FortiAuthenticator 4.1 Two-Factor Authentication Interoperability Guide

77 Pages · 2016 · 5.36 MB · English

FortiAuthenticator Two Factor Authentication Interoperability Guide VERSION 10 FORTINET DOCUMENT LIBRARY http://docsfortinetcom FORTINET VIDEO GUIDE http://videofortinetcom FORTINET BLOG https://blogfortinetcom CUSTOMER SERVICE & SUPPORT https://supportfortinetcom  http://cookbookfortinetcom/how to work with fortinet support/ FORTIGATE COOKBOOK http://cookbookfortinetcom FORTINET TRAINING SERVICES http://wwwfortinetcom/training FORTIGUARD CENTER http://wwwfortiguardcom END USER LICENSE AGREEMENT http://wwwfortinetcom/doc/legal/EULApdf FEEDBACK Email: [email protected] 9/2/2016 FortiAuthenticator 41 Two Factor Authentication Interoperability Guide 23 330 264235 20150901 TABLE OF CONTENTS Change Log 6 Introduction 7 Software versions 7 Basic Configuration of the FortiAuthenticator 8 Basic Configuration 8 Configuration Using the CLI 8 System Settings 9 DNS 9 Time Synchronization 9 Create a test token 9 Create test user 11 Configure a RADIUS Client 12 FortiGate 13 Create Remote RADIUS Connection 13 Single group defined Admin users 13 Create RADIUS_ Admins user group on FortiGate 14 Create a Wildcard Admin user 14 Testing 16 Results 18 Multiple group defined Admin users 18 Modify FortiAuthenticator groups 18 Create user groups on the FortiGate 20 Create Wildcard Admin users 21 Testing 22 Results 23 RADIUS packet captures 24 Attribute defined Admin users 26 Configure additional test users 26 Configure the Wildcard Admin user object 27 Testing 27 RADIUS packet captures 28 FortiAuthenticator Groups 30 RADIUS Packets 32 Authenticating SSL VPN Users 32 Create User Group 32 Firewall SSL VPN Policy 33 User Login – Password + Token PIN Appended 35 User Login – Token PIN Challenge 35 IPSec VPN 36 Create User Group 36 Edit Existing IKE Policy 36 FortiManager 38 Configure the RADIUS Server 38 Create the Admin Users 38 Testing 39 FortiWeb 41 Configure the RADIUS Server 41 Create an Admin Group 41 Create an Admin User 42 Admin Logon 42 FortiMail 44 Admin Login 44 Configure the 
RADIUS Server 44 Create the Admin User 45 Admin User Logon 45 Cisco IOS based switches and routers 46 Telnet Authentication 46 Configure Enable Authorization 47 Privilege Levels 48 Cisco ASA 49 Configuring System Authentication 49 Configuring Remote Access Authentication 51 Citrix Access Gateway 55 Configure the RADIUS Server 55 Create a logon point 56 User logon to the Citrix Access Gateway 57 F5 Big IP 59 Configure the AAA Server 59 User logon to the F5 Big IP Management interface 62 Linux Login 64 Integrating Linux with RADIUS (FortiAuthenticatoryf 64 Enabling Strong Authentication for SSH 64 Enabling Challenge Response 65 Apache Web Server 66 Modifying the Apache configuration 66 Appendix A – Debugging 68 Logging 68 Extended Logging 69 RADIUS Packet Generation 69 Appendix B – Supported Two Factor Authentication Methods 71 Appendix C – Syncing FortiTokens 75 Administrator Synchronization 75 User Synchronization 76 Change Log Change Log Date Change Description 2016 09 02 Updated information regarding using FortiAuthenticator to authenticate FortiGate administrators 2015 10 05 Initial release Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 6 Software versions Introduction Introduction This document has been produced to aid the configuration of the FortiAuthenticator Secure Authentication system with Fortinet solutions and other third party products Software versions Testing was performed with the following versions of software where applicable: l FortiAuthenticator 30 l FortiGate 50 GA PR4 l FortiWeb 40 MR3 PR6 l FortiClient Connect 40 MR3 l FortiManager 40 MR3 l Ubuntu 1104 l OpenSSH version 58p1 l Apache version 2217 l Citrix Access Gateway 50 7 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc Basic Configuration of the FortiAuthenticator Basic Configuration Basic Configuration of the FortiAuthenticator The Basic configuration of the FortiAuthenticator is shown below Any deviations or changes which are 
required from this configuration will be detailed in the relevant section For more details on the setup and configuration of the FortiAuthenticator see the Administration Guide at http://docsfortinetcom/fortiauthenticator/admin guides Basic Configuration On first boot, the FortiAuthenticator is configured to the default settings: Port 1 IP: 192168199 Port 1 Netmask: 2552552550 Default Gateway: 19216811 These setting can be modified by configuring aPC to an address on the same subnet and accessing the Web GUI via https://192168199/ ,alternatively you can use the CLI method below Configuration Using the CLI Basic configuration of the interface IP and gateway address can be done using the Command Line Interface (CLIyf Connect the Management Computer to the FortiAuthenticator unit using the supplied Console Cable Using asuitable terminal emulation program connect to the unit with the following settings: Baud Rate: 9600 Data Bits: 8 Parity: None Stop Bits: 1 Flow Control: None Log in to the FortiAuthenticator unit using the default credentials below: Username: admin Password: Configure the network settings as required, for example: set port1 ip 101199/24 set default gw 10111 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 8 System Settings Basic Configuration of the FortiAuthenticator This will give you access to the GUI via the specified IP address, in this case https://101199 System Settings Once the basic networking has been configured, further configuration can be performed via the GUI DNS To enable resolution of the FortiGuard network and other systems such as NTP servers, set your DNS to you local or ISP nameserver configuration via System >Network >DNS Time Synchronization FortiToken two factor authentication uses atime based algorithm to generate Token PINs for use in the authentication process  It is therefore essential that the time is accurate on the FortiAuthenticator system and NTP time synchronization is recommended  Change your 
settings to alocal NTP server for accurate timing via Dashboard >Status >System Time and select Change Create a test token To test two factor authentication aFortiToken will be required  The token serial can be found on the reverse of the token For security reasons atoken can only be automatically registered from the FortiGuard network asingle time Should you require to re register itasubsequent time, you should contact Fortinet support If you require to use atoken on multiple FortiGates, a FortiAuthenticator is recommended 9 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc Basic Configuration of the FortiAuthenticator Create atest token By default, each new installation comes with two FortiToken Mobile Tokens included  To register anew physical token (FTK200yf go to Authentication >User Management >FortiToken and select Create New For single tokens, enter the token serial in the Serial numbers dialogue box  To register multiple tokens, select the Once registered the token should show as status Available in the Authentication >User Management > FortiToken page When new, all tokens are set to adrift of 0which is ameasure of how close the time on the token and time on the FortiAuthenticator match  When new, this should be 0  If you are unable to authenticate at any time, this may be due to clock drift To force atoken drift synchronization, hover the mouse over the drift section for the token and click the Sync option which is displayed Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 10 Create test user Basic Configuration of the FortiAuthenticator You will be prompted to enter two consecutive PINs from the token  Ensure you have not just used the number for an authentication attempt; ifso, wait until the next number refreshed  Once synchronized wait until the next refresh before attempting to authenticate (token PINs are for one time use, regardless of what they are used foryf Create test user For the purpose of 
this interoperability test, asingle user will be created: johndoe Test user with RADIUS based username /password and FortiToken In Authentication >User Management >Local Users select Create New In the resulting dialogue, enter ausername and password for this test user account Once created, you will be provided with additional options to edit for the user  For the purpose of this document, all that is needed is to enable Two factor authentication by ticking the radio buttons and select the token serial you have just created from the drop down menu 11 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc Basic Configuration of the FortiAuthenticator Create test user Configure a RADIUS Client Before any device can connect to the FortiAuthenticator to authenticate users via RADIUS, itmust be configured as aRADIUS Client  For security reasons, until this is done, the FortiAuthenticator will ignore all authentication requests  In Authentication >RADIUS Service >Clients ,select Create New and on the resulting page, enter the details of the device you wish to authenticate  Enter aunique name for the device and the IP from which itwill be connecting  Note that this is the IP address of the device itself, not the IP that the users will be authenticating from In the secret section, enter asecret password which will be used by both ends of the RADIUS connection to secure the authentication process You will have to repeat this process for every device you wish to authenticate against the FortiAuthenticator Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 12 Create Remote RADIUS Connection FortiGate FortiGate Before proceeding, ensure that you have followed the steps detailed in Basic Configuration  Pay particularly attention to Configure aRADIUS Client and ensure you have created aNAS entry for the device you will be testing otherwise all authentication attempts will be ignored for security reasons The FortiGate appliance is the 
Gateway to your network therefore securing remote access, whether to the box itself (administration or to the network behind it(VPNyf is critical  FortiOS versions 40 MR3 and above support two factor authentication using FortiToken, however to perform two factor authentication to multiple FortiGate or to versions 40 MR2 and lower, you will want to use FortiAuthenticator to enable strong authentication Create Remote RADIUS Connection A RADIUS association is required for all FortiGate configurations described below so configure the system to point at the FortiAuthenticator In User >Remote >RADIUS select Create New and configure the details of the FortiAuthenticator  Enter the shared secret which you created previously Single group defined Admin users When the RADIUS Client (NASyf was defined on the FortiAuthenticator in the section titled Create User Groups, the FortiAuthenticator was configured to authenticate the group “RADIUS_ Admins” In this example we will use this to map all such users to the Super_ Admin permission No other users will be authenticated 13 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate Single group defined Admin users Create RADIUS_ Admins user group on FortiGate In User & Device > User > User Groups ,select Create New Create auser group of Type Firewall with name RADIUS_ Admins Select Add to attach aRemote Server to the Group and select your FortiAuthenticator For this example, select Group Name “Any” This is because the FortiAuthenticator was configured in the previous step to only authenticate users from the group “RADIUS_ Admins” Create a Wildcard Admin user In System > Admin > Administrators ,select Create New In the resulting page, enter the following: Administrator: RADIUS_ Wildcard_ Admins Type: Remote User Group: RADIUS_ Admins Wildcard: Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 14 Single group defined Admin users FortiGate Admin Profile: super_ admin Do not select 
Enable Two factor Authentication at this point The two factor authentication is done externally on the FortiAuthenticator, so the FortiGate does not need any configuration This is why the FortiAuthenticator is capable of providing two factor authentication to FortiOS 42 and below and third party systems which have no direct support for two factor authentication 15 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate Single group defined Admin users Testing Attempt to log into the FortiGate Administration GUI using the johndoe credentials: Username: johndoe Password: Token: An example is shown below: Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 16 Single group defined Admin users FortiGate It is also possible to authenticate using aconcatenated passcode eg for aPassword fortinet and one time PIN of 318008 ,the login would appear as shown below (except the password would be starred outyf: Login via the CLI Console will also be protected similarly: Successful authentication will provide the user with access to the device and will generate alogin event log on the FortiAuthenticator: If authentication is unsuccessful, follow the steps in Appendix A –Debugging to identify the issue 17 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate Multiple group defined Admin users Results User Permission granted johndoe super_ admin janedoe Login failed Unauthenticateduser Login failed Multiple group defined Admin users There are many situations where multiple administrative user groups are required on the FortiGate These could include situations where support have access to view the configuration, or where there are users with limited admin rights This section will demonstrate how this can be achieved to deliver the multiple administrative permission levels Modify FortiAuthenticator groups When multiple groups are configured, FortiGate needs to differentiate users based on their 
FortiAuthenticator group membership To do this, FortiAuthenticator must be configured to send group information with the RADIUS Access Accept packet To do this, configure the RADIUS Attribute Fortinet Group Name for each Group, as shown below: Name: RADIUS_ Admins Fortinet Group Name = RADIUS_ Admins Name: RADIUS_ Viewers Fortinet Group Name = RADIUS_ Viewers Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 18 Multiple group defined Admin users FortiGate Once the two groups have been created, they must be added to the group list authenticated for that RADIUS Client/NAS as shown: 19 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate Multiple group defined Admin users Create user groups on the FortiGate In User & Device > User > User Groups ,select Create New Create two user groups with their Type set to Firewall named RADIUS_ Admins and RADIUS_ Viewers Select Add to attach aRemote Server to the Group and select your FortiAuthenticator In this example, FortiAuthenticator will be authenticating multiple groups so you must be able to differentiate between them Select Group Name and enter the appropriate group for each, as shown below: Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 20 Multiple group defined Admin users FortiGate Create Wildcard Admin users You will need to map the RADIUS Groups to the Admin Permissions To achieve this, create two new wildcard admin users Go to System > Admin > Administrators and select Create New In the resulting page, create a new user: Administrator: RADIUS_ Wildcard_ Admins Type: Remote User Group: RADIUS_ Admins Wildcard: Admin Profile: super_ admin Repeat this process for the RADIUS_ Viewers account: Administrator: RADIUS_ Wildcard_ Viewers Type: Remote User Group: RADIUS_ Viewers Wildcard: Admin Profile: ro_ admin Where ro_ admin will only allow read only access to the configuration 21 Two Factor Authentication Interoperability Guide Fortinet 
Technologies Inc FortiGate Multiple group defined Admin users Do not select  Enable Two factor Authentication at this point The two factor authentication is done externally on the FortiAuthenticator, so the FortiGate does not need to know itis happening This is why the FortiAuthenticator is capable of authenticating FortiOS 42 and below and third party systems which have no direct support for two factor authentication Testing Attempt to log into the FortiGate Administration GUI using the johndoe credentials: Username: johndoe Password: Token: An example is shown below: It is also possible to authenticate using aconcatenated passcode eg for aPassword fortinet and one time PIN of 318008 ,the login would appear as shown below (except the password would be starred outyf: Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 22 Multiple group defined Admin users FortiGate Login via the CLI Console will also be protected similarly: Successful authentication will provide the user with access to the device with the correct permissions level based on their group membership and will generate alogin event log on the FortiAuthenticator: Repeat the process with janedoe and unauthenticateduser ,who should obtain read only and failed login , respectively If authentication is unsuccessful in any way, follow the steps in Appendix A –Debugging to identify the issue Results User Permission granted johndoe super_ admin (Super user permissionyf janedoe ro_ admin (Read only adminyf Unauthenticateduser Login failed 23 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate Multiple group defined Admin users RADIUS packet captures RADIUS Query johndoe RADIUS Response johndoe Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 24 Multiple group defined Admin users FortiGate RADIUS Query janedoe RADIUS Response janedoe 25 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate Attribute 
defined Admin users RADIUS Query unauthenticateduser RADIUS Response unauthenticateduser Attribute defined Admin users While itis possible to define assigned users to groups, from which their administrative permissions are defined, it is also possible and more flexible to specify permissions via RADIUS Attributes FortiAuthenticator can return specific RADIUS attributes based on the Group membership or directly from the user configuration This section will describe the options available Configure additional test users For this test, additional users are created to demonstrate the range and flexibility of options available Five RADIUS users were created, each with different access rights configured via RADIUS attributes as follows: User: rnone Attributes: None User: ruser Attributes: Fortinet Access Profile = prof_ admin User: ronly Attributes: Fortinet Access Profile = read_ only User: radmin Attributes: Fortinet Access Profile = super_ admin Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 26 Attribute defined Admin users FortiGate Configure the Wildcard Admin user object Go to System > Admin > Administrators and select Create New In the resulting page, enter the following: Administrator: RADIUS_ Wildcard_ Admins Type: Remote User Group: RADIUS_ Admins Wildcard: Admin Profile: noaccess Note that anew admin profile was created and assigned called noaccess ,which users will default to ifthey do not have aRADIUS Attribute profile override set To enable RADIUS Attribute overriding of the admin profile, the highlighted command must be set on the CLI (this feature is not available in the GUIyf: config system admin edit "RADIUS_ Wildcard_ Admins" set remote auth enable set accprofile "noaccess" set vdom "root" set wildcard enable set remote group "radadmin" set radius accprofile override enable next end Testing The following is the result of logging in with each of the assigned users: User Permission granted rnone noaccess ruser prof_ admin ronly 
read_ only radmin super_ admin FortiOS 507 only supports RADIUS Attribute Override when concatenating the token passcode at the end of the password Challenge for token passcodes fails due to a bug This was resolved in FortiOS 52 27 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate Attribute defined Admin users RADIUS packet captures RADIUS Query rnone RADIUS Response rnone RADIUS Query ronly Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 28 Attribute defined Admin users FortiGate RADIUS Response ronly RADIUS Query radmin RADIUS Response radmin 29 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate Attribute defined Admin users There is also the ability to use wildcard accounts to avoid the need to specify each user locally  If this option is enabled, any user from the specified group (or from the whole RADIUS Server ifagroup is not specifiedyf will be able to authenticate  If this is required, create anew administrator with aname with adescriptive name (it will not be used to authenticateyf  When the wildcard option is selected, any user configured on the FortiAuthenticator who is in an allowed group will be able to authenticate In FortiOS 504, when wildcard users are configured the challenge response method is not supported, only token appended  This will be resolved in afuture release Do not select two factor authentication at this point The Two Factor Authentication is done externally, so the FortiGate does not need to know itis happening  This is why the FortiAuthenticator is capable of authenticating FortiOS 42 and below and third party systems which have no direct support for two factor authentication FortiAuthenticator Groups If aGroup Name was specified in the FortiGate configuration, for auser to correctly match the policy and be authenticated, aFortinet VSA (Vendor Specific Attributeyf must be configured on FortiAuthenticator  RADIUS Attributes are sent in the 
Access Accept packet and can be configured at the group or user level Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 30 Attribute defined Admin users FortiGate In this example, agroup called FW_ Admins is going to be created, containing the user johndoe with the Fortinet Group Name Attribute value of FW_ Admins On FortiAuthenticator, browse to Authentication >User Management >User Groups and select Create New Create anew group named FW_ Admins, select the user and click the right arrow to move them into the Selected Users Next, select Add Attribute and add the Fortinet Group Name Attribute with the value of FW_ Admins and select OK Log out of the FortiGate and log back into the FortiGate Admin GUI with your new credentials  The Username and Password used to authenticate will include the 6 digit two factor authentication PIN from your token: Username: johndoe Password: For example, ifthe password was fortinet and one time PIN was 318008 ,the login would become Successful authentication will provide the user with access to the device and will generate alogin event log on the FortiAuthenticator 31 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate Authenticating SSL VPN Users If authentication is unsuccessful, follow the steps in the Chapter Appendix A –Debugging to identify what is wrong RADIUS Packets The following shows the RADIUS Packet decodes for the Access Request from the FOrtiGate and the Access Accept from the FortiAuthenticator  The returned groups information that allows the user privilege to be set is displayed in the Fortinet VSA as Fortinet Group Name =FW_ Admins Authenticating SSL VPN Users This guide does not detail how to configure the SSL VPN, only how to enable secure authentication using FortiAuthenticator  For more information on configuring the SSL VPN please see the SSL VPN Guide for your specific firmware release here http://docsfortinetcom/d/fortigate ssl vpn 3 Create User Group In 
User >User Group ,select Create New Create agroup called SSLVPN_ Users ,set type to Firewall and enable Allow SSL VPN Access with your selected access permissions Under Remote Authentication Servers , select Add Select FortiAuthenticator from the drop down list and select OK to save Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 32 Authenticating SSL VPN Users FortiGate The Group Name configuration can be used to limit which users can authenticate or to limit what they can do in the VPN (by creating multiple groups in conjunction with the Allow SSL VPN Access optionyf Firewall SSL VPN Policy Create afirewall policy which enables SSL VPN access into you chosen network  In this example, apolicy is being created from WAN1 to the Internal network for the defined Group Go to Policy & Objects >Policy >IPv4 and select Create New Set Source Interface to WAN1 ,Destination Interface to Internal and Action to SSL VPN 33 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate Authenticating SSL VPN Users Enable Identity Based Policy and add all the user groups allowed to log into the SSL VPN Select the required Group from Available Select Any from the Available Services  Select OK  and OK  again on the Edit Policy page to save the settings  Where multiple user groups have been configured to allow differentiated VPN access, specify all user groups at this point eg Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 34 Authenticating SSL VPN Users FortiGate User Login – Password + Token PIN Appended Attempt to log into the FortiGate SSL VPN GUI eg https://192168199:10443 (depending upon your settingsyf with your new credentials  The Username and Password used to authenticate will include the 6 digit two factor authentication PIN from your token: Username: johndoe Password: For example, ifthe password was fortinet and one time PIN was 318008 ,the login would become Successful authentication will 
provide the user with access to the VPN Portal with the configuration specific to your configured user group and will generate alogin event log on the FortiAuthenticator If authentication is unsuccessful, follow the steps in the Chapter Debugging Authentication to identify what is wrong User Login – Token PIN Challenge Whilst the PIN Appended method is the most widely supported method of authentication for 3rd party systems, FortiGate SSL VPN supports the RADIUS Challenge Response mechanism  This allows the user to enter their username and password and then be challenged separately for the token PIN which is more intuitive  No changes need to be made to the systems to support either method and they can be used interchangeably Attempt to log into the FortiGate SSL VPN GUI eg https://192168199:10443 (dependent on your settingsyf with your new credentials Username: johndoe Password: For example, ifthe password was fortinet ,the login would become 35 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiGate IPSec VPN The FortiAuthenticator will detect that the password is correct but the token PIN has not been provided and issue aRADIUS Challenge FortiGate detects this and prompts the user for the additional information The user should enter the correct token PIN and select login Successful authentication will provide the user with access to the VPN Portal with the configuration specific to your configured user group and will generate alogin event log on the FortiAuthenticator If authentication is unsuccessful, follow the steps in the Chapter Debugging Authentication to identify what is wrong IPSec VPN Note that this guide does not detail how to configure the IPSec VPN or the FortiClient Connect client, only how to enable secure authentication using FortiAuthenticator  For more information on configuring the VPN on FortiGate and the FortiClient Connect client please see the relevant documentation here http://docsfortinetcom/fortigate/admin 
guides This section assumes you have aworking IKE configuration Create User Group In User >User Group ,select Create New  Create agroup called VPN_ Users ,set Type to Firewall ,and under Remote Authentication Servers select Add Select FortiAuthenticator from the drop down list and select OK to save Edit Existing IKE Policy To enable FortiAuthenticator strong two factor authentication, the existing IKE Policy must be configured to enable XAUTH (eXtended AUTHenticationyf7o do this browse to VPN >IPSec >Auto Key (IKEyf and edit the Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 36 IPSec VPN FortiGate Phase 1settings of your VPN (select the radio button of the first entry for your VPN and click Edit yf 37 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiManager Configure the RADIUS Server FortiManager Before proceeding, ensure that you have followed the steps detailed in Basic Configuration Pay particular attention to Configure aRADIUS Client and ensure you have created aNAS entry for the device you will be testing otherwise all authentication attempts will be ignored for security reasons Configure the RADIUS Server Log into the FortiManager GUI and go to System Settings >Admin >Remote Auth Server Select Create New and RADIUS Enter the details of the remote FortiAuthenticator including the shared secret Create the Admin Users In System Settings >  Admin >  Administrator ,select Create New  Enter aname for the config; ifthis is for a single admin user, enter the user name, ifthis is for multiple users, enter ageneric name and select Wildcard Select Auth Type RADIUS and select the RADIUS server you created in the previous step Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 38 Create the Admin Users FortiManager Wildcard authentication will allow authentication from any account on the FortiAuthenticator  To restrict authentication, RADIUS Service Clients can be configured to only 
authenticate specific user groups Testing Attempt to log into the FortiManager GUI with your new credentials The Username and Password used to authenticate will include the 6 digit two factor authentication PIN from your token: Username: johndoe Password: For example, ifthe password was fortinet and the one time PIN was 561555 ,the login would become 39 Two Factor Authentication Interoperability Guide Fortinet Technologies Inc FortiManager Create the Admin Users Successful authentication will provide the user with access to the FortiManager and will generate alogin event log on the FortiAuthenticator If authentication is unsuccessful, follow the steps in Appendix A –Debugging to identify what is wrong As of FortiManager 504, RADIUS Challenge Response is not supported Only Token Appending is supported This will be resolved in afuture release Two Factor Authentication Interoperability Guide Fortinet Technologies Inc 40 Configure the RADIUS Server FortiWeb FortiWeb Before proceeding, ensure that you have followed the steps detailed in Basic Configuration  Pay particular attention to Configure aRADIUS Client and ensure you have created aNAS entry for the device you will be testing otherwise all authentication attempts will be ignored for security reasons FortiWeb, (tested to the latest version at the time 40 MR3 PR6yf does not support challenge response so the Token Appended method should be used Configure the RADIUS Server Log into the FortiWeb GUI and go to User >RADIUS User >RADIUS User The FortiWeb GUI incorrectly refers to RADIUS User whereas this is actually the RADIUS Server (FortiAuthenticatoryf configuration This will be changed in future versions of FortiWeb Select Create New Enter the details of the remote FortiAuthenticator including the shared secret Create an Admin Group In User >Admin Group ,select Create New Enter the Auth Type RADIUS and select the RADIUS server you created in the previous step under the heading user 41 Two Factor Authentication 
Enter the RADIUS server name at this point, not the User Name. This is an error in the GUI and will be rectified in a later release of the FortiWeb GUI.

Create an Admin User

Go to System > Admin > Administrators, and select Create New. Enter the details of the user to be authenticated, set the type to Remote User, set the Admin User Group (as created in the previous step) and select the access profile to use. FortiWeb does not currently support wildcard users or user groups.

Admin Logon

Attempt to log into the FortiWeb GUI, e.g. https://192.168.1.99 (dependent on your settings), with the FortiAuthenticator credentials. The Username and Password used to authenticate will include the 6-digit two-factor authentication PIN from your token:

Username: johndoe
Password:

For example, if the password was fortinet and the one-time PIN was 034032, the login would become:

Successful authentication will provide the user with access to the FortiWeb and will generate a login event log on the FortiAuthenticator. If authentication is unsuccessful, follow the steps in the chapter Debugging Authentication to identify what is wrong.

FortiMail

Before proceeding, ensure that you have followed the steps detailed in Basic Configuration. Pay particular attention to Configure a RADIUS Client and ensure you have created a NAS entry for the device you will be testing; otherwise all authentication attempts will be ignored for security reasons.

Configure the RADIUS Server

Log into the FortiMail GUI, browse to Profile > Authentication and select New. Enter the details of the remote FortiAuthenticator including the FortiAuthenticator IP, Authentication Port (1812), Port, Protocol (authentication scheme) and shared secret.

Create the Admin User

In System
> Administrator, select New. Enter the User Name, set Auth Type to RADIUS and select the RADIUS server you created in the previous step. FortiMail Administrator configuration does not support the use of wildcard users, i.e. those not defined locally. The use of a wildcard "*" for username will not work here.

Admin User Logon

Attempt to log into the FortiManager GUI, e.g. https://192.168.1.99 (depending upon your settings), with your new credentials. The Username and Password used to authenticate will include the 6-digit two-factor authentication PIN from your token:

Username: johndoe
Password:

For example, if the password was fortinet and the one-time PIN was 561555, the login would become:

Successful authentication will provide the user with access to the FortiManager and will generate a login event log on the FortiAuthenticator. If authentication is unsuccessful, follow the steps in the chapter Debugging Authentication to identify what is wrong.

Cisco IOS based switches and routers

The following was tested with a Cisco 2950 switch running IOS 12.1(13). While this should work with other versions and IOS based routers, the command structure on the Cisco IOS is liable to vary between versions, so please consult the Cisco documentation for changes.

Before proceeding, ensure that you have followed the steps detailed in the chapter titled Basic Configuration. Pay particular attention to Configure a RADIUS Client and ensure you have created a NAS entry for the device you will be testing; otherwise all authentication attempts will be ignored for security reasons.

Telnet Authentication

Configure the Cisco switch to allow remote access via Telnet. To do this, enter enable mode on the switch and execute the following to begin editing the configuration:
Switch> en
Enter Password: *********
Switch# conf t
Switch(config)#

Enter the following commands to enable an IP address on the switch and enable telnet management:

Switch(config)# interface Vlan1
Switch(config)# ip address 192.168.0.253 255.255.255.0
Switch(config)# ip default-gateway 192.168.0.1
Switch(config)# no shutdown

Enter the following commands to enable two-factor authentication:

Switch(config)# aaa new-model
Switch(config)# aaa authentication login default group radius
Switch(config)# radius-server host 192.168.0.122 auth-port 1812 key fortinet1234
Switch(config)# radius-server retransmit 3

Attempt to log in to the switch via telnet and you should be presented with a two-factor enhanced login:

telnet 192.168.0.253
User Access Verification
Username: johndoe
Password: fortinet
Please enter token: 721194
Switch>

Notice that the login has dropped the user into the non-privileged admin level, denoted by the >. Enable mode is accessed via the command enable and entering the enable password.

Configure Enable Authorization

To directly authenticate the user into enable mode, it is possible to include an authorization attribute in the RADIUS Access-Accept packet. Cisco uses the following attribute from their standard RADIUS dictionary for this purpose:

Cisco-AVPair = shell:priv-lvl=15

RADIUS attributes can be configured either at the group or the user level. The following example sets this attribute at the group level, but the configuration mechanism is the same for both.

1. Go to Authentication > User Groups > Local and create a new group called Cisco_Admins. Add the required users to this group.
2. Edit the group and select Add Attributes.
3. Set Vendor to Cisco and Attribute ID to Cisco-AVPair.
4. In the Attribute Value field enter shell:priv-lvl=15, which will give full administrative rights to the user. Create a second Attribute with
Vendor set to Default (this is the RADIUS RFC standard dictionaries), Attribute ID set to Service-Type and Attribute Value set to NAS-Prompt-User.

To configure the switch to accept these attributes, enter the following configuration:

Switch(config)# aaa authorization exec default radius

Attempt to login again:

telnet 192.168.0.253
User Access Verification
Username: johndoe
Password: fortinet
Please enter token: 983403
Switch#

Notice that the user is granted the enable (15) privilege level, denoted by #.

Privilege Levels

The default Cisco IOS privilege levels are defined as:

Privilege Level   Result
0                 Seldom used, but includes five commands: disable, enable, exit, help, and logout
1                 User level only (prompt is switch>). The default level for login.
15                Privileged level (prompt is router#), the level after going into enable mode.

Whilst authorization levels 0, 1, and 15 are configured by default, levels 2 to 14 are undefined and can be used to create additional levels by adding and removing specific CLI commands. For example, to specify which commands will exist in privilege level 7, issue the following commands on Switch1 from the console:

Switch1(config)# privilege configure level 7 snmp-server host
Switch1(config)# privilege configure level 7 snmp-server enable
Switch1(config)# privilege configure level 7 snmp-server
Switch1(config)# privilege exec level 7 ping
Switch1(config)# privilege exec level 7 configure terminal
Switch1(config)# privilege exec level 7 configure

This level can then be authorized by creating a separate FortiAuthenticator group, including the required users and specifying the new RADIUS attribute privilege level, e.g. Cisco-AVPair = shell:priv-lvl=7.

Cisco ASA

The following was tested with a Cisco ASA 5520
running ASA version 8.2(1) and ASDM 6.3(5). Whilst this should work with other ASA versions, Cisco firmware is liable to vary between versions, so please consult the Cisco documentation for changes. The configuration of the Cisco ASA device requires the installation of the ASDM management software and/or Oracle Java.

Before proceeding, ensure that you have followed the steps detailed in the chapter titled Basic Configuration. Pay particular attention to Configure a RADIUS Client and ensure you have created a NAS entry for the device you will be testing; otherwise all authentication attempts will be ignored for security reasons.

Configuring System Authentication

Select the relevant ASA device in Device List and then Configuration from the top menu. In Device Management, go to Users/AAA > AAA Server Groups. Under AAA Server Groups select Add. Create a group that the FortiAuthenticator device will later be added to, as shown, and select OK.

Select the Server Group specified in the previous step and, in the Servers in Selected Group window, click Add. Specify the details of the FortiAuthenticator device as shown, taking care to include the correct Pre-Shared Key (Server Secret Key). Once complete, select OK.

The configuration can be validated by selecting the group and the FortiAuthenticator server and selecting Test.

To configure authentication of the Cisco ASA system via FortiAuthenticator two-factor authentication:

1. Go to Device Management > Users/AAA > AAA Access.
2. In the Authentication tab, under Require authentication for the following types of connection, select the mode you wish to employ FortiAuthenticator two-factor authentication for, e.g. HTTP/ASDM Management, as shown.

Configuring Remote Access Authentication

To configure authentication
for Remote Access VPN, the configuration from the previous step is repeated.

1. In Remote Access VPN > AAA/Local Users > AAA Server Groups, select Add and create a group.
2. Create a server and add the server to the group.

To enable two-factor authentication with FortiAuthenticator on the SSL VPN, go to Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and set the required group members to the Authentication Method (RADIUS) and group created in the previous step.

To enable two-factor authentication with FortiAuthenticator on the IPSEC VPN, go to Remote Access VPN > Network (Client) Access > IPSEC Connection Profiles and set the required group members to the Authentication Method (RADIUS) and Group created in the previous step.

Citrix Access Gateway

Before proceeding, ensure that you have followed the steps detailed in the chapter titled Basic Configuration. Pay particular attention to Configure a RADIUS Client and ensure you have created a NAS entry for the device you will be testing; otherwise all authentication attempts will be ignored for security reasons.

Configure the RADIUS Server

Log into the Citrix Access Gateway Management GUI (https://<address>), go to Logon Points and select New. Create a test logon point, e.g. Test1, with Type set to SmartAccess. Select the FortiAuthenticator as the Primary authentication profile as created in the previous section. Optionally configure an authorization profile using the same FortiAuthenticator settings, and select Save.
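Returning to the Cisco IOS authorization attributes above (Cisco-AVPair shell:priv-lvl and Service-Type NAS-Prompt-User), the following Python is an added example, not Fortinet or Cisco code: it builds the RADIUS Access-Accept that carries those attributes and shows the Response Authenticator check a NAS performs before trusting them. The packet identifier and request authenticator are assumed inputs; the shared secret fortinet1234 is the one from the radius-server host line in the Cisco IOS section.

```python
import hashlib
import hmac
import os
import struct

# Added example, not Fortinet or Cisco code: how the authorization attributes
# configured on the FortiAuthenticator group travel inside the RADIUS
# Access-Accept, and how the NAS validates that packet (RFC 2865 format).

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT_USER = 7   # Service-Type value NAS-Prompt-User
CISCO_VENDOR_ID = 9                # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                   # vendor type of Cisco-AVPair


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value."""
    assert len(value) <= 253, "RADIUS attribute value too long"
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) carrying a Cisco-AVPair such as shell:priv-lvl=15."""
    sub = avp(CISCO_AVPAIR, text.encode())
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(identifier: int, request_authenticator: bytes,
                        attributes: list, secret: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = b"".join(attributes)
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + resp_auth + body


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS-side check: a reply failing this was built with the wrong shared
    secret or altered in transit, so its attributes must not be honoured."""
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_header(packet: bytes):
    """(code, identifier, length) from the first four bytes."""
    return struct.unpack("!BBH", packet[:4])


def parse_attributes(packet: bytes) -> list:
    """Decode the attribute list; Cisco VSAs become ("Cisco-AVPair", text)."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2:
            break                                   # malformed attribute, stop
        value = packet[pos + 2:pos + length]
        if (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            sub_type, sub_len = struct.unpack("!BB", value[4:6])
            if sub_type == CISCO_AVPAIR:
                out.append(("Cisco-AVPair", value[6:4 + sub_len].decode()))
        elif attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            out.append(("Service-Type", struct.unpack("!I", value)[0]))
        else:
            out.append((attr_type, value))
        pos += length
    return out


def privilege_level(packet: bytes):
    """Privilege level the IOS device would apply, or None if none was sent."""
    for name, value in parse_attributes(packet):
        if name == "Cisco-AVPair" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None


def demo(level: int = 15, secret: bytes = b"fortinet1234"):
    """Build the reply the Cisco_Admins group configuration produces.
    Identifier 42 and the request authenticator are assumed values; in a real
    exchange both are copied from the NAS's Access-Request."""
    request_authenticator = os.urandom(16)
    packet = build_access_accept(
        identifier=42, request_authenticator=request_authenticator, secret=secret,
        attributes=[cisco_avpair(f"shell:priv-lvl={level}"),
                    avp(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT_USER))])
    return packet, request_authenticator


if __name__ == "__main__":
    pkt, req_auth = demo()
    print(parse_header(pkt), parse_attributes(pkt), privilege_level(pkt),
          verify_response(pkt, req_auth, b"fortinet1234"))
```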
User logon to the Citrix Access Gateway

There are two options for FortiAuthenticator authenticated logon to the Citrix Access Gateway: Token Appended and Challenge Response. Challenge Response is the simplest method for users and is shown below.

Attempt to log into the Citrix Access Gateway User GUI with the user credentials from the FortiAuthenticator. The Username and Password can be entered without the token PIN, e.g.

Username: johndoe
Password:

For example, if the password was fortinet and the one-time PIN was 937543, the login would become:

The FortiAuthenticator detects the missing token PIN and sends a RADIUS challenge, which the Citrix Access Gateway presents to the user. Successful authentication will provide the user with access to the Citrix Access Gateway resource.

As an alternative, a single step login can be made to bypass the challenge using the token appended method, e.g.

Successful authentication will provide the user with access to the Citrix Access Gateway resource and will generate a login event in Monitor > Audit:

192.168.0.254 0xb0409002a18b9b1:johndoe\:Test1: [04/Apr/2012:06:08:41 -0700] "" "" "" Login "NavUI"

If authentication is unsuccessful, follow the steps in Appendix A - Debugging to identify what is wrong.

F5 Big-IP

Before proceeding, ensure that you have followed the steps detailed in the chapter titled Basic Configuration. Pay particular attention to Configure a RADIUS Client and ensure you have created a NAS entry for the device you will be testing; otherwise all authentication attempts will be ignored for security reasons.

The following configuration was performed on an F5 Big-IP Edge
Gateway device; however, given the shared OS, this configuration should also be transferable to other devices in the Big-IP range, including Local Traffic Manager (LTM).

Configure the AAA Server

Log into the F5 Big-IP device, browse to Main > Access Policy > AAA Servers > RADIUS and select the + symbol to add a new configuration. Enter the details of the FortiAuthenticator including IP (Server) Address, port, and secret.

Next go to Main > Access Policy > Access Profiles > Access Profiles List and select the + symbol to add a new configuration. Create a RADIUS resource profile (see the F5 documentation for detailed explanations of this section). This profile binds the RADIUS authentication method to the Logon Page and defines what happens on successful or unsuccessful authentication.

Edit the RADIUS object and define the correct details for the FortiAuthenticator as created in the previous Access Policy step (Server defined as FortiAuth). Note that extended errors may be useful for debugging but should be disabled during normal operation.

Once the RADIUS Authentication method has been defined, it should be configured for use in the Main Access Policy. Additional validation steps can be defined if required. Subsequent attempts to authenticate with token enabled users will result in an additional challenge prompting for the token.

User logon to the F5 Big-IP Management interface

There are two options for FortiAuthenticator authenticated logon to the F5 Big-IP device: Token Appended and Challenge Response. Challenge Response is the simplest method for users and is shown below.

Attempt to log into the F5 Big-IP User GUI with the
user credentials from the FortiAuthenticator. The Username and Password can be entered without the token PIN, e.g.

Username: johndoe
Password:

For example, if the password was fortinet and the one-time PIN was 874463, the login would become:

However, obviously the password would be starred out. The FortiAuthenticator detects the missing token PIN and sends a RADIUS challenge, which the F5 Big-IP presents to the user. Successful authentication will provide the user with access to the F5 Big-IP resource.

As an alternative, a single step login can be made to bypass the challenge using the token appended method, e.g.

If authentication is unsuccessful, follow the steps in the chapter Debugging Authentication to identify what is wrong.

Linux Login

Linux uses Pluggable Authentication Modules (PAM) to extend the usual local authentication methods out to external third party devices. This makes Linux very flexible in how it can be integrated with two-factor authentication. Applications can be configured so that locally accessed services are authenticated via password only, whilst applications accessible over the Internet are authenticated using strong two-factor methods.

The instructions below are for Ubuntu 11.04; however, PAM is fairly standard across all Linux distributions, so the instructions should be usable with only minor changes.

Integrating Linux with RADIUS (FortiAuthenticator)

In order to integrate with RADIUS authentication, and therefore FortiAuthenticator, first you must install the PAM RADIUS module:

$ sudo apt-get install libpam-radius-auth

Once installed, edit /etc/pam_radius_auth.conf. The default configuration will contain the following examples (commented out):

#127.0.0.1      secret          1
#other-server   other-secret    3
To configure the FortiAuthenticator, add an additional line of the same format, e.g.

192.168.0.110   fortinet        3

Enabling Strong Authentication for SSH

Before configuring, make sure that the user you are trying to authenticate already exists on the Linux system. This limitation will be covered in a later section.

To enable two-factor authentication in SSH, edit the file /etc/pam.d/ssh and insert the following lines before the line "# Standard Un*x authentication":

# Enable Two-Factor Authentication with FortiAuthenticator
auth sufficient pam_radius_auth.so debug

Note that the debug option at the end of the line increases the debugging sent to /var/log/auth.log and can be removed once successfully configured.

Attempt to log into SSH using your chosen client with your new credentials. The Username and Password used to authenticate will include the 6-digit two-factor authentication PIN from your token:

Username: johndoe
Password:

For example, if the password was fortinet and the one-time PIN was 947826, the login would become:

login as: johndoe
Password: fortinet947826
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-10-generic i686)
Last login: Mon Aug 22 18:09:18 2011 from 192.168.0.24
[email protected]:~$

Successful authentication will provide the user with access to the system via SSH and will generate a login event log on the FortiAuthenticator. If authentication is unsuccessful, follow the steps in Appendix A - Debugging to identify what is wrong.

Enabling Challenge Response

The configuration described above requires the user to log in with the RADIUS username and the password with the PIN appended. The benefit of this is that it supports almost any system which can authenticate with RADIUS. However, the FortiAuthenticator also supports a challenge response mechanism. When the platform detects that
only the password has been returned, it will respond with a RADIUS Challenge Response and expect the PIN to be returned. This requires the client to support this additional step, which the OpenSSH server does. To configure this step on the SSH server, edit /etc/ssh/sshd_config and change

ChallengeResponseAuthentication no

to

ChallengeResponseAuthentication yes

Restart the SSH server to apply the setting:

$ sudo restart ssh

Apache Web Server

This document details how to enable RADIUS authentication in Apache2 for use with FortiAuthenticator two-factor authentication. If Apache2 is not installed, install it with:

sudo apt-get install apache2

The Ubuntu 11.04 build of Apache2 comes with the mod_auth_radius module installed and enabled; however, if you need to install it manually:

sudo apt-get install libapache2-mod-auth-radius

and enable it with:

a2enmod auth_radius

At this point, confirm that you can browse to the Apache2 server via http://localhost/ or via the IP/FQDN of your test server.

Modifying the Apache configuration

There is a great deal of documentation on the Internet recommending where to place the relevant configuration lines about to be described. However, the majority of this does not appear to work with the current installation of Apache2 on Ubuntu 11.04. The majority of documentation recommends that the RADIUS server configuration is put into /etc/apache2/apache2.conf or /etc/apache2/httpd.conf; however, this does not work and generates an error in /var/log/apache2/error.log:

[warn] AuthRadiusActive set, but no RADIUS server IP - missing AddRadiusAuth in this context?
The following has been tested and confirmed to work correctly. Edit the default site /etc/apache2/sites-enabled/000-default (or your specific server site, if this is configured), adding the RADIUS lines (AddRadiusAuth, AddRadiusCookieValid and the Auth* directives) in the positions shown. These lines sit inside the site's <VirtualHost *:80> block; the <Directory> containers are those of the stock Ubuntu default site:

    ServerAdmin [email protected]
    AddRadiusAuth 192.168.0.110:1812 fortinet 5:3
    AddRadiusCookieValid 5

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        AuthType Basic
        AuthName "FortiAuthenticator Secure Authentication"
        AuthBasicAuthoritative Off
        AuthBasicProvider radius
        AuthRadiusAuthoritative on
        AuthRadiusActive On
        Require valid-user
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

When completed, restart the Apache2 daemon:

sudo /etc/init.d/apache2 restart

Clear the cache on your browser and restart it, to avoid any locally cached content being displayed without the need for authentication. Browse to the web site configured, e.g. http://localhost/, and you should be prompted for your credentials. The Username and Password used to authenticate will include the 6-digit two-factor authentication PIN from your token:

Username: johndoe
Password:

For example, if the password was fortinet and the one-time PIN was 880342, the login would become:

Successful authentication will provide the user with access to the page and will generate a login event log on the FortiAuthenticator. If authentication is unsuccessful, follow the steps in the chapter Debugging Authentication to identify what is wrong. Additional debugging can be performed using the Apache2 logs located in /var/log/apache2. Most useful is error.log, which will display a log entry if the RADIUS server credentials are incorrectly configured.

Appendix A - Debugging

FortiAuthenticator is simple to get working; however,
should you encounter difficulty, there are some simple steps which can be taken to diagnose the problem.

Logging

If authentication is failing on your NAS, the first place to check to see why is the FortiAuthenticator log files.

Bad Password

Try resetting the password if the user insists they have the correct credentials. If this persists, verify that the pre-shared secret is correct on both the NAS and the FortiAuthenticator.

Bad Token Code

This may be due to user error (entering the incorrect Token) or may be caused by time issues. To debug this issue, verify the following:

• Ensure the user is not trying to use a previously used Token number, i.e. you cannot log in twice with the same Token number.
• The time and time zone on the FortiAuthenticator are correct and preferably synchronised using NTP.
• The Token is correctly synced with the FortiAuthenticator. Verify the drift by syncing the token as shown in the Syncing FortiTokens appendix.

Nothing Logged

If there is no failure or successful authentication logged, this will generally be due to one of two things:

1. The request is not reaching the FortiAuthenticator. Verify that any intervening firewalls are permitting the required traffic through the network. RADIUS Authentication traffic will require UDP port 1812 opening to the FortiAuthenticator and pseudo-stateful responses allowed to return.
2. The request is reaching the FortiAuthenticator but is being ignored. If traffic is seen reaching the FAC (e.g. by packet sniffing) but is being ignored, it is most likely that the requesting NAS is not configured in the FortiAuthenticator. Verify that the NAS is sending the traffic from the expected IP and not from a secondary IP or alternative interface. The FortiAuthenticator RADIUS server will not respond to requests from an unknown NAS for security reasons. One other, less likely, possibility is that the NAS_Calling_IP attribute is set to an incorrect value.
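The token-appended versus challenge-response decision described for the Citrix, F5 and SSH logons, together with the Bad Token Code checks above (no PIN re-use, drift absorbed within one 60-second cycle, manual sync from two consecutive PINs as in the Syncing FortiTokens appendix), as an added Python model that is not Fortinet code. The seed and timestamp are constructed values, and an RFC 6238 TOTP with a 60-second step is assumed as a stand-in for the FortiToken algorithm, which this guide does not specify.

```python
import hashlib
import hmac
import struct

# Added example, not Fortinet code. FortiToken's algorithm is not given in
# this guide, so an RFC 6238 TOTP (HMAC-SHA1, 6 digits) with a 60-second cycle
# is assumed as a stand-in; the drift window, PIN re-use rule, challenge
# decision and two-PIN resync follow the behaviour described in the text.

CYCLE = 60   # one token cycle in seconds


def token_pin(seed: bytes, counter: int) -> str:
    """HOTP dynamic truncation (RFC 4226) of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class TokenRecord:
    """Server-side state for one token: seed, stored drift (in cycles) and the
    cycle of the last accepted PIN, so that no PIN is ever accepted twice."""

    def __init__(self, seed: bytes, drift: int = 0):
        self.seed, self.drift, self.last_counter = seed, drift, None

    def verify(self, pin: str, now: float) -> bool:
        """Accept a PIN from the drift-corrected current cycle or +/- 1 cycle,
        move the stored drift to the cycle that matched, and reject re-use."""
        base = int(now // CYCLE) + self.drift
        for delta in (0, -1, 1):
            counter = base + delta
            if hmac.compare_digest(token_pin(self.seed, counter), pin):
                if self.last_counter is not None and counter <= self.last_counter:
                    return False            # one-time password already spent
                self.drift += delta         # drift adjusted on every login
                self.last_counter = counter
                return True
        return False                        # wrong PIN, or drift beyond 1 cycle

    def resync(self, pin1: str, pin2: str, now: float, window: int = 100) -> bool:
        """Manual synchronization from two consecutive PINs: locate them in a
        wide window and set the drift to the token's real position."""
        base = int(now // CYCLE)
        for delta in range(-window, window + 1):
            counter = base + delta
            if (token_pin(self.seed, counter) == pin1
                    and token_pin(self.seed, counter + 1) == pin2):
                self.drift = delta + 1            # counter + 1 is the token's cycle now
                self.last_counter = counter + 1   # both PINs are spent: wait a cycle
                return True
        return False


def radius_decision(rec: TokenRecord, password: str, submitted: str,
                    now: float, challenge_pin=None) -> str:
    """Outcome of one RADIUS request for a token-enabled user.
    Token appended (password + 6-digit PIN) -> Access-Accept or Access-Reject.
    Password only                           -> Access-Challenge (ask for PIN).
    Reply to the challenge (challenge_pin)  -> Access-Accept or Access-Reject."""
    if challenge_pin is not None:
        return "Access-Accept" if rec.verify(challenge_pin, now) else "Access-Reject"
    head, tail = submitted[:-6], submitted[-6:]
    if head == password and tail.isdigit() and rec.verify(tail, now):
        return "Access-Accept"
    if submitted == password:
        return "Access-Challenge"
    return "Access-Reject"


if __name__ == "__main__":
    # Constructed seed and time, not a real FortiToken.
    seed, now = b"constructed-seed-not-a-real-fortitoken", 1_700_000_000.0
    rec = TokenRecord(seed)
    pin = token_pin(seed, int(now // CYCLE))
    print(radius_decision(rec, "fortinet", "fortinet" + pin, now))   # Access-Accept
    print(radius_decision(rec, "fortinet", "fortinet" + pin, now))   # Access-Reject (re-use)
    print(radius_decision(rec, "fortinet", "fortinet", now + CYCLE))  # Access-Challenge
```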
Extended Logging

The standard GUI logs found in Logging > Log Access > Logs provide a concise summary of events occurring on the system, particularly the information needed for audit purposes (who logged in, when, and where from). However, there are times when a more detailed view is required in order to debug issues. Detailed system and application logs can be found by browsing to https://<FortiAuthenticator address>/debug/. There are several log files, as detailed below:

FSSO Agent   Details of Fortinet Single Sign On events
GUI          Errors encountered whilst rendering the appliance GUI
HA           Details of and errors in the HA process
LDAP         Details of the LDAP authentication process for both local and remote connections
RADIUS       Details of the RADIUS authentication process
Startup      Errors during creation of the initial database and during the system startup
Web Server   Errors encountered by the web server

RADIUS Packet Generation

Testing authentication directly without the use of a NAS device is useful to rule out issues with the NAS device. This is most easily achieved by using a tool such as NTRADPing.

Appendix B - Supported Two Factor Authentication Methods

Columns: Direct = FortiToken Direct; Appended = FortiAuthenticator (Token Appended); Challenge = FortiAuthenticator (Token Challenge); Wildcard = Wildcard Users. yes = supported, no = not supported.

Product / Feature                              Direct   Appended   Challenge   Wildcard

FortiGate 5.4.0 (tested on FortiGate 5.4.0 and FortiClient 5.4.0)
  NAT/Route Mode
    Web Based Management
    SSH Based Management
    Telnet Management
    IPsec VPN (FortiClient)
    SSL VPN (Web)
    SSL VPN (FortiClient)
    Identity Based Policy
    Web Filtering Override
  Explicit Proxy
    Identity Based Policy (Basic Auth)
    Identity Based Policy (Forms Auth)
    Web Filtering Override
  [support markings for the FortiGate rows not recoverable from this copy]
Product / Feature                              Direct   Appended   Challenge   Wildcard

FortiGate 5.2.x (tested on FortiGate 5.2.4 GA and FortiClient 5.4.0)
  NAT/Route Mode
    Web Based Management
    SSH Based Management
    Telnet Management
    IPsec VPN (FortiClient)
    SSL VPN (Web)
    SSL VPN (FortiClient)
    Identity Based Policy
    Web Filtering Override
  Explicit Proxy
    Identity Based Policy (Basic Auth)
    Identity Based Policy (Forms Auth)
    Web Filtering Override
  [support markings for the FortiGate rows not recoverable from this copy]

FortiManager (tested on FortiManager 5.0.4)
    Web Based Management                       no       yes        no          yes (1)
    SSH Based Management                       no       yes        no          yes (1)
    Telnet Management                          no       yes        no          yes (1)

FortiAnalyzer (tested on FortiAnalyzer 4.0 MR3 PR1)
    Web Based Management                       no       yes        no          no
    SSH Based Management                       no       yes        no          no
    Telnet Management                          no       yes        no          no

FortiMail (tested on FortiMail 4.0 MR3 GA)
    Web Based Management                       no       yes        no          no
    SSH Based Management                       no       yes        no          no
    Telnet Management                          no       yes        no          no

FortiWeb (tested on FortiWeb 4.0 MR3 PR6)
    Web Based Management                       no       yes        no          no
    SSH Based Management                       no       yes        no          no
    Telnet Management                          no       yes        no          no

Citrix Access Gateway (tested on Citrix Access Gateway 5.0)
    Web Based Management                       no       yes        yes         yes
    SSH Based Management                       no       yes        yes         yes
    Web Based User Authentication              no       yes        yes         yes

Cisco ASA (tested on Cisco ASA 8.2(1))
    Web Based Management                       no       yes        yes         yes
    SSH Based Management                       no       yes        yes         yes
    SSL VPN                                    no       yes        yes         yes
    IPsec VPN                                  no       yes        yes         yes

F5 BIG-IP EG (tested on TMOS 11.2.1)
    Web Based Management                       no       yes        yes         yes
    SSH Based Management                       no       yes        yes         yes

SSH (tested on OpenSSH
version 5.8p1)
    SSH Login                                  no       yes        yes         yes

Apache (tested on Apache 2.2.17)
    Web Authentication                         no       yes        yes         yes

Tested with FortiAuthenticator 4.1 GA.
(1) Mantis 02 22003: Wildcard supported but only with Token Appended.

Appendix C - Syncing FortiTokens

Under most circumstances, it is not necessary to synchronize a FortiToken unless the time on the host FortiAuthenticator system has been allowed to deviate from the correct time. It is essential that the time is kept accurate at all times to prevent issues occurring, so configuration of an NTP server is recommended.

Under normal operation, the natural drift of the time on the FortiToken (as found in all clocks) is accounted for automatically by the FortiAuthenticator. Every time a user logs in, the FortiAuthenticator calculates the drift and, if it is within +/- 1 (where 1 is a token cycle of 60 seconds), the drift is adjusted accordingly. Should the drift deviate by greater than 1 (i.e. the clock is more than 60 seconds out) since the last login, a manual synchronization is required. If this is required for several tokens, it is an indicator that the time may be inaccurate on the FortiAuthenticator. Verify the current time and the NTP settings.

Administrator Synchronization

It is possible for the administrator to synchronize a token for use on the FortiAuthenticator, and it is sometimes advisable when issuing new tokens which have been held in storage for an extended period or are being reissued. If this is required for several tokens, it is an indicator that the time may be inaccurate on the FortiAuthenticator. Verify the current time and the NTP settings.

Go to Authentication > FortiTokens and mouse over the required token drift category. An option to sync will appear. Select Sync and follow the instructions to input two consecutive Token PINs. Key points to note during the synchronization process are:
• Ensure that the FortiAuthenticator time is accurate before proceeding.
• Ensure the serial of the token you are trying to synchronize matches that on the reverse of the token.
• Ensure that the token has not been used in the preceding 60 seconds. All tokens are one-time passwords and cannot therefore be used both to authenticate (successfully or otherwise) and to synchronize.
• Once successfully synchronized, wait a further 60 seconds before attempting to log in. A token used to synchronize cannot be re-used to authenticate.

User Synchronization

Should it be required, FortiAuthenticator provides a mechanism for the user to perform their own manual synchronization. The user should be allowed to access the FortiAuthenticator WebUI, e.g. https://<FortiAuthenticator address>/login/. On logging into the FortiAuthenticator, the user will be prompted to enter their token PIN. If the token PIN is out of sync, they will be prompted to enter two consecutive PINs. If the user receives no such prompt, the token is already correctly synchronized.

Copyright © 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with apurchaser that expressly warrants that the identified product will perform according tocertain expressly identified performance metrics and, insuch event, only the specific performance metrics expressly identified insuch binding written contract shall be binding on Fortinet For absolute clarity, any such warranty will be limited toperformance inthe same ideal conditions as inFortinet’s internal lab tests Inno event does Fortinet make any commitment related tofuture deliverables, features, ordevelopment, and circumstances may change such that any forward looking statements herein are not accurate Fortinet disclaims infull any covenants, representations,and guarantees pursuant hereto, whether express orimplied Fortinet reserves the right tochange, modify, transfer, orotherwise revise this publication without notice, and the most current version ofthe publication shall be applicable
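The drift handling that Appendix C describes (automatic correction within +/- 1 cycle at each login, manual resynchronization from two consecutive PINs, and no re-use of a PIN that was already consumed) can be modelled in a few dozen lines. The block below is an added illustration, not Fortinet's code and not a specification of FortiToken's actual algorithm: it assumes a standard RFC 4226 HMAC-SHA1 one-time password with a 60-second cycle, a per-token drift counted in cycles, and a resync search window of one day. The secret (the RFC 4226 test key), the timestamps and the window sizes are constructed values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Tuple

STEP_SECONDS = 60        # one token cycle, as stated in the appendix (assumed TOTP-style time step)
AUTO_DRIFT_LIMIT = 1     # drift is corrected automatically only within +/- 1 cycle
RESYNC_WINDOW = 60 * 24  # manual resync searches +/- one day of cycles (constructed value)
SECRET = b"12345678901234567890"  # RFC 4226 test key, used here only as a constructed seed


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def simulate_token(secret: bytes, token_clock: int) -> str:
    """What a hardware token whose own clock reads token_clock would display."""
    return hotp(secret, token_clock // STEP_SECONDS)


@dataclass
class TokenRecord:
    """Server-side state for one token: seed, measured drift in cycles, last cycle consumed."""
    secret: bytes
    drift: int = 0          # new tokens start at drift 0, as the guide states
    last_counter: int = -1  # highest counter already accepted; blocks PIN re-use


def token_counter(now: int, drift: int) -> int:
    """Cycle the token is expected to be showing at server time now, given its drift."""
    return now // STEP_SECONDS + drift


def verify(rec: TokenRecord, code: str, now: int) -> Tuple[bool, str]:
    """Login check: accept a PIN within +/- AUTO_DRIFT_LIMIT cycles of the expectation and
    fold the observed offset into the stored drift.  Anything further out needs a resync."""
    code = code.strip()
    expected = token_counter(now, rec.drift)
    for offset in range(-AUTO_DRIFT_LIMIT, AUTO_DRIFT_LIMIT + 1):
        ctr = expected + offset
        if hmac.compare_digest(hotp(rec.secret, ctr), code):
            if ctr <= rec.last_counter:
                return False, "replay: this PIN was already used"
            rec.drift += offset  # "the drift is adjusted accordingly"
            rec.last_counter = ctr
            return True, f"ok (offset {offset:+d}, drift now {rec.drift})"
    return False, "out of window: manual synchronization required"


def resync(rec: TokenRecord, pin1: str, pin2: str, now: int) -> Tuple[bool, str]:
    """Manual synchronization from two consecutive PINs.  On success the drift is reset and
    both counters are burned, so the PINs used to sync cannot be re-used to authenticate."""
    pin1, pin2 = pin1.strip(), pin2.strip()
    base = now // STEP_SECONDS
    for ctr in range(base - RESYNC_WINDOW, base + RESYNC_WINDOW + 1):
        if hmac.compare_digest(hotp(rec.secret, ctr), pin1) and \
           hmac.compare_digest(hotp(rec.secret, ctr + 1), pin2):
            rec.drift = ctr + 1 - base   # token is at ctr+1 when the second PIN is entered
            rec.last_counter = ctr + 1
            return True, f"synchronized, drift set to {rec.drift}"
    return False, "no consecutive match inside the resync window"


if __name__ == "__main__":
    now = 1_000_000  # constructed server time
    rec = TokenRecord(secret=SECRET)
    print(verify(rec, simulate_token(SECRET, now + 60), now))    # one cycle fast: auto-corrected
    print(verify(rec, simulate_token(SECRET, now + 60), now))    # same PIN again: rejected
    slow = TokenRecord(secret=SECRET)
    print(verify(slow, simulate_token(SECRET, now - 300), now))  # five cycles slow: needs resync
    print(resync(slow, simulate_token(SECRET, now - 300), simulate_token(SECRET, now - 240), now))
    print(verify(slow, simulate_token(SECRET, now - 240), now))  # sync PIN cannot log in
    print(verify(slow, simulate_token(SECRET, now - 180), now + 60))
```

Two design points follow the appendix directly: the narrow +/- 1 cycle window at login is what keeps a slowly drifting clock usable without an unbounded search on every authentication, and burning the resync counters is what enforces the "wait a further 60 seconds" rule, since the next acceptable PIN is the one after the second sync PIN.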