Solution:
Topology:
Recommended Firmware Versions:
- FortiOS v7.4.8, v7.6.5 and later.
- FortiAuthenticator v6.6.4, v8.0.0 and later.
- FortiClient Windows v7.2.4 and later.
- FortiClient Linux/MacOS v7.2.5 and later.
Other versions are also supported depending on the feature set used; see this article: Technical Tip: Required firmware/software versions for using FortiToken Mobile or OTP MFA with Forti....
FortiAuthenticator Configuration:
- Purchase a FortiToken Mobile License and import it to FortiAuthenticator, see FortiToken Mobile licenses.
Note: If using FortiTokens assigned on FortiIdentity Cloud instead, acquire a FortiIdentity Cloud license and ensure FortiAuthenticator is registered to the same FortiCare account, see FortiIdentity Cloud Quickstart Guide. The configuration below assumes FortiToken Mobile is in use, but the steps are similar for FortiToken Cloud.
- Configure Public IP for FortiToken Mobile push.
Go to System -> System Access. Under the 'GUI Access' section, enter the Public IP/FQDN that will be used to receive FortiToken push approvals.

- Go to Authentication -> RADIUS Service -> Clients -> Create New. Configure the RADIUS Authentication client.
Note the IP/hostname and shared secret for configuring on FortiGate later.
- On FortiAuthenticator, configure a Domain Controller as an LDAP Remote Authentication Server and join FortiAuthenticator to the Active Directory Domain. This requires an Active Directory credential.
Go to Authentication -> Remote Auth. Servers -> LDAP -> Select 'Create New'. Configure the LDAP server with 'Windows Active Directory Domain Authentication' enabled.
 Note: Because the FortiGate will have FortiAuthenticator configured as a RADIUS server rather than an LDAP server, there is no need to configure Authentication -> LDAP Service on FortiAuthenticator.
Related Articles:
- Technical Tip: Joining FortiAuthenticator in the active directory as a machine entity
- Troubleshooting Tip: FortiAuthenticator error: Failed to join Windows AD network: Domain Name
- Technical Tip: Join FortiAuthenticator to Windows AD with non-administrator account configured with ...
- Verify FortiAuthenticator domain join was successful.
Go to Monitor -> Authentication -> Windows AD. The Active Directory Server entry should show 'joined domain, connected'.
- Import Active Directory User(s). This step is required to assign an OTP authentication method.
Go to User Management -> Remote Users -> Select 'Import'.
Select the Remote LDAP server and the 'Import Users' action.
 The import users dialogue opens. Select LDAP user(s) to import. Select 'OK'.

- Edit imported remote LDAP user(s) and assign FortiToken.
 Note: a FortiToken activation email or SMS will be sent to the user's configured email address or phone number, depending on the activation delivery method.
- Create a User group and assign imported remote LDAP user(s).
Go to Authentication -> User Management -> User Groups -> Create New. Select 'Remote LDAP' as the group Type. Select the required user(s) to add to the group.
 Optionally, create a RADIUS attribute for FortiGate user group matching. 'FGTVM-HV_ADMIN_VPN_ACCESS' is used in this example.

- Go to Authentication -> User Management -> Realms. Select 'Create New'.
Select the Remote LDAP Server as the User source.

- Go to Authentication -> RADIUS Service -> Policies. Select Create New.
See Policies for FortiAuthenticator RADIUS Policy configuration options.
In the Authentication type, enable EAP-GTC and EAP-MSCHAPv2.
 In Identity sources, select the configured realm. Enable 'Use Windows AD Domain Authentication'.
 Note: If performing user group matching on FortiGate, the Group filter must be assigned in Identity sources in order to return the group's RADIUS attributes for the user. See Creating a RADIUS Policy.
In Authentication factors, ensure 'All configured password and OTP factors', 'Allow FortiToken Mobile push notifications', and 'Allow OTP for EAP-MSCHAPv2 Authentication with FortiClient' are enabled.

FortiGate Configuration:
- Configure FortiAuthenticator as a RADIUS server on FortiGate. Use the same shared secret configured earlier when configuring the RADIUS client on FortiAuthenticator.
 Edit the RADIUS configuration in CLI and set a longer timeout to allow time for MFA.
config user radius
edit "FAC"
set server "10.250.0.21"
set secret ENC <>
set timeout 120
set source-ip "10.250.0.1"
set require-message-authenticator disable
next
end
- Configure the remote authentication timeout with sufficient time for a user to perform MFA.
config system global
set remoteauthtimeout 120
end
- Configure a user group on FortiGate referencing the RADIUS server.
If a Fortinet-Group-Name RADIUS attribute was configured on FortiAuthenticator, enter its value as the Remote Group 'Group Name'. Otherwise, leave the field blank.
GUI:
CLI:
config user group
edit "VPN Admin General Access"
set member "FAC"
config match
edit 1
set server-name "FAC"
set group-name "FGTVM-HV_ADMIN_VPN_ACCESS"
next
end
next
end
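Before building the tunnel, it is worth confirming from the FortiGate CLI that the RADIUS server "FAC" accepts credentials and returns the expected group attribute. The following commands are an added check, not part of the original article; the username and password are placeholders, and the test user is assumed to be one of the imported AD users with a FortiToken assigned (the MFA prompt is expected to apply to this test as well, so allow the configured timeout for the push approval or OTP).

```fortios
# Added verification example (not from the original article).
# Authenticate a test user against the "FAC" RADIUS server using MSCHAPv2,
# the method used by the IKEv2 EAP dial-up tunnel.
diagnose test authserver radius FAC mschap2 <ad-username> <password>

# A successful test reports authentication success and lists the group
# membership(s) returned by FortiAuthenticator, which should include
# FGTVM-HV_ADMIN_VPN_ACCESS when the RADIUS attribute was configured on the
# user group and the Group filter was set on the RADIUS policy.

# If the test fails or the group is missing, enable fnbamd debugging while
# re-running the test to see the RADIUS exchange and timeout behaviour.
diagnose debug application fnbamd -1
diagnose debug enable
diagnose test authserver radius FAC mschap2 <ad-username> <password>
diagnose debug disable
diagnose debug reset
```

Running the test while watching the RADIUS policy events on FortiAuthenticator (Logging -> Log Access -> Logs) shows both sides of the exchange and makes a shared-secret mismatch or a missing Group filter easy to spot.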
- Configure an IKEv2 dial-up IPsec tunnel with EAP authentication enabled. Configure a firewall policy for VPN users. See Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA for an example tunnel and firewall policy configuration.
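The referenced article is not reproduced here. As an added example that is not from the original page or the linked article, the FortiOS CLI below shows a minimal IKEv2 dial-up phase1/phase2 with EAP enabled and authorization restricted to the user group configured above. It assumes the WAN interface is "port1", the LAN interface is "port2", and that the client address pool 10.10.10.0/24 is free for VPN use; the proposals are one reasonable choice, not the only one.

```fortios
# Added example (not from the original article). Assumptions: WAN "port1",
# LAN "port2", VPN client pool 10.10.10.1-10.10.10.100.
config vpn ipsec phase1-interface
    edit "VPN-DIALUP-EAP"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        # EAP hands the user credential to the "FAC" RADIUS server via the
        # group below; only members of that group may bring up the tunnel.
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN Admin General Access"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.100
        set ipv4-netmask 255.255.255.0
        set psksecret <>
    next
end

config vpn ipsec phase2-interface
    edit "VPN-DIALUP-EAP"
        set phase1name "VPN-DIALUP-EAP"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

config firewall address
    edit "VPN-CLIENT-POOL"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Firewall policy for VPN users: tunnel interface to the LAN. The source is
# limited to the client pool rather than "all".
config firewall policy
    edit 0
        set name "VPN-Admin-to-LAN"
        set srcintf "VPN-DIALUP-EAP"
        set dstintf "port2"
        set srcaddr "VPN-CLIENT-POOL"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Because the RADIUS server "FAC" has a 120-second timeout and remoteauthtimeout is set to 120 above, the EAP exchange can wait for the FortiToken push approval or OTP entry without the IKE negotiation being abandoned first.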
- If FortiAuthenticator sends a FortiToken push and FortiAuthenticator is behind the FortiGate, configure the following additional firewall policies:
- Firewall policy allowing FortiAuthenticator outbound HTTPS access to push.fortinet.com, or the Fortinet-Web Internet Service.

- Firewall Policy including a Virtual IP allowing remote FortiToken mobile app users to send push codes to FortiAuthenticator.
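The two push-related policies in CLI form, as an added example that is not from the original article. It assumes FortiAuthenticator at 10.250.0.21 sits behind "port2", the WAN interface "port1" holds the public IP 203.0.113.10 (a documentation address) that was entered under System -> System Access on FortiAuthenticator, and that the push listener is on TCP/443 (verify the port against the FortiAuthenticator GUI Access settings before use).

```fortios
# Added example (not from the original article). Assumptions: WAN "port1"
# with public IP 203.0.113.10, FortiAuthenticator 10.250.0.21 on "port2",
# push listener TCP/443.
config firewall address
    edit "FAC-HOST"
        set subnet 10.250.0.21 255.255.255.255
    next
end

# Virtual IP publishing only the push listener port, not the whole host.
config firewall vip
    edit "VIP-FAC-FTM-PUSH"
        set extintf "port1"
        set extip 203.0.113.10
        set mappedip "10.250.0.21"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    # Inbound: FortiToken Mobile app users send push approvals to FortiAuthenticator.
    edit 0
        set name "FTM-Push-Inbound"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP-FAC-FTM-PUSH"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Outbound: FortiAuthenticator reaches push.fortinet.com via the
    # Fortinet-Web Internet Service instead of an open "all" destination.
    edit 0
        set name "FAC-Push-Outbound"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "FAC-HOST"
        set internet-service enable
        set internet-service-name "Fortinet-Web"
        set action accept
        set schedule "always"
        set logtraffic all
        set nat enable
    next
end
```

Logging both policies makes push delivery problems visible in the forward traffic log: no hits on the inbound policy when users tap Approve usually means the public IP/FQDN on FortiAuthenticator does not match the VIP, while denies on the outbound side point at the Internet Service or NAT settings.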


Note: Since FortiToken is hosted on FortiAuthenticator in this example, the ftm-push service can be left disabled on FortiGate.
config system ftm-push
set status disable
end
FortiClient Configuration:
FortiClient configuration is the same as for local VPN users. FortiClient can be configured from the GUI since the default EAP method will be used. See Configuring an IPsec VPN connection.
FortiToken Push notification flow:

FortiToken OTP flow:
