In this recipe, you will create an SSL VPN with two-factor authentication consisting of a username/password and an SMS token. The SMS token is generated by FortiAuthenticator using the FortiGuard Messaging Service.
1. Creating an SMS user and user group on the FortiAuthenticator
On the FortiAuthenticator, go to Authentication > User Management > Local Users and add or modify a user to include SMS Token-based authentication and a Mobile number that uses the preferred SMS gateway, as shown. The Mobile number must be in the format: Enable Allow RADIUS authentication.
Go to Authentication > User Management > User Groups and add the above user to a new SMS user group (in the example, ‘SMSgroup’).
2. Configuring the FortiAuthenticator RADIUS client
Go to Authentication > RADIUS Service > Clients and create a new RADIUS client. Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56). Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.
Choose to Enforce two-factor authentication and add the SMS user group to the Realms group filter as shown. Select Save and then OK.
3. Configuring the FortiGate authentication settings
On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP address and pre-shared secret. Use the Test Connectivity button to make sure that the FortiGate can communicate with the FortiAuthenticator.
Next, go to User & Device > User > User Groups and create a RADIUS user group called RADIUSgroup. Set the Type to Firewall and add the RADIUS server to the Remote groups table.
4. Configuring the SSL VPN
Go to VPN > SSL > Settings. Under Connection Settings, set Listen on Port to 10443 and set IP Ranges to the SSL VPN tunnel address range. Under Authentication/Portal Mapping, select Create New. Assign the RADIUSgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.
5. Creating the security policy for VPN access to the Internet
Go to Policy & Objects > Policy > IPv4 and create an ssl.root – wan1 policy. Set Source User(s) to the RADIUSgroup user group. Set Outgoing Interface to wan1 and Destination Address to all. Set Service to ALL and ensure that you enable NAT.
6. Results
In this example, we will use the web portal to access the SSL VPN and test the two-factor authentication.
Open a browser and navigate to the SSL VPN web portal, in this case https://172.20.121.56:10443. Enter a valid username and password and select Login. You should be prompted to enter a FortiToken Code.

The FortiToken Code should have been sent to your mobile phone as a text message containing a 6-digit number. Enter the number into the SSL VPN login portal and select Login.
You should now have access to the SSL VPN tunnel.

To verify that the user has connected to the tunnel, go to VPN > Monitor > SSL-VPN Monitor.
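What the FortiGate and the FortiAuthenticator exchange behind the two prompts above, as an added Python model that is not code from the recipe or from Fortinet: it implements RFC 2865 User-Password hiding with the pre-shared secret from step 2, rejects a wrong first factor before any SMS is sent, and carries the FortiToken Code round in a State-bound Access-Challenge. The user store, secret and SMS outbox are constructed stand-ins, and packet encoding, UDP transport and the Response Authenticator are deliberately left out; the challenge behaviour is assumed, not copied from FortiAuthenticator's own implementation.

```python
import hashlib
import secrets

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block),
    starting from the Request Authenticator. Only a peer holding the same secret can reverse it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; with a mismatched shared secret it yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

class SmsRadiusServer:
    """Constructed stand-in for the FortiAuthenticator RADIUS service with two-factor enforced."""
    def __init__(self, secret: bytes, users: dict):
        self.secret, self.users, self.pending, self.sms_outbox = secret, users, {}, []
    def handle(self, req: dict) -> dict:
        # req models the Access-Request attributes: User-Name, hidden User-Password,
        # the 16-byte Request Authenticator and, on the second round, State.
        cleartext = unhide_password(req["password"], self.secret, req["authenticator"])
        if "state" in req:  # second round: the value typed at the FortiToken Code prompt
            expected = self.pending.pop(req["state"], None)
            return {"code": "Access-Accept" if expected and cleartext == expected else "Access-Reject"}
        if self.users.get(req["user"]) != cleartext:  # first factor wrong: no SMS is sent
            return {"code": "Access-Reject"}
        state, code = secrets.token_hex(8), f"{secrets.randbelow(10**6):06d}"
        self.pending[state] = code.encode()
        self.sms_outbox.append((req["user"], code))  # simulated SMS gateway delivery
        return {"code": "Access-Challenge", "state": state, "reply": "Enter FortiToken Code"}

def ssl_vpn_login(server: SmsRadiusServer, secret: bytes, user: str, password: bytes, read_sms) -> str:
    """The FortiGate side: one Access-Request per prompt, each with a fresh Request Authenticator."""
    ra = secrets.token_bytes(16)
    resp = server.handle({"user": user, "password": hide_password(password, secret, ra), "authenticator": ra})
    if resp["code"] != "Access-Challenge":
        return resp["code"]  # Access-Reject: the portal never shows the token prompt
    ra = secrets.token_bytes(16)  # State ties this round to the challenge; the code is hidden like a password
    resp = server.handle({"user": user, "password": hide_password(read_sms(), secret, ra),
                          "authenticator": ra, "state": resp["state"]})
    return resp["code"]
```

A secret typo on either side shows up as a rejection at the first prompt, which is why the recipe's Test Connectivity check in step 3 is worth running before touching the portal.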
The post SMS two-factor authentication for SSL VPN appeared first on Fortinet Cookbook.