RSA ACE (SecurID) servers
SecurID is a two-factor system that uses one-time password (OTP) authentication. It is produced by the company RSA. This system includes portable tokens carried by users, an RSA ACE/Server, and an Agent Host. In our configuration, the FortiGate unit is the Agent Host.
Components
When using SecurID, users carry a small device or “token” that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.
The RSA ACE/Server is the management component of the SecurID system. It stores and validates the information about the SecurID tokens allowed on your network. Alternately the server could be an RSA SecurID 130 Appliance.
The Agent Host is the server on your network, in this case it is the FortiGate unit, that intercepts user logon attempts. The Agent Host gathers the user ID and password entered from their SecurID token, and sends that information to the RSA ACE/Server to be validated. If valid, a reply comes back indicating it is a valid logon and the FortiGate unit allows the user access to the network resources specified in the associated security policy.
Configuring the SecurID system
To use SecurID with a FortiGate unit, you need:
RSA ACE (SecurID) servers
- to configure the RSA server and the RADIUS server to work with each other (see RSA server documentation) l to configure the RSA SecurID 130 Appliance or
- to configure the FortiGate unit as an Agent Host on the RSA ACE/Server l to configure the FortiGate unit to use the RADIUS server l to create a SecurID user group
- to configure a security policy with SecurID authentication
The following instructions are based on RSA ACE/Server version 5.1, or RSA SecurID 130 Appliance, and assume that you have successfully completed all the external RSA and RADIUS server configuration steps listed above.
For this example, the RSA server is on the internal network, with an IP address of 192.128.100.100. The FortiGate unit internal interface address is 192.168.100.3, RADIUS shared secret is fortinet123, RADIUS server is at IP address 192.168.100.102.
To configure the RSA SecurID 130 Appliance
- Go to the IMS Console for SecurID and logon.
- Go to RADIUS > RADIUS Clients, and select Add New.
- Enter the following information to configure your FortiGate as a SecurID Client, and select Save.
RADIUS Client Basics | |
Client Name | FortiGate |
Associated RSA Agent | FortiGate |
RADIUS Client Settings | |
IP Address | 192.168.100.3
The IP address of the FortiGate unit internal interface. |
Make / Model | Select Standard Radius |
Shared Secret | fortinet123
The RADIUS shared secret. |
Accounting | Leave unselected |
Client Status | Leave unselected |
To configure the FortiGate unit as an Agent Host on the RSA ACE/Server
- On the RSA ACE/Server computer, go to Start > Programs > RSA ACE/Server, and then Database Administration – Host Mode.
- On the Agent Host menu, select Add Agent Host.
- Enter and save the following information.
Name | FortiGate |
Network Address | 192.168.100.3
The IP address of the FortiGate unit. |
Secondary Nodes | Optionally enter other IP addresses that resolve to the FortiGate unit. |
If needed, refer to the RSA ACE/Server documentation for more information.
To configure the FortiGate unit to use the RADIUS server
- Go to User & Device > RADIUS Servers and select Create New.
- Enter the following information, and select OK.
Name | RSA |
Primary Server IP/Name | 192.168.100.102
Optionally select Test to ensure the IP address is correct and the FortiGate can contact the RADIUS server. |
Primary Server Secret | fortinet123 |
Authentication Scheme | Select Use Default Authentication Scheme. |
To create a SecurID user group
- Go to User & Device > User Groups, and select Create New.
- Enter the following information.
Name | RSA_group |
Type | Firewall |
- In Remote Groups, select Add, then select the RSA server.
- Select OK.
To create a SecurID user:
- Go to User & Device > User Definition, and select Create New.
- Use the wizard to enter the following information, and then select Create.
User Type | Remote RADIUS User |
User Name | wloman |
RADIUS Server | RSA |
Contact Info | (optional) Enter Email or SMS information |
User Group | RSA_group |
RSA ACE (SecurID) servers
To test this configuration, on your FortiGate unit use the CLI command:
diagnose test authserver radius RSA auto wloman 111111111
The series of 1s is the one time password that your RSA SecurID token generates and you enter.
Using the SecurID user group for authentication
You can use the SecurID user group in several FortiOS features that authenticate by user group including l Security policy l IPsec VPN XAuth l PPTP VPN l SSL VPN
The following sections assume the SecurID user group is called securIDgrp and has already been configured. Unless otherwise states, default values are used.
Security policy
To use SecurID in a security policy, you must include the SecurID user group in a security policy. This procedure will create a security policy that allows HTTP, FTP, and POP3 traffic from the internal interface to wan1. If these interfaces are not available on your FortiGate unit, substitute other similar interfaces.
To configure a security policy with SecurID authentication
- Go to Policy & Objects > IPv4 Policy.
- Select Create New.
- Enter:
Incoming Interface | internal |
Source Address | all |
Source User(s) | securIDgrp |
Outgoing Interface | wan1 |
Destination Address | all |
Schedule | always |
Services | HTTP, FTP, POP3 |
Action | ACCEPT |
NAT | On |
Shared Shaper | On, if you want to either limit traffic or guarantee minimum bandwidth for traffic that uses the SecurID security policy. Use the default shaper guarantee-100kbps. |
Log Allowed Traffic | On, if you want to generate usage reports on traffic authenticated with this policy. |
- Select OK.
The SecurID security policy is configured.
For more detail on configuring security policies, see the FortiOS Handbook FortiGate Fundamentals guide.
IPsec VPN XAuth
Extended Authentication (XAuth) increases security by requiring user authentication in addition to the preshared key.
When creating an IPsec VPN using the wizard, under VPN > IPsec Wizard, select the SecurID User Group on the Authentication page. Members of the SecurID group are required to enter their SecureID code to authenticate.
For more on XAuth, see Configuring XAuth authentication on page 96
PPTP VPN
PPTP VPN is configured in the CLI. In the PPTP configuration (config vpn pptp), set usrgrp to the SecurID user group.
SSL VPN
You need to map the SecurID user group to the portal that will serve SecurID users and include the SecurID user group in the Source User(s) field in the security policy.
To map the SecurID group to an SSL VPN portal:
- Go to VPN > SSL-VPN Settings.
- In Authentication/Portal Mapping, select Create New.
- Enter
Users/Groups | securIDgrp |
Portal | Choose the portal. |
- Select OK.