FortiToken two-factor authentication with RADIUS on a FortiAuthenticator

1. Adding the FortiToken to FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > FortiToken, and select Create New.

Make sure Token type is set to FortiToken 200, and enter the FortiToken’s serial number into the field provided.

2. Adding the FortiToken user to FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > Local Users, and select Create New.

Enter a Username (gthreepwood), enter and confirm a password, and make sure that Allow RADIUS authentication is enabled.

Select OK to access additional settings.

Next, go to Authentication > User Management > User Groups, create a user group (RemoteFortiTokenUsers), and add gthreepwood to the group.

3. Creating the RADIUS Client on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.

Enter a name (OfficeServer), set Client name/IP to the IP of the FortiGate, and set a Secret. The secret is a pre-shared, secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

Set Authentication method to Enforce two-factor authentication, set Realms to local | Local users, and add RemoteFortiTokenUsers to the Groups filter.

Note the Username input format. This is the format that the user must use to enter their username in the web portal.

4. Connecting the FortiGate to the RADIUS Server

On the FortiGate, go to User & Device > RADIUS Servers, and select Create New.

Enter a Name (OfficeRADIUS), set Primary Server IP/Name to the IP of the FortiAuthenticator, and enter the Secret created before.

Test the connectivity and enter the credentials for gthreepwood. The test should come back with a successful connection.
The FortiGate can now log into the RADIUS client added earlier to the FortiAuthenticator.

On the FortiGate, go to User & Device > User Groups, and select Create New.

Enter a Name (SSLVPNGroup), and under Remote groups, select Create New.

Select OfficeRADIUS under the Remote Server dropdown menu.

5. Configuring the SSL VPN on FortiGate

On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL-VPN Settings.

Under Connection Settings set Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

Under Authentication/Portal Mapping, select Create New.

Assign the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access — this will grant all other users access to the web portal only.

Go to Policy & Objects > IPv4 Policy and create a new SSL-VPN policy.

Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing interface.

Set Source to the SSLVPNGroup user group and set Destination Address to all.

Set Schedule to always, Service to ALL, and enable NAT.

6. Results

From a remote device, open a web browser and navigate to the SSL VPN web portal (https://FortiGate-IP:10443).

Enter gthreepwood‘s credentials and select Login.

Note that the username has to be entered in the format ‘realm\username‘, as per the client configuration on the FortiAuthenticator (in this example, local\gthreepwood).

The user will then be prompted to enter their FortiToken code.

Once the code is successfully entered, gthreepwood will successfully log into the SSL VPN Portal.

On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user’s connection.