This section describes how to integrate FortiGate Remote Access Admin UI with RSA Cloud Authentication service using RADIUS.
Configure RSA Cloud Authentication Service
Perform these steps to configure RSA Cloud Authentication Service.
Procedure
- In the RSA Cloud authentication service section, go to RSA Cloud Tenant Admin GUI > Authentication Clients > RADIUS > Add RADIUS Clients and Profiles.
- Enter the IP address.
- Enter the Shared Secret.
- Clear the Message Authenticator attribute checkbox, because FortiGate does not include this attribute in the authentication requests it sends.
Note: Complete the rest of the configuration according to your required setup.
Configuration is complete.
Configure FortiGate Admin Access UI using RADIUS.
This section describes how to integrate FortiGate Remote Access Admin Access UI with RSA Authentication Manager using RADIUS.
Procedure
- In the FortiGate Admin UI, go to Users & Authentication > RADIUS Servers > New.
- Enter the IP address of the RSA Authentication Manager or, if you are using RSA Cloud Authentication Service, the management IP of the RSA Identity Router, and enter the shared secret.
Note: You can enter up to three servers if you have replicas or three identity routers. The secondary server can be configured in the GUI, but the tertiary server can only be configured from the CLI, as follows:
    FEIRDUFG02 # config user radius
    FEIRDUFG02 (radius) # edit RSA-AM
    FEIRDUFG02 (RSA-AM) # set tertiary-server 10.65.65.50
    FEIRDUFG02 (RSA-AM) # set tertiary-secret support1!
    FEIRDUFG02 (RSA-AM) # end
- Go to User & Authentication > User Groups and create a user group that maps to the RADIUS server.
- In Remote Groups, click Add to add the corresponding RADIUS server.
- Go to System > Administrators > Create New > Administrator.
- In the Username field, enter the name that matches the user in RSA's identity source.
- In the Type field, select either Match a User on Remote Server Group or Match All Users on Remote Server Group.
- In the Administrator profile section, select the required profile.
- In the Remote User Group section, select the previously configured group.
- Connect to the FortiGate CLI over SSH and run the following two commands to set the timeout and retries for authentication (make sure you are in the required VDOM). This timeout is the time in seconds between re-sending authentication requests.
Note: You can configure this setting based on your requirements; it governs the retries FortiGate sends to the RSA server. To account for potential packet loss and network issues, consider setting it to half of the maximum waiting time, which FortiGate calls remoteauthtimeout. The maximum waiting time is described below, after the two examples.
Set timeout to 15 or 30 seconds (half of the remoteauthtimeout value chosen below); the example uses 15:
    FEIRDUFG02 # config user radius
    FEIRDUFG02 (radius) # edit RSA-On_Prem
    FEIRDUFG02 (RSA-On_Prem) # set timeout 15
    FEIRDUFG02 (RSA-On_Prem) # end
Note: If you are using RSA Cloud Authentication Service as the RADIUS server, apply the same setting (15 or 30) to that server entry:
    FEIRDUFG02 # config user radius
    FEIRDUFG02 (radius) # edit RSA_Cloud_IDR
    FEIRDUFG02 (RSA_Cloud_IDR) # set timeout 15
    FEIRDUFG02 (RSA_Cloud_IDR) # end
Note: The setting Maximum Waiting Time specifies the maximum duration the system will wait for a valid token code to be entered before closing the connection, regardless of whether the token code remains valid for a longer period. This timeout also impacts other authentication protocols, such as LDAP.
- If you are using RSA Authentication Manager with PIN-Approve or RSA Cloud Authentication Service with methods such as Biometrics/Approve, it can be set as 60.
- If you are only using OTP with any of them, without Biometrics/Approve then it can be set as 30.
Set remoteauthtimeout to 60 or 30 seconds as chosen above; the example uses 60:
    FEIRDUFG02 # config sys global
    FEIRDUFG02 (global) # set remoteauthtimeout 60
    FEIRDUFG02 (global) # end
- Run the following commands so that FortiGate uses the access profile returned by RSA for authorization.
Note: RSA may return a profile that differs from the one assigned locally. The following configuration is what is required on the FortiGate side.
    FEIRDUFG02 # config sys admin
    FEIRDUFG02 (admin) # edit RSA_AM
    FEIRDUFG02 (RSA_AM) # set accprofile-override enable
    FEIRDUFG02 (RSA_AM) # end
- Go to Configuration in RSA Authentication Manager.
- Select RSA Security Console > RADIUS > RADIUS Profile > Add New.
- Add the Fortinet-Access-Profile attribute to return the required access profile after successful authentication.
Note: (Optional) You can also return Fortinet-Group-Name if the Fortinet remote user group requires it. See the following configuration as an example. (Prerequisite: an existing RADIUS model "Fortinet" must be in use by a RADIUS client.)
- Go to Configuration in RSA Cloud Authentication Service.
- Select Authentication Clients > RADIUS > FortiGate RADIUS Client > RADIUS Profile.
- Add the Fortinet-Access-Profile attribute to return the required access profile after successful authentication.
Note: (Optional) You can also return Fortinet-Group-Name if the Fortinet remote user group requires it. See the following configuration as an example.
- Click Save and Publish.
Configuration is complete.
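The profile and group that RSA returns travel in Fortinet vendor-specific attributes inside the RADIUS Access-Accept; this added example (not part of the RSA or Fortinet guide) encodes those two attributes, verifies the reply's Response Authenticator against the shared secret, and decodes them the way a FortiGate with accprofile-override enabled would consume them. It assumes the public Fortinet RADIUS dictionary (vendor ID 12356, Fortinet-Group-Name = 1, Fortinet-Access-Profile = 6) and uses a constructed secret, Request Authenticator and profile/group values.

```python
import hashlib
import struct

# Added example, not from the RSA/Fortinet guide. Vendor ID and sub-attribute
# numbers come from the public Fortinet RADIUS dictionary.
FORTINET_VENDOR = struct.pack("!I", 12356)
FORTINET_VSA_NAMES = {1: "Fortinet-Group-Name", 6: "Fortinet-Access-Profile"}
ATTR_VENDOR_SPECIFIC = 26
CODE_ACCESS_ACCEPT = 2

def fortinet_vsa(sub_type, value):
    """Encode one Fortinet VSA as RADIUS attribute 26 (Vendor-Specific)."""
    data = value.encode()
    body = FORTINET_VENDOR + struct.pack("!BB", sub_type, 2 + len(data)) + data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_access_accept(ident, request_auth, secret, attrs):
    """Access-Accept whose Response Authenticator = MD5(header|ReqAuth|attrs|secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_access_accept(pkt, request_auth, secret):
    """Check the reply against the shared secret, then return the Fortinet VSAs."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    attrs = pkt[20:length]
    expected = hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest()
    if code != CODE_ACCESS_ACCEPT or pkt[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and value[:4] == FORTINET_VENDOR and len(value) >= 6:
            sub_type, sub_len = value[4], value[5]
            name = FORTINET_VSA_NAMES.get(sub_type, f"Fortinet-VSA-{sub_type}")
            found[name] = value[6:4 + sub_len].decode()
        pos += alen
    return found

# Constructed sample: made-up shared secret and Request Authenticator, carrying the
# profile and group an RSA RADIUS profile would be configured to return.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE = build_access_accept(7, REQ_AUTH, SECRET,
                             fortinet_vsa(6, "super_admin") + fortinet_vsa(1, "RSA_Admins"))
```

Running parse_access_accept(SAMPLE, REQ_AUTH, SECRET) yields both attributes; the same packet checked with a different secret is rejected, which is the check that protects the FortiGate from a spoofed Access-Accept.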