RSA ACE (SecurID) servers

SecurID is a two-factor system that uses one-time password (OTP) authentication. It is produced by the company RSA. This system includes portable tokens carried by users, an RSA ACE/Server, and an Agent Host. In our configuration, the FortiGate unit is the Agent Host.

Components

When using SecurID, users carry a small device or “token” that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.

The RSA ACE/Server is the management component of the SecurID system. It stores and validates the information about the SecurID tokens allowed on your network. Alternatively, the server could be an RSA SecurID 130 Appliance.

The Agent Host is the server on your network (in this case, the FortiGate unit) that intercepts user logon attempts. The Agent Host gathers the user ID and the password the user enters from their SecurID token, and sends that information to the RSA ACE/Server to be validated. If the reply indicates a valid logon, the FortiGate unit allows the user access to the network resources specified in the associated security policy.

Configuring the SecurID system

To use SecurID with a FortiGate unit, you need:

  • to configure the RSA server and the RADIUS server to work with each other (see RSA server documentation)
  • to configure the RSA SecurID 130 Appliance, or to configure the FortiGate unit as an Agent Host on the RSA ACE/Server
  • to configure the FortiGate unit to use the RADIUS server
  • to create a SecurID user group
  • to configure a security policy with SecurID authentication

The following instructions are based on RSA ACE/Server version 5.1, or RSA SecurID 130 Appliance, and assume that you have successfully completed all the external RSA and RADIUS server configuration steps listed above.

For this example, the RSA server is on the internal network, with an IP address of 192.128.100.100. The FortiGate unit internal interface address is 192.168.100.3, RADIUS shared secret is fortinet123, RADIUS server is at IP address 192.168.100.102.

To configure the RSA SecurID 130 Appliance

  1. Go to the IMS Console for SecurID and log on.
  2. Go to RADIUS > RADIUS Clients, and select Add New.
  3. Enter the following information to configure your FortiGate as a SecurID Client, and select Save.

     RADIUS Client Basics
       Client Name: FortiGate
       Associated RSA Agent: FortiGate

     RADIUS Client Settings
       IP Address: 192.168.100.3 (the IP address of the FortiGate unit internal interface)
       Make / Model: Select Standard Radius
       Shared Secret: fortinet123 (the RADIUS shared secret)
       Accounting: Leave unselected
       Client Status: Leave unselected

To configure the FortiGate unit as an Agent Host on the RSA ACE/Server

  1. On the RSA ACE/Server computer, go to Start > Programs > RSA ACE/Server, and then Database Administration – Host Mode.
  2. On the Agent Host menu, select Add Agent Host.
  3. Enter and save the following information.

     Name: FortiGate
     Network Address: 192.168.100.3 (the IP address of the FortiGate unit)
     Secondary Nodes: Optionally enter other IP addresses that resolve to the FortiGate unit.

If needed, refer to the RSA ACE/Server documentation for more information.

To configure the FortiGate unit to use the RADIUS server

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter the following information, and select OK.

     Name: RSA
     Primary Server IP/Name: 192.168.100.102
       Optionally select Test to ensure the IP address is correct and the FortiGate can contact the RADIUS server.
     Primary Server Secret: fortinet123
     Authentication Scheme: Select Use Default Authentication Scheme.

To create a SecurID user group

  1. Go to User & Device > User Groups, and select Create New.
  2. Enter the following information.

     Name: RSA_group
     Type: Firewall

  3. In Remote Groups, select Add, then select the RSA server.
  4. Select OK.

To create a SecurID user:

  1. Go to User & Device > User Definition, and select Create New.
  2. Use the wizard to enter the following information, and then select Create.

     User Type: Remote RADIUS User
     User Name: wloman
     RADIUS Server: RSA
     Contact Info (optional): Enter Email or SMS information
     User Group: RSA_group

To test this configuration, on your FortiGate unit use the CLI command:

diagnose test authserver radius RSA auto wloman 111111111

The series of 1s stands in for the one-time password that your RSA SecurID token generates and you enter.

Using the SecurID user group for authentication

You can use the SecurID user group in several FortiOS features that authenticate by user group, including:

  • Security policy
  • IPsec VPN XAuth
  • PPTP VPN
  • SSL VPN

The following sections assume the SecurID user group is called securIDgrp and has already been configured. Unless otherwise stated, default values are used.

Security policy

To use SecurID in a security policy, you must include the SecurID user group in a security policy. This procedure will create a security policy that allows HTTP, FTP, and POP3 traffic from the internal interface to wan1. If these interfaces are not available on your FortiGate unit, substitute other similar interfaces.

To configure a security policy with SecurID authentication

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Enter:

     Incoming Interface: internal
     Source Address: all
     Source User(s): securIDgrp
     Outgoing Interface: wan1
     Destination Address: all
     Schedule: always
     Services: HTTP, FTP, POP3
     Action: ACCEPT
     NAT: On
     Shared Shaper: On, if you want to either limit traffic or guarantee minimum bandwidth for traffic that uses the SecurID security policy. Use the default shaper guarantee-100kbps.
     Log Allowed Traffic: On, if you want to generate usage reports on traffic authenticated with this policy.

  4. Select OK.

The SecurID security policy is configured.
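The RADIUS server, remote user, user group and security policy procedures above, expressed as the equivalent FortiOS CLI. This is an added example, not configuration from the original page; it assumes the names and addresses used in the procedures on this page, uses the RSA_group created earlier in place of securIDgrp, and the policy name SecurID_policy is a constructed placeholder.

```fortios
# RADIUS server object (User & Device > RADIUS Servers) pointing at the
# RADIUS server that fronts the RSA ACE/Server; "auto" is the default
# authentication scheme.
config user radius
    edit "RSA"
        set server "192.168.100.102"
        set secret fortinet123
        set auth-type auto
    next
end

# Remote RADIUS user (User & Device > User Definition).
config user local
    edit "wloman"
        set type radius
        set radius-server "RSA"
    next
end

# Firewall user group with the RSA server as its remote member
# (User & Device > User Groups); the user is added as a member as well.
config user group
    edit "RSA_group"
        set group-type firewall
        set member "RSA" "wloman"
    next
end

# Security policy internal -> wan1 for HTTP, FTP and POP3 that requires
# a member of RSA_group to authenticate (Policy & Objects > IPv4 Policy).
# "SecurID_policy" is a constructed name.
config firewall policy
    edit 0
        set name "SecurID_policy"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "RSA_group"
        set action accept
        set schedule "always"
        set service "HTTP" "FTP" "POP3"
        set nat enable
        set traffic-shaper "guarantee-100kbps"
        set logtraffic all
    next
end
```

Apply the sections in this order, since each object must exist before a later section references it; the diagnose test authserver command shown earlier exercises the RADIUS object and the user without needing the policy.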

For more detail on configuring security policies, see the FortiOS Handbook FortiGate Fundamentals guide.

IPsec VPN XAuth

Extended Authentication (XAuth) increases security by requiring user authentication in addition to the preshared key.

When creating an IPsec VPN using the wizard, under VPN > IPsec Wizard, select the SecurID User Group on the Authentication page. Members of the SecurID group are required to enter their SecurID code to authenticate.

For more on XAuth, see Configuring XAuth authentication on page 96.

PPTP VPN

PPTP VPN is configured in the CLI. In the PPTP configuration (config vpn pptp), set usrgrp to the SecurID user group.

SSL VPN

You need to map the SecurID user group to the portal that will serve SecurID users and include the SecurID user group in the Source User(s) field in the security policy.

To map the SecurID group to an SSL VPN portal:

  1. Go to VPN > SSL-VPN Settings.
  2. In Authentication/Portal Mapping, select Create New.
  3. Enter:

     Users/Groups: securIDgrp
     Portal: Choose the portal.

  4. Select OK.

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
