RSA ACE (SecurID) servers

SecurID is a two-factor system produced by the company RSA that uses one-time password (OTP) authentication. This system consists of the following:

  • Portable tokens that users carry
  • RSA ACE/Server
  • Agent host (the FortiGate)

When using SecurID, users carry a small device or "token" that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.

The RSA ACE/Server is the SecurID system's management component. It stores and validates the information about the SecurID tokens allowed on your network. Alternately, the server can be an RSA SecurID 130 appliance.

The agent host is the server on your network. In this case, this is the FortiGate, which intercepts user logon attempts. The agent host gathers the user ID and password entered from the SecurID token and sends the information to the RSA ACE/Server for validation. If valid, the RSA ACE/Server returns a reply indicating that it is a valid logon and FortiOS allows the user access to the network resources specified in the associated security policy.

Configuring SecurID with FortiOS consists of the following:

  1. Configure the RSA and RADIUS servers to work with each other. See RSA server documentation.

  2. Do one of the following:

    1. Configure the RSA SecurID 130 appliance.

    2. Configure the FortiGate as an agent host on the RSA ACE/Server.

  3. Configure the RADIUS server in FortiOS.

  4. Create a SecurID user group.

  5. Create a SecurID user.

  6. Configure authentication with SecurID.

The following instructions are based on RSA ACE/Server 5.1 and RSA SecurID 130 appliance. They assume that you have successfully completed all external RSA and RADIUS server configuration.

In this example, the RSA server is on the internal network and has an IP address of The FortiOS internal interface address is The RADIUS shared secret is fortinet123, and the RADIUS server is at IP address

To configure the RSA SecurID 130 appliance:
  1. Log on to the SecurID IMS console.

  2. Go to RADIUS > RADIUS clients, then select Add New.

    RADIUS Client Basics


    Client Name



    Associated RSA Agent


    RADIUS Client Settings


    IP Address

    Enter the FortiOS internal interface. In this example, it is


    Make / Model

    Select Standard Radius.


    Shared Secret

    Enter the RADIUS shared secret. In this example, it is fortinet123.



    Leave unselected.


    Client Status

    Leave unselected.

  3. Configure your FortiGate as a SecurID client:

  4. Click Save.

To configure the FortiGate as an agent host on the RSA ACE/Server:
  1. On the RSA ACE/Server, go to Start > Programs > RSA ACE/Server, then Database Administration - Host Mode.

  2. From the Agent Host menu, select Add Agent Host.

  3. Configure the following:



    Network Address

    Enter the FortiOS internal interface. In this example, it is

    Secondary Nodes

    You can optionally enter other IP addresses that resolve to the FortiGate.

For more information, see the RSA ACE/Server documentation.

To configure the RADIUS server in FortiOS:
  1. Go to User & Authentication > RADIUS Servers, then click Create New.

  2. Configure the following: