Anyone using FortiGate with RSA SecurID?

Question

I have successfully setup our FortiGate with RSA SecureID for SSL VPN however I cannot have more then one type of SSL VPN portal (full access, web access etc).    Fortinet explains that in order to have fortigate to communicate with the RSA SecurID server you must create a RADIUS connection (client) to your RSA Server.  Then create a Local Group that uses RADIUS as a Remote Server.  Under Remote Servers there is the ability to specify the Group in the RADIUS server but I cannot get this function to work.  If I change the current value from " Any"  to a specified DN all SSL authentication fails.    Is there an attribute that my RSA server needs to send back to my fortigate?  I know that some vendors have values that they are expecting back to perform validation.    My use case is the following:  If user A belongs in Group A they get the full access SSL page  If user B belongs in Group B they get the web access SSL page    Both users require 2 factor authentication with RSA SecurID.      Help!

Jeff_FTNT · Accepted Answer

Set up your RSA server support   RADIUS VSA  for Fortinet  ############  VENDORFortinet12356    BEGIN-VENDOR Fortinet  ATTRIBUTEFortinet-Group-Name1string  ATTRIBUTEFortinet-Client-IP-Address2ipaddr  ATTRIBUTEFortinet-Vdom-Name3string  ATTRIBUTEFortinet-Client-IPv6-Address4octets  ATTRIBUTEFortinet-Interface-Name5string  ATTRIBUTEFortinet-Access-Profile6string    #  # Integer Translations  #    END-VENDOR Fortinet  ######  Send back " Fortinet-Group-Name "   to FGT, FGT use it to do group match and match policy with different SSL VPN portal. Hope it is helpful.

Dinesh_FTNT · Answer

Hi,The below document will be helpful on configuring two factor with RAS ACE (Secure ID) servers (page-36). http://docs.fortinet.com/...ate-authentication.pdf

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded