RSA ACE (SecurID) servers

SecurID is a two-factor system produced by the company RSA that uses one-time password (OTP) authentication. This system consists of the following:

  • Portable tokens that users carry
  • RSA ACE/Server
  • Agent host (the FortiGate)

When using SecurID, users carry a small device or "token" that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.

The RSA ACE/Server is the SecurID system's management component. It stores and validates the information about the SecurID tokens allowed on your network. Alternatively, the server can be an RSA SecurID 130 appliance.

The agent host is the device on your network that intercepts user logon attempts; in this case, it is the FortiGate. The agent host gathers the user ID and the password entered from the SecurID token and sends the information to the RSA ACE/Server for validation. If the logon is valid, the RSA ACE/Server returns a reply saying so, and FortiOS allows the user access to the network resources specified in the associated security policy.

Configuring SecurID with FortiOS consists of the following:

  1. Configure the RSA and RADIUS servers to work with each other. See RSA server documentation.

  2. Do one of the following:

    1. Configure the RSA SecurID 130 appliance.

    2. Configure the FortiGate as an agent host on the RSA ACE/Server.

  3. Configure the RADIUS server in FortiOS.

  4. Create a SecurID user group.

  5. Create a SecurID user.

  6. Configure authentication with SecurID.

The following instructions are based on RSA ACE/Server 5.1 and RSA SecurID 130 appliance. They assume that you have successfully completed all external RSA and RADIUS server configuration.

In this example, the RSA server is on the internal network and has an IP address of The FortiOS internal interface address is The RADIUS shared secret is fortinet123, and the RADIUS server is at IP address

To configure the RSA SecurID 130 appliance:
  1. Log on to the SecurID IMS console.

  2. Go to RADIUS > RADIUS clients, then select Add New.

  3. Configure your FortiGate as a SecurID client:

    RADIUS Client Basics
      Client Name
      Associated RSA Agent

    RADIUS Client Settings
      IP Address: Enter the FortiOS internal interface. In this example, it is
      Make / Model: Select Standard Radius.
      Shared Secret: Enter the RADIUS shared secret. In this example, it is fortinet123.
      Leave unselected.
      Client Status: Leave unselected.

  4. Click Save.

To configure the FortiGate as an agent host on the RSA ACE/Server:
  1. On the RSA ACE/Server, go to Start > Programs > RSA ACE/Server, then Database Administration - Host Mode.

  2. From the Agent Host menu, select Add Agent Host.

  3. Configure the following:

    Network Address: Enter the FortiOS internal interface. In this example, it is
    Secondary Nodes: You can optionally enter other IP addresses that resolve to the FortiGate.

For more information, see the RSA ACE/Server documentation.

To configure the RADIUS server in FortiOS:
  1. Go to User & Authentication > RADIUS Servers, then click Create New.

  2. Configure the following:

    Authentication method: Select Default.
    Primary Server
      IP/Name: You can click Test to ensure the IP address is correct and that FortiOS can contact the RADIUS server.




  3. Click OK.

To create a SecurID user group:
  1. Go to User & Authentication > User Groups. Click Create New.

  2. Configure the following:

  3. In Remote Groups, click Add, then select the RSA server.

  4. Click OK.

To create a SecurID user:
  1. Go to User & Authentication > User Definition. Click Create New.

  2. Configure the following:

    User Type: Remote RADIUS User
    RADIUS Server
    Contact Info: (Optional) Enter email or SMS information.
    User Group

  3. Click Create.

You can test the configuration by entering the diagnose test authserver radius RSA auto wloman 111111111 command, where RSA is the RADIUS server name configured in FortiOS, auto is the authentication method, and wloman is the user name. The series of 1s stands for the OTP that your RSA SecurID token generates; replace it with the code the token currently displays.
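The RADIUS exchange that the diagnose command and every SecurID logon trigger between the agent host and the RSA side, as an added example that is not part of this page or of Fortinet's or RSA's code: the FortiGate hides the token code with the shared secret (RFC 2865 PAP obfuscation), the server recovers and checks it, and the FortiGate accepts the reply only if the Response Authenticator verifies under the same secret. The user name, OTP and shared secret are the page's example values; the token table is a constructed stand-in for the RSA ACE/Server's token database.

```python
import hashlib, os, struct

# Added example, not Fortinet or RSA code; token table below is constructed.
SECRET = b"fortinet123"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    data = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; the chain key is derived from the hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def agent_request(ident, user, otp, secret=SECRET):
    """Agent host (FortiGate) side: Access-Request carrying the PAP-hidden token code."""
    auth = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = attribute(USER_NAME, user.encode()) + attribute(USER_PASSWORD, pap_hide(otp.encode(), secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def server_reply(request, valid_otps, secret=SECRET):
    """RSA side: recover the OTP, check it, and sign the reply with the shared secret."""
    ident, req_auth, attrs = request[1], request[4:20], parse_attrs(request[20:])
    otp = pap_reveal(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if valid_otps.get(attrs[USER_NAME].decode()) == otp else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def agent_accepts(request, reply, secret=SECRET):
    """Agent trusts a reply only if its Response Authenticator verifies under the shared secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and reply[4:20] == expected and reply[0] == ACCESS_ACCEPT
```

A secret that differs between the two sides fails twice: the server cannot recover the OTP and rejects, and the agent cannot verify the reply's authenticator, which is why a mismatched shared secret shows up as a failed test even with a correct token code.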

Configuring authentication with SecurID

You can use the SecurID user group in several FortiOS features that authenticate by user group, such as the security policy, IPsec VPN XAuth, PPTP, and SSL VPN described below.

Unless stated otherwise, the following examples use default values.

Security policy

The example creates a security policy that allows HTTP, FTP, and POP3 traffic from the internal interface to WAN1. If these interfaces are not available in FortiOS, substitute other similar interfaces.

To configure a security policy with SecurID authentication:
  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New.

  3. Configure the following:

    Incoming Interface
    Source Address
    Source User(s)
    Outgoing Interface
    Destination Address
    Shared Shaper: If you want to limit traffic or guarantee minimum bandwidth for traffic that uses the SecurID security policy, enable and use the default shaper, guarantee-100kbps.
    Log Allowed Traffic: Enable if you want to generate usage reports on traffic that this policy has authenticated.

  4. Click OK.

IPsec VPN XAuth

In VPN > IPsec Wizard, select the SecurID user group on the Authentication page. The SecurID user group members must enter their SecurID code to authenticate.

PPTP

When configuring PPTP in the CLI, set usrgrp to the SecurID user group.

SSL VPN

You must map the SecurID user group to the portal that will serve SecurID users and include the SecurID user group in the security policy's Source User(s) field.

To map the SecurID group to an SSL VPN portal:
  1. Go to VPN > SSL-VPN Settings.

  2. Under Authentication/Portal Mapping, click Create New.

  3. Configure the following:

    Select the desired portal.

  4. Click OK.