Fortinet black logo

Administration Guide

RSA ACE (SecurID) servers

RSA ACE (SecurID) servers

SecurID is a two-factor system produced by the company RSA that uses one-time password (OTP) authentication. This system consists of the following:

  • Portable tokens that users carry
  • RSA ACE/Server
  • Agent host (the FortiGate)

When using SecurID, users carry a small device or "token" that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.

The RSA ACE/Server is the SecurID system's management component. It stores and validates the information about the SecurID tokens allowed on your network. Alternately, the server can be an RSA SecurID 130 appliance.

The agent host is the server on your network. In this case, this is the FortiGate, which intercepts user logon attempts. The agent host gathers the user ID and password entered from the SecurID token and sends the information to the RSA ACE/Server for validation. If valid, the RSA ACE/Server returns a reply indicating that it is a valid logon and FortiOS allows the user access to the network resources specified in the associated security policy.

Configuring SecurID with FortiOS consists of the following:

  1. Configure the RSA and RADIUS servers to work with each other. See RSA server documentation.
  2. Do one of the following:
    1. Configure the RSA SecurID 130 appliance.
    2. Configure the FortiGate as an agent host on the RSA ACE/Server.
  3. Configure the RADIUS server in FortiOS.
  4. Create a SecurID user group.
  5. Create a SecurID user.
  6. Configure authentication with SecurID.

The following instructions are based on RSA ACE/Server 5.1 and RSA SecurID 130 appliance. They assume that you have successfully completed all external RSA and RADIUS server configuration.

In this example, the RSA server is on the internal network and has an IP address of 192.128.100.000. The FortiOS internal interface address is 192.168.100.3. The RADIUS shared secret is fortinet123, and the RADIUS server is at IP address 192.168.100.202.

To configure the RSA SecurID 130 appliance:
  1. Log on to the SecurID IMS console.
  2. Go to RADIUS > RADIUS clients, then select Add New.

    Setting

    Description

    RADIUS Client Basics

    Client Name

    FortiGate

    Associated RSA Agent

    FortiGate

    RADIUS Client Settings

    IP Address

    Enter the FortiOS internal interface. In this example, it is 192.168.100.3.

    Make / Model

    Select Standard Radius.

    Shared Secret

    Enter the RADIUS shared secret. In this example, it is fortinet123.

    Accounting

    Leave unselected.

    Client Status

    Leave unselected.

  3. Configure your FortiGate as a SecurID client:
  4. Click Save.
To configure the FortiGate as an agent host on the RSA ACE/Server:
  1. On the RSA ACE/Server, go to Start > Programs > RSA ACE/Server, then Database Administration - Host Mode.
  2. From the Agent Host menu, select Add Agent Host.
  3. Configure the following:

    Setting

    Description

    Name

    FortiGate

    Network Address

    Enter the FortiOS internal interface. In this example, it is 192.168.100.3.

    Secondary Nodes

    You can optionally enter other IP addresses that resolve to the FortiGate.

For more information, see the RSA ACE/Server documentation.

To configure the RADIUS server in FortiOS:
  1. Go to User & Authentication > RADIUS Servers, then click Create New.
  2. Configure the following:

    Setting

    Description

    Name

    RSA

    Authentication method

    Select Default.

    Primary Server

    IP/Name

    192.168.100.102. You can click Test to ensure the IP address is correct and that FortiOS can contact the RADIUS server.

    Secret

    fortinet123

  3. Click OK.
To create a SecurID user group:
  1. Go to User & Authentication > User Groups. Click Create New.
  2. Configure the following:

    Setting

    Description

    Name

    RSA_group

    Type

    Firewall

  3. In Remote Groups, click Add, then select the RSA server.
  4. Click OK.
To create a SecurID user:
  1. Go to User & Authentication > User Definition. Click Create New.
  2. Configure the following:

    Setting

    Description

    User Type

    Remote RADIUS User

    Type

    wloman

    RADIUS Server

    RSA

    Contact Info

    (Optional) Enter email or SMS information.

    User Group

    RSA_group

  3. Click Create.

You can test the configuration by entering the diagnose test authserver radius RSA auto wloman 111111111 command. The series of 1s is the OTP that your RSA SecurID token generates that you enter for access.

Configuring authentication with SecurID

You can use the SecurID user group in several FortiOS features that authenticate by user group:

Unless stated otherwise, the following examples use default values.

Security policy

The example creates a security policy that allows HTTP, FTP, and POP3 traffic from the internal interface to WAN1. If these interfaces are not available in FortiOS, substitute other similar interfaces.

To configure a security policy with SecurID authentication:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New.
  3. Configure the following:

    Setting

    Description

    Incoming Interface

    internal

    Source Address

    all

    Source User(s)

    RSA_group

    Outgoing Interface

    wan1

    Destination Address

    all

    Schedule

    always

    Service

    HTTP, FTP, POP3

    Action

    ACCEPT

    NAT

    On

    Shared Shaper

    If you want to limit traffic or guarantee minimum bandwidth for traffic that uses the SecurID security policy, enable and use the default shaper, guarantee-100kbps.

    Log Allowed Traffic

    Enable if you want to generate usage reports on traffic that this policy has authenticated.

  4. Click OK.

IPsec VPN XAuth

In VPN > IPsec Wizard, select the SecurID user group on the Authentication page. The SecurID user group members must enter their SecurID code to authenticate.

PPTP VPN

When configuring PPTP in the CLI, set usrgrp to the SecurID user group.

SSL VPN

You must map the SecurID user group to the portal that will serve SecurID users and include the SecurID user group in the security policy's Source User(s) field.

To map the SecurID group to an SSL VPN portal:
  1. Go to VPN > SSL-VPN Settings.
  2. Under Authentication/Portal Mapping, click Create New.
  3. Configure the following:

    Setting

    Description

    Users/Groups

    RSA_group

    Portal

    Select the desired portal.

  4. Click OK.

RSA ACE (SecurID) servers

SecurID is a two-factor system produced by the company RSA that uses one-time password (OTP) authentication. This system consists of the following:

  • Portable tokens that users carry
  • RSA ACE/Server
  • Agent host (the FortiGate)

When using SecurID, users carry a small device or "token" that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.

The RSA ACE/Server is the SecurID system's management component. It stores and validates the information about the SecurID tokens allowed on your network. Alternately, the server can be an RSA SecurID 130 appliance.

The agent host is the server on your network. In this case, this is the FortiGate, which intercepts user logon attempts. The agent host gathers the user ID and password entered from the SecurID token and sends the information to the RSA ACE/Server for validation. If valid, the RSA ACE/Server returns a reply indicating that it is a valid logon and FortiOS allows the user access to the network resources specified in the associated security policy.

Configuring SecurID with FortiOS consists of the following:

  1. Configure the RSA and RADIUS servers to work with each other. See RSA server documentation.
  2. Do one of the following:
    1. Configure the RSA SecurID 130 appliance.
    2. Configure the FortiGate as an agent host on the RSA ACE/Server.
  3. Configure the RADIUS server in FortiOS.
  4. Create a SecurID user group.
  5. Create a SecurID user.
  6. Configure authentication with SecurID.

The following instructions are based on RSA ACE/Server 5.1 and RSA SecurID 130 appliance. They assume that you have successfully completed all external RSA and RADIUS server configuration.

In this example, the RSA server is on the internal network and has an IP address of 192.128.100.000. The FortiOS internal interface address is 192.168.100.3. The RADIUS shared secret is fortinet123, and the RADIUS server is at IP address 192.168.100.202.

To configure the RSA SecurID 130 appliance:
  1. Log on to the SecurID IMS console.
  2. Go to RADIUS > RADIUS clients, then select Add New.

    Setting

    Description

    RADIUS Client Basics

    Client Name

    FortiGate

    Associated RSA Agent

    FortiGate

    RADIUS Client Settings

    IP Address

    Enter the FortiOS internal interface. In this example, it is 192.168.100.3.

    Make / Model

    Select Standard Radius.

    Shared Secret

    Enter the RADIUS shared secret. In this example, it is fortinet123.

    Accounting

    Leave unselected.

    Client Status

    Leave unselected.

  3. Configure your FortiGate as a SecurID client:
  4. Click Save.
To configure the FortiGate as an agent host on the RSA ACE/Server:
  1. On the RSA ACE/Server, go to Start > Programs > RSA ACE/Server, then Database Administration - Host Mode.
  2. From the Agent Host menu, select Add Agent Host.
  3. Configure the following:

    Setting

    Description

    Name

    FortiGate

    Network Address

    Enter the FortiOS internal interface. In this example, it is 192.168.100.3.

    Secondary Nodes

    You can optionally enter other IP addresses that resolve to the FortiGate.

For more information, see the RSA ACE/Server documentation.

To configure the RADIUS server in FortiOS:
  1. Go to User & Authentication > RADIUS Servers, then click Create New.
  2. Configure the following:

    Setting

    Description

    Name

    RSA

    Authentication method

    Select Default.

    Primary Server

    IP/Name

    192.168.100.102. You can click Test to ensure the IP address is correct and that FortiOS can contact the RADIUS server.

    Secret

    fortinet123

  3. Click OK.
To create a SecurID user group:
  1. Go to User & Authentication > User Groups. Click Create New.
  2. Configure the following:

    Setting

    Description

    Name

    RSA_group

    Type

    Firewall

  3. In Remote Groups, click Add, then select the RSA server.
  4. Click OK.
To create a SecurID user:
  1. Go to User & Authentication > User Definition. Click Create New.
  2. Configure the following:

    Setting

    Description

    User Type

    Remote RADIUS User

    Type

    wloman

    RADIUS Server

    RSA

    Contact Info

    (Optional) Enter email or SMS information.

    User Group

    RSA_group

  3. Click Create.

You can test the configuration by entering the diagnose test authserver radius RSA auto wloman 111111111 command. The series of 1s is the OTP that your RSA SecurID token generates that you enter for access.

Configuring authentication with SecurID

You can use the SecurID user group in several FortiOS features that authenticate by user group:

Unless stated otherwise, the following examples use default values.

Security policy

The example creates a security policy that allows HTTP, FTP, and POP3 traffic from the internal interface to WAN1. If these interfaces are not available in FortiOS, substitute other similar interfaces.

To configure a security policy with SecurID authentication:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New.
  3. Configure the following:

    Setting

    Description

    Incoming Interface

    internal

    Source Address

    all

    Source User(s)

    RSA_group

    Outgoing Interface

    wan1

    Destination Address

    all

    Schedule

    always

    Service

    HTTP, FTP, POP3

    Action

    ACCEPT

    NAT

    On

    Shared Shaper

    If you want to limit traffic or guarantee minimum bandwidth for traffic that uses the SecurID security policy, enable and use the default shaper, guarantee-100kbps.

    Log Allowed Traffic

    Enable if you want to generate usage reports on traffic that this policy has authenticated.

  4. Click OK.

IPsec VPN XAuth

In VPN > IPsec Wizard, select the SecurID user group on the Authentication page. The SecurID user group members must enter their SecurID code to authenticate.

PPTP VPN

When configuring PPTP in the CLI, set usrgrp to the SecurID user group.

SSL VPN

You must map the SecurID user group to the portal that will serve SecurID users and include the SecurID user group in the security policy's Source User(s) field.

To map the SecurID group to an SSL VPN portal:
  1. Go to VPN > SSL-VPN Settings.
  2. Under Authentication/Portal Mapping, click Create New.
  3. Configure the following:

    Setting

    Description

    Users/Groups

    RSA_group

    Portal

    Select the desired portal.

  4. Click OK.