Authentication servers

Leave a reply

Settings when Type is RADIUS Single Sign On Agent

Use RADIUS Shared Secret

Enable

Shared Secret          Enter the RADIUS server shared secret.

Send RADIUS Responses

Enable.

 

RSA ACE (SecurID) servers

SecurID is a two-factor system that uses one-time password (OTP) authentication. It is produced by the company RSA. This system includes portable tokens carried by users, an RSA ACE/Server, and an Agent Host. In our configuration, the FortiGate unit is the Agent Host.

 

Components

When using SecurID, users carry a small device or “token” that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.

The RSA ACE/Server is the management component of the SecurID system. It stores and validates the information about the SecurID tokens allowed on your network. Alternately the server could be an RSA SecurID 130 Appliance.

The Agent Host is the server on your network, in this case it is the FortiGate unit, that intercepts user logon attempts. The Agent Host gathers the user ID and password entered from their SecurID token, and sends that information to the RSA ACE/Server to be validated. If valid, a reply comes back indicating it is a valid logon and the FortiGate unit allows the user access to the network resources specified in the associated security policy.

 

Configuring the SecurID system

To use SecurID with a FortiGate unit, you need:

  • to configure the RSA server and the RADIUS server to work with each other (see RSA server documentation)
  • to configure the RSA SecurID 130 Appliance

or

  • to configure the FortiGate unit as an Agent Host on the RSA ACE/Server
  • to configure the FortiGate unit to use the RADIUS server
  • to create a SecurID user group
  • to configure a security policy with SecurID authentication

The following instructions are based on RSA ACE/Server version 5.1, or RSA SecurID 130 Appliance, and assume that you have successfully completed all the external RSA and RADIUS server configuration steps listed above.

For this example, the RSA server is on the internal network, with an IP address of 192.128.100.100. The FortiGate unit internal interface address is 192.168.100.3, RADIUS shared secret is fortinet123, RADIUS server is at IP address 192.168.100.102.

To configure the RSA SecurID 130 Appliance

1. Go to the IMS Console for SecurID and logon.

2. Go to RADIUS > RADIUS Clients, and select Add New.

3. Enter the following information to configure your FortiGate as a SecurID Client, and select Save.

RADIUS Client Basics

Client Name                               FortiGate

Associated RSA Agent             FortiGate

 

RADIUS Client Settings
IP Address                                 192.168.100.3

 

The IP address of the FortiGate unit internal interface.
Make / Model                             Select Standard Radius
Shared Secret                            fortinet123

 

The RADIUS shared secret.
Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
This entry was posted in FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.