FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
ssteo
Staff
Article Id 357319
Description This article describes how to integrate Linux Ubuntu (as a RADIUS client) with FortiAuthenticator, using FortiToken Mobile for two-factor authentication.
Scope FortiAuthenticator, Linux Ubuntu.
Solution

Linux Ubuntu configuration.

  1. Install the libpam-radius-auth package:

 

sudo apt-get install libpam-radius-auth

 

  2. Configure RADIUS on Ubuntu by adding the FortiAuthenticator IP address and shared secret:

 

sudo nano /etc/pam_radius_auth.conf

 

radius1.png

 

  3. Modify the SSHD PAM configuration by adding the lines highlighted in yellow. This allows RADIUS authentication to be injected into the SSH login:

 

sudo nano /etc/pam.d/sshd

 

radius2.png

 

  4. Modify sshd_config by adding the lines highlighted in yellow. This allows two-factor authentication for SSH:

 

sudo nano /etc/ssh/sshd_config

 

radius3.png

 

Screenshot 2024-12-06 000955.png

 

Note: The keyboard-interactive authentication protocol in SSHv2 is effectively the replacement for the challenge-response protocol in SSHv1.

 

  5. Restart the SSHD service:

 

systemctl restart sshd

 

  6. Add a user with the same username as the one configured in FortiAuthenticator:

 

sudo useradd fac_teo

 

  7. Run the command 'tail -f /var/log/auth.log' to troubleshoot RADIUS issues on Ubuntu.
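
The following is an added example, not part of the original article: a sanity check for the three files edited in the Ubuntu steps. The directives it looks for (an `auth` line naming `pam_radius_auth.so`, `UsePAM`, `KbdInteractiveAuthentication` or `ChallengeResponseAuthentication`) and the sample address and secret are assumptions, since the article's screenshots are not reproduced here.

```shell
#!/bin/sh
# Added example, not from the article. The directives checked are assumptions,
# because the article's screenshots are not reproduced on this page.

# pam_radius_auth.conf holds the shared secret: require a "server secret" line
# and no group/other permission bits.
check_radius_conf() {
    grep -Eq '^[[:space:]]*[^#[:space:]]+[[:space:]]+[^[:space:]]+' "$1" || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# The sshd PAM stack needs an uncommented auth line naming pam_radius_auth.so.
check_pam_sshd() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_radius_auth\.so' "$1"
}

# sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
# Usage: first_value FILE KEYWORD [ALIAS]
first_value() {
    awk -v a="$2" -v b="${3:-$2}" \
        'tolower($1) == tolower(a) || tolower($1) == tolower(b) { print tolower($2); exit }' "$1"
}

# PAM must be on and keyboard-interactive allowed so the token prompt reaches the user.
# ChallengeResponseAuthentication is treated as an alias (OpenSSH 8.7 and later).
check_sshd_config() {
    [ "$(first_value "$1" UsePAM)" = "yes" ] &&
        [ "$(first_value "$1" KbdInteractiveAuthentication ChallengeResponseAuthentication)" = "yes" ]
}

# Constructed sample files with a placeholder server address and secret.
demo() {
    demo_dir=$(mktemp -d)
    printf '# server[:port] secret timeout\n192.0.2.10 EXAMPLE-SECRET 60\n' > "$demo_dir/pam_radius_auth.conf"
    chmod 600 "$demo_dir/pam_radius_auth.conf"
    printf 'auth sufficient pam_radius_auth.so\n@include common-auth\n' > "$demo_dir/sshd"
    printf 'UsePAM yes\nKbdInteractiveAuthentication yes\n' > "$demo_dir/sshd_config"
    if check_radius_conf "$demo_dir/pam_radius_auth.conf" && check_pam_sshd "$demo_dir/sshd" &&
        check_sshd_config "$demo_dir/sshd_config"; then
        echo "all checks passed"; demo_rc=0
    else
        echo "check failed"; demo_rc=1
    fi
    rm -rf "$demo_dir"
    return "$demo_rc"
}
demo
```

On a live host, point the functions at /etc/pam_radius_auth.conf, /etc/pam.d/sshd and /etc/ssh/sshd_config. `sshd -T` prints the effective settings when Include files or Match blocks are in play.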

 

FortiAuthenticator configuration.

  1. Enable RADIUS under System -> Network -> Interfaces.

 

radius7.png

 

  2. Configure the RADIUS client under Authentication -> RADIUS Service -> Clients.

 

radius4.png

 

  3. Configure RADIUS policies under Authentication -> RADIUS Service -> Policies.

 

radius5.png

 

Select 'Next' until the end and select 'Save and exit'.

 

  4. Configure a local user account with the same username as the one created in Ubuntu. Enable One-Time Password (OTP) authentication by selecting FortiToken.

 

radius6.png

 

Test result:

Log in using the username and password; a prompt for the FortiToken code will then appear.

 

radius8.png

 

Verify the log in FortiAuthenticator under Logging -> Logs.

 

radius9.png