.
  5. For Secret, enter the shared secret between FortiAuthenticator and FortiADC, making sure that it matches the Shared Secret you specify when configuring the RADIUS server on your FortiADC appliance.
  6. For Authentication method, select Enforce two-factor authentication.
  7. For User input format, select realm\username.
  8. In the Realm column, click the down arrow in the Realm column and select Local | Local users.
  9. In the Groups column, check the Filter check box and select the user group you have configured earlier.
  10. Click Save.
  11. Click OK when done.

Note: Figure xxx highlights the required fields for configuring RADIUS service client.

Configuring FortiADC for two-factor authentication

In the preceding section, we've stated that, in the two-factor authentication process, FortiAuthenticator serves as the RADIUS server that provides services to FortiADC. We discussed, among other things, how to set FortiADC as

a client of FortiAuthenticator.

In this section, we talk about how to configure FortiADC as FortiAuthenticator's client, which involves the following tasks:

  1. Create RADIUS server configuration using FortiAuthenticator.
  2. Create admin user accounts with RADIUS authentication.

The following instructions assume you have administrator access to FortiADC.

Creating a RADIUS server configuration using FortiAuthenticator

In order to let FortiAuthenticator provide authentication services for FortiADC, you need to choose FortiAuthenticator as the remote server from the FortiADC side.

To configure a RADIUS configuration using FortiAuthenticator:

  1. On FortiADC's main navigation bar, click User Authentication > Remote Server.
  2. Select the RADIUS Server tab.
  3. Click Create New to open the RADIUS dialog box.
  4. In the Name field, specify a unique name for the RADIUS server configuration.
  5. In the Server field, enter the IP address of the FortiAuthenticator that you've configured earlier.
  6. In the Port field, accept the default port number, which is 1812.
  7. In the Shared Secret field, enter the secret key that you specified when configuring FortiAuthenticator.
  8. In the Authentication Protocol field, accept the default value or click the down arrow to select another option from the list menu.
  9. Click Save when done.

Adding admin user accounts with RADIUS authentication

Once you have set FortiAuthenticator as the RADIUS server to provide authentication service to FortiADC, you must then associate FortiADC user accounts with FortiAuthenticator.

It is important to note that the user names you choose on FortiADC must match those that you have added on FortiAuthenticator. Otherwise, the two-factor authentication will not work.

To add admin user using RADIUS authentication:

  1. On FortiADC's main navigation bar, click System > Administrator.
  2. Click Create New to open the Admin dialog box.
  3. In the Name field, specify the user name of the admin account, making sure that it matches one the users names you specified on FortiAuthenticator.
  4. In the Trusted Hosts filed, leave it as is or specify the IP address of a specific host. (Note: If left as is, a user can manage FortiADCvia this admin account from any host; if the IP address of a specific host is specified, then a user can manage FortiADC via this admin account from that host only.)
  5. In the Global Admin field, accept the default (No) or select Yes. (Note: If left as is, you must select Profile and the VDOM or VDOMs that the admin account can manage; If Yes is selected, then this admin account becomes a global administrator and can manage all VDOMs on this FortiADC appliance.)
  6. In the Authentication Type field, be sure to select RADIUS.
  7. In the RADIUS Server field, select the RADIUS server configuration you've created on FortiADC, as discussed in the preceding paragraph.
  8. In the Wildcard field, leave as is (OFF) or turn it ON. (Note: Once the Wildcard feature is enabled, in addition to the admin user configured on FortiADC, any users configured on the RADIUS server (i.e., FortiAuthenticator) can log into FortiADC and still be mapped to the specific admin profile.)
  9. Click Save when done.
  10. Repeat the above steps to create as many admin user accounts as needed.

Two-factor authentication in action

In the preceding two sections, we talked about how to configure FortiAuthenticator and FortiADC for two-factor authentication. The following shows the general work flow in which two-factor authentication works when you are trying to log into FortiADC:

  1. On FortiADC's login page, you enter your username and password, and click Log In.
  2. FortiADC presents your login credentials to FortiAuthenticator.
  3. After verifying your user name and password, FortiAuthenticator generates a security token and sends it to the email address that you specified when setting up your account on FortiAuthenticator. At the same time, the Token field pops up on FortiADC's login page, right below the password field.
  4. You retrieve the token from your email, copy and paste it into the Token field on FortiADC's login page, and click Log In.
  5. FortiADC sends your login information, along with the token, to FortiAuthenticator for authentication.
  6. After verifying that the your have the correct token, FortiAuthenticator lets you log into FortiADC.

Two-factor authentication

Two-factor authentication

Normally, you are required to use your user name and password to log into your account on a system or network. In this single-factor authentication, your password is the only piece of information you need to access your account. In this case, you are presenting to the system or network a shared secret, which is your password, to authenticate your identity. Had a hacker obtained or figured out your password, your password would be compromised.

Two-factor authentication is a means for authenticating a user's identity using two different pieces of information or factors. The primary advantage of two-factor authentication is that it provides a greater level of security than single-factor authentication does. Generally, the two factors are something you must know (password) and something you must have (e.g., a token). This makes it harder for a hacker to gain access to your account because the hacker would have to have both your password and the security token.

FortiADC works in tandem with FortiAuthenticator to provide two-factor authentication. With this integration, you are required to provide your password and the security token generated by FortiAuthenticator and delivered to a specified email address to gain access to FortiADC.

To take advantage of this feature, you must

  • On FortiAuthenticator, create an administrator user account, a user group, and set FortiADC as a RADIUS client.
  • On FortiADC, set FortiAuthenticator as the RADIUS server.

You do not have to perform these two tasks in any specific order, but you do need to have administrator access to both FortiADC and FortiAuthenticator, which allow you to carry out the configurations.

Note: Keep in mind that, for the current release, two-factor authentication works with RADIUS server (FortiAuthenticator) only; it does not work with any other remote server.

Configuring FortiAuthenticator for two-factor authentication

FortiADC uses FortiAuthenticator as the remote authentication server, which provides the security token needed for two-factor authentication on FortiADC. If you wanted to require that all FortiADC users of your organization use two-factor authentication to log into the appliance, you must first configuring FortiAuthenticator, which involves the following tasks:

  1. Creating user accounts
  2. Create a user group and add users to it.
  3. Designate FortiADC as a RADIUS service client

Note: The following instructions assume that you have FortiAuthenticator installed on your network and you have administrator access to it.

Creating user accounts on FortiAuthenticator

To create a user account on FortiAuthenticator:

  1. From the menu bar on the left, select Authentication > User Management > Local User.
  2. Click Create New to open the Create New Local User page.
  3. Make all the required entries or selections as highlighted in FortiAuthenticator configuration.
  4. Click OK when done.
  5. Repeat Steps 1 through 4 to create as many user accounts as needed.

FortiAuthenticator configuration

Configuring FortiADC a user group

Once you have created all the local user accounts, you need to create a user group and add the users to it.

To configure a user group:

  1. From the menu bar on the left, select Authentication > User Management > User Groups.
  2. Click Create New to open the Create New User Group page.
  3. Specify a unique name for the user group.
  4. Make sure the Local radio button is selected.
  5. Add all the users to the user group.
  6. Click OK when done.

Set FortiADC as a RADIUS Service client

As a remote authentication server, FortiAuthenticator serves as a RADIUS server, whereas FortiADC functions as a RADIUS client. Therefore, upon setting up the user group, the next thing you need to do is to set your FortiADC appliance as the RADIUS service client, and link the user group to it.

To set your FortiADC as a RADIUS service client:

  1. From the menu bar on the left, select Authentication > RADIUS Service > Clients.
  2. Click Create New to open the Add RADIUS Client page.
  3. In the Name field, specify a unique name for the RADIUS Service Client configuration.
  4. For Client Address, select the IP/Hostname radio button, and enter your FortiADC appliance's IP address or hostname.
  5. For Secret, enter the shared secret between FortiAuthenticator and FortiADC, making sure that it matches the Shared Secret you specify when configuring the RADIUS server on your FortiADC appliance.
  6. For Authentication method, select Enforce two-factor authentication.
  7. For User input format, select realm\username.
  8. In the Realm column, click the down arrow in the Realm column and select Local | Local users.
  9. In the Groups column, check the Filter check box and select the user group you have configured earlier.
  10. Click Save.
  11. Click OK when done.

Note: Figure xxx highlights the required fields for configuring RADIUS service client.

Configuring FortiADC for two-factor authentication

In the preceding section, we've stated that, in the two-factor authentication process, FortiAuthenticator serves as the RADIUS server that provides services to FortiADC. We discussed, among other things, how to set FortiADC as

a client of FortiAuthenticator.

In this section, we talk about how to configure FortiADC as FortiAuthenticator's client, which involves the following tasks:

  1. Create RADIUS server configuration using FortiAuthenticator.
  2. Create admin user accounts with RADIUS authentication.

The following instructions assume you have administrator access to FortiADC.

Creating a RADIUS server configuration using FortiAuthenticator

In order to let FortiAuthenticator provide authentication services for FortiADC, you need to choose FortiAuthenticator as the remote server from the FortiADC side.

To configure a RADIUS configuration using FortiAuthenticator:

  1. On FortiADC's main navigation bar, click User Authentication > Remote Server.
  2. Select the RADIUS Server tab.
  3. Click Create New to open the RADIUS dialog box.
  4. In the Name field, specify a unique name for the RADIUS server configuration.
  5. In the Server field, enter the IP address of the FortiAuthenticator that you've configured earlier.
  6. In the Port field, accept the default port number, which is 1812.
  7. In the Shared Secret field, enter the secret key that you specified when configuring FortiAuthenticator.
  8. In the Authentication Protocol field, accept the default value or click the down arrow to select another option from the list menu.
  9. Click Save when done.

Adding admin user accounts with RADIUS authentication

Once you have set FortiAuthenticator as the RADIUS server to provide authentication service to FortiADC, you must then associate FortiADC user accounts with FortiAuthenticator.

It is important to note that the user names you choose on FortiADC must match those that you have added on FortiAuthenticator. Otherwise, the two-factor authentication will not work.

To add admin user using RADIUS authentication:

  1. On FortiADC's main navigation bar, click System > Administrator.
  2. Click Create New to open the Admin dialog box.
  3. In the Name field, specify the user name of the admin account, making sure that it matches one the users names you specified on FortiAuthenticator.
  4. In the Trusted Hosts filed, leave it as is or specify the IP address of a specific host. (Note: If left as is, a user can manage FortiADCvia this admin account from any host; if the IP address of a specific host is specified, then a user can manage FortiADC via this admin account from that host only.)
  5. In the Global Admin field, accept the default (No) or select Yes. (Note: If left as is, you must select Profile and the VDOM or VDOMs that the admin account can manage; If Yes is selected, then this admin account becomes a global administrator and can manage all VDOMs on this FortiADC appliance.)
  6. In the Authentication Type field, be sure to select RADIUS.
  7. In the RADIUS Server field, select the RADIUS server configuration you've created on FortiADC, as discussed in the preceding paragraph.
  8. In the Wildcard field, leave as is (OFF) or turn it ON. (Note: Once the Wildcard feature is enabled, in addition to the admin user configured on FortiADC, any users configured on the RADIUS server (i.e., FortiAuthenticator) can log into FortiADC and still be mapped to the specific admin profile.)
  9. Click Save when done.
  10. Repeat the above steps to create as many admin user accounts as needed.

Two-factor authentication in action

In the preceding two sections, we talked about how to configure FortiAuthenticator and FortiADC for two-factor authentication. The following shows the general work flow in which two-factor authentication works when you are trying to log into FortiADC:

  1. On FortiADC's login page, you enter your username and password, and click Log In.
  2. FortiADC presents your login credentials to FortiAuthenticator.
  3. After verifying your user name and password, FortiAuthenticator generates a security token and sends it to the email address that you specified when setting up your account on FortiAuthenticator. At the same time, the Token field pops up on FortiADC's login page, right below the password field.
  4. You retrieve the token from your email, copy and paste it into the Token field on FortiADC's login page, and click Log In.
  5. FortiADC sends your login information, along with the token, to FortiAuthenticator for authentication.
  6. After verifying that the your have the correct token, FortiAuthenticator lets you log into FortiADC.