Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 5.4.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Comprehensive Guide

    Home FortiToken Comprehensive Guide
    5.4.0
    8.0.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.7.0
    4.6.0

    Example: FortiToken two-factor authentication with RADIUS on a FortiAuthenticator

    Example: FortiToken two-factor authentication with RADIUS on a FortiAuthenticator

    In this scenario, you will set up FortiAuthenticator to function as a RADIUS server to allow SSL VPN users to authenticate with a FortiToken 210 device.

    This scenario assumes that you have already added the FortiToken, assigned it to the user, and added the user to a group for FortiToken users on FortiAuthenticator.

    You will configure a user, FortiToken 210, the RADIUS client on FortiAuthenticator, and FortiGate to use FortiAuthenticator as a RADIUS server. You will then create the SSL VPN tunnel.

    You can view a video of this configuration here.

    1. Add FortiToken to FortiAuthenticator:

      1. In FortiAuthenticator, go to Authentication > User Management > FortiTokens, and click Create New.

      2. Set Token type to FortiToken Hardware and enter the FortiToken serial number into the Serial numbers field. The serial number, located on the back of the FortiToken device, is case sensitive. Note that the token can only be registered to one device.

    2. 2. Add the FortiToken user to FortiAuthenticator:

      1. In FortiAuthenticator, go to Authentication > User Management > Local Users and click Create New.

      2. Enter a Username (gthreepwood), enter and confirm a password, and enable Allow RADIUS authentication.

      3. Click OK to access additional settings.

      4. Enable One-Time Password (OTP) authentication, set Deliver token codes from to FortiAuthenticator, set Deliver token code by to FortiToken, select the FortiToken added earlier from the Token field, and then click OK to save.

      5. Go to Authentication > User Management > User Groups, create a user group (RemoteFortiTokenUsers), and add gthreepwood to the group.

    3. 3. Create the RADIUS Client on FortiAuthenticator:

      1. In FortiAuthenticator, go to Authentication > RADIUS Service > Clients and click Create New.

      2. Enter a name (OfficeServer), set Client address to IP/Hostname and enter the IP address of the FortiGate, and enter a Secret. The secret is a pre-shared, secure password that FortiGate will use to authenticate with FortiAuthenticator.

      3. Go to Authentication > RADIUS Service > Policies and click Create New.

      4. Enter a Policy name and choose the FortiGate client in the RADIUS clients field. Click Next to continue.

      5. In the RADIUS attribute criteria section, click Next to continue.

      6. In Authentication Type, select Password/OTP authentication.

      7. In Realms, set Realm to local | Local users and enable Filter. Note the Username input format. This is the format that the user must use to enter their username in the web portal.

      8. Edit the filter, choose the user group created earlier, click OK, then click Next to continue.

      9. Click Next and then click Save and exit to save the policy.

    4. 4. Connect FortiGate to the RADIUS Server:

      1. In FortiGate, go to User & Authentication > RADIUS Servers, and click Create New.

      2. Enter a Name (OfficeRADIUS), set Primary Server > IP/Name to the IP of the FortiAuthenticator, and enter the Secret created earlier.

        Use the Test Connectivity and Test User Credentials buttons to verify the connection. Click OK to save the RADIUS server.

        The FortiGate can now log into the RADIUS client added earlier in FortiAuthenticator.

      3. Go to User & Authentication > User Groups, and click Create New.

      4. Enter a Name (SSLVPNGroup), set Type to RADIUS Single Sign-On (RSSO), enter the RADIUS user group name (RemoteFortiTokenUsers) in the RADIUS Attribute Value field, then click OK.

    5. 5. Configure the SSL VPN on FortiGate:

      1. In FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal. Set Split Tunneling to Disabled.

      2. Go to VPN > SSL-VPN Settings.

      3. In Connection Settings, set Listen on Port to 10443.

      4. In Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

      5. In Authentication/Portal Mapping, click Create New. In Users/Groups, select the SSLVPNGroup, in Portal, select full-access, and click OK.

      6. In Authentication/Portal Mapping, select All Other Users/Groups and click Edit. Set Portal to web-access and click OK. This grants all other users access to the web portal only.

      7. Go to Policy & Objects > Firewall Policy and click Create New.

      8. Set Incoming Interface to SSL-VPN tunnel interface and set Outgoing Interface to the internet-facing interface.

      9. Set Source to the SSLVPNGroup user group and set Destination to all.

      10. Set Schedule to always, Service to ALL, and enable NAT.

      11. Click OK to save the new policy.

    6. 6. Check your results:

      1. From a remote device, open a web browser and navigate to the SSL-VPN web portal (https://FortiGate-IP:10443).Enter the user's credentials and click Login. Note that the username has to be entered in the format realm\username, as per the client configuration in FortiAuthenticator (in this example, local\gthreepwood).

      2. The user is prompted to enter their FortiToken code.

      3. Once the code is successfully entered, gthreepwood is successfully logged in to the SSL-VPN portal.

      4. In FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user's connection.

    Previous
    Next

    Example: FortiToken two-factor authentication with RADIUS on a FortiAuthenticator

    Example: FortiToken two-factor authentication with RADIUS on a FortiAuthenticator

    In this scenario, you will set up FortiAuthenticator to function as a RADIUS server to allow SSL VPN users to authenticate with a FortiToken 210 device.

    This scenario assumes that you have already added the FortiToken, assigned it to the user, and added the user to a group for FortiToken users on FortiAuthenticator.

    You will configure a user, FortiToken 210, the RADIUS client on FortiAuthenticator, and FortiGate to use FortiAuthenticator as a RADIUS server. You will then create the SSL VPN tunnel.

    You can view a video of this configuration here.

    1. Add FortiToken to FortiAuthenticator:

      1. In FortiAuthenticator, go to Authentication > User Management > FortiTokens, and click Create New.

      2. Set Token type to FortiToken Hardware and enter the FortiToken serial number into the Serial numbers field. The serial number, located on the back of the FortiToken device, is case sensitive. Note that the token can only be registered to one device.

    2. 2. Add the FortiToken user to FortiAuthenticator:

      1. In FortiAuthenticator, go to Authentication > User Management > Local Users and click Create New.

      2. Enter a Username (gthreepwood), enter and confirm a password, and enable Allow RADIUS authentication.

      3. Click OK to access additional settings.

      4. Enable One-Time Password (OTP) authentication, set Deliver token codes from to FortiAuthenticator, set Deliver token code by to FortiToken, select the FortiToken added earlier from the Token field, and then click OK to save.

      5. Go to Authentication > User Management > User Groups, create a user group (RemoteFortiTokenUsers), and add gthreepwood to the group.

    3. 3. Create the RADIUS Client on FortiAuthenticator:

      1. In FortiAuthenticator, go to Authentication > RADIUS Service > Clients and click Create New.

      2. Enter a name (OfficeServer), set Client address to IP/Hostname and enter the IP address of the FortiGate, and enter a Secret. The secret is a pre-shared, secure password that FortiGate will use to authenticate with FortiAuthenticator.

      3. Go to Authentication > RADIUS Service > Policies and click Create New.

      4. Enter a Policy name and choose the FortiGate client in the RADIUS clients field. Click Next to continue.

      5. In the RADIUS attribute criteria section, click Next to continue.

      6. In Authentication Type, select Password/OTP authentication.

      7. In Realms, set Realm to local | Local users and enable Filter. Note the Username input format. This is the format that the user must use to enter their username in the web portal.

      8. Edit the filter, choose the user group created earlier, click OK, then click Next to continue.

      9. Click Next and then click Save and exit to save the policy.

    4. 4. Connect FortiGate to the RADIUS Server:

      1. In FortiGate, go to User & Authentication > RADIUS Servers, and click Create New.

      2. Enter a Name (OfficeRADIUS), set Primary Server > IP/Name to the IP of the FortiAuthenticator, and enter the Secret created earlier.

        Use the Test Connectivity and Test User Credentials buttons to verify the connection. Click OK to save the RADIUS server.

        The FortiGate can now log into the RADIUS client added earlier in FortiAuthenticator.

      3. Go to User & Authentication > User Groups, and click Create New.

      4. Enter a Name (SSLVPNGroup), set Type to RADIUS Single Sign-On (RSSO), enter the RADIUS user group name (RemoteFortiTokenUsers) in the RADIUS Attribute Value field, then click OK.

    5. 5. Configure the SSL VPN on FortiGate:

      1. In FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal. Set Split Tunneling to Disabled.

      2. Go to VPN > SSL-VPN Settings.

      3. In Connection Settings, set Listen on Port to 10443.

      4. In Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

      5. In Authentication/Portal Mapping, click Create New. In Users/Groups, select the SSLVPNGroup, in Portal, select full-access, and click OK.

      6. In Authentication/Portal Mapping, select All Other Users/Groups and click Edit. Set Portal to web-access and click OK. This grants all other users access to the web portal only.

      7. Go to Policy & Objects > Firewall Policy and click Create New.

      8. Set Incoming Interface to SSL-VPN tunnel interface and set Outgoing Interface to the internet-facing interface.

      9. Set Source to the SSLVPNGroup user group and set Destination to all.

      10. Set Schedule to always, Service to ALL, and enable NAT.

      11. Click OK to save the new policy.

    6. 6. Check your results:

      1. From a remote device, open a web browser and navigate to the SSL-VPN web portal (https://FortiGate-IP:10443).Enter the user's credentials and click Login. Note that the username has to be entered in the format realm\username, as per the client configuration in FortiAuthenticator (in this example, local\gthreepwood).

      2. The user is prompted to enter their FortiToken code.

      3. Once the code is successfully entered, gthreepwood is successfully logged in to the SSL-VPN portal.

      4. In FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user's connection.

    Previous
    Next