Technical Tip: Chained token authentication with remote RADIUS server
Description
This article describes the use of RADIUS Chained Authentication in FortiAuthenticator where 3rd Party Multi-Factor Authentication tokens can be used as 2FA.
Scope
FortiAuthenticator.
Solution
RADIUS Chained Authentication is useful for providing and integrating FortiAuthenticator services in an environment where 3rd Party Multi-Factor Authentication tokens are already widely deployed.
The authentication flow will be as follows, using FortiClient as a VPN login:
FortiClient <SSL> FortiGate <RADIUS> FortiAuthenticator <LDAP> LDAP server (user database)
After the LDAP server accepts the username and password, FortiAuthenticator replies to the RADIUS client with an Access-Challenge, because this configuration expects a 3rd-party token code as the second factor. The client answers with a new Access-Request that carries the token answer (the OTP). FortiAuthenticator then sends its own Access-Request containing that OTP to the remote RADIUS server and expects an Access-Accept in return before it returns Access-Accept to the RADIUS client.
For instance, chained authentication can be used for administrative access to a FortiGate: FortiAuthenticator validates the username and password against the remote LDAP server and relies on the RSA server for token validation only.
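The exchange above, modelled end to end as an added example. This is illustration code, not FortiAuthenticator or FortiGate code: an in-memory directory stands in for the LDAP server, an in-memory OTP table stands in for the 3rd-party (e.g. RSA) RADIUS server, and RADIUS packets are represented as dicts keyed by attribute name. All usernames, passwords and OTP values are constructed. The model also shows the two checks a practitioner relies on in this flow: the State attribute that ties the second Access-Request to the first, and the fact that the remote token server only ever sees the OTP, never the LDAP password. The optional group restriction from the realm settings is modelled by the `chained_groups` parameter (an assumption of this model, not a FortiAuthenticator API).

```python
import secrets

# Constructed sample directory and token data; not from any real deployment.
LDAP_USERS = {                       # username -> (password, group)
    "alice": ("Winter2024!", "vpn-users"),
    "bob":   ("Autumn2024!", "helpdesk"),
}
TOKEN_SERVER_OTPS = {"alice": "482913"}   # username -> OTP the token server currently accepts


def ldap_bind(username, password):
    """Stand-in for the LDAP user-source check; returns the user's group on success, None otherwise."""
    entry = LDAP_USERS.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def remote_radius_auth(request):
    """Stand-in for the 3rd-party token server: it validates only the OTP it receives."""
    if TOKEN_SERVER_OTPS.get(request["User-Name"]) == request.get("User-Password"):
        return {"Code": "Access-Accept"}
    return {"Code": "Access-Reject"}


class ChainedAuthenticator:
    """Models a FortiAuthenticator realm with chained token authentication enabled."""

    def __init__(self, chained_groups=None):
        # None models "chain every user"; a set models the optional per-group selection (assumed name).
        self.chained_groups = chained_groups
        self.pending = {}   # State value -> username that passed LDAP and still owes an OTP

    def handle(self, request):
        """Entry point for every Access-Request from the RADIUS client (the FortiGate)."""
        if request.get("Code") != "Access-Request":
            return {"Code": "Access-Reject"}
        if "State" not in request:
            return self._first_leg(request)
        return self._second_leg(request)

    def _first_leg(self, request):
        user = request.get("User-Name", "")
        group = ldap_bind(user, request.get("User-Password", ""))
        if group is None:
            return {"Code": "Access-Reject", "Reply-Message": "LDAP authentication failed"}
        if self.chained_groups is not None and group not in self.chained_groups:
            return {"Code": "Access-Accept"}   # group not selected for chaining: password alone suffices
        state = secrets.token_hex(16)          # opaque handle the client must echo back with the OTP
        self.pending[state] = user
        return {"Code": "Access-Challenge", "State": state, "Reply-Message": "Enter token code"}

    def _second_leg(self, request):
        user = self.pending.pop(request["State"], None)   # pop: a State can be answered exactly once
        if user is None or user != request.get("User-Name"):
            return {"Code": "Access-Reject", "Reply-Message": "Unknown or expired challenge"}
        # Only the OTP is forwarded; the LDAP password never reaches the token server.
        proxied = {"Code": "Access-Request", "User-Name": user,
                   "User-Password": request.get("User-Password", "")}
        if remote_radius_auth(proxied)["Code"] == "Access-Accept":
            return {"Code": "Access-Accept"}
        return {"Code": "Access-Reject", "Reply-Message": "Token rejected by remote RADIUS server"}


def vpn_login(fac, username, password, otp):
    """Drives the exchange from the RADIUS client's side; returns the final RADIUS code."""
    first = fac.handle({"Code": "Access-Request", "User-Name": username, "User-Password": password})
    if first["Code"] != "Access-Challenge":
        return first["Code"]
    second = fac.handle({"Code": "Access-Request", "User-Name": username,
                         "User-Password": otp, "State": first["State"]})
    return second["Code"]


if __name__ == "__main__":
    fac = ChainedAuthenticator()
    print(vpn_login(fac, "alice", "Winter2024!", "482913"))   # Access-Accept
    print(vpn_login(fac, "alice", "Winter2024!", "000000"))   # Access-Reject
```

The practical point the model makes visible: the RADIUS client in front of FortiAuthenticator must be able to handle an Access-Challenge and send the State attribute back with the second request, otherwise the chain stops after the LDAP step. A State value that is reused, or that does not belong to the user presenting it, is rejected rather than re-prompted.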
RADIUS Chained Authentication can be created under the FortiAuthenticator Realm.
- Go to Authentication -> User Management -> Realms and create a new entry. Enter the following information:
- Provide a name.
- For User source, select the LDAP server from the drop-down menu.
- Enable 'Chained token authentication with remote RADIUS server'.
- Select the 3rd-party token server (for example the RSA server) that was previously added as a remote RADIUS server.

- Optionally, restrict chained token authentication to selected groups; users outside those groups are authenticated against the LDAP server only.
