Created on 09-27-2024 01:06 AM Edited on 09-27-2024 01:07 AM By Anthony_E
Description | This article describes some integration details for FortiGate-Okta RADIUS. |
Scope | FortiGate. |
Solution |
Okta can be used to authenticate user access using the RADIUS protocol. FortiGate can integrate with Okta RADIUS to manage access.
For Okta RADIUS, the domain controller must be able to reach Okta (using the 'Okta AD Agent' software), while FortiGate must be able to communicate with Okta via the 'Okta Server Agent' for authentication and authorization.
Note: 'Okta AD Agent' and 'Okta Server Agent' are different software.
After setting up the Okta account, the 'Okta AD Agent' software is installed on the domain controller. The domain controller communicates with the Okta account to import Active Directory (AD) user information into Okta. The 'Okta AD Agent' must have internet access to reach the Okta account.
Each AD user account may need the following information so that it can be imported into Okta (Directory Integrations): First Name, Last Name, Email, Department.
Once the AD users are imported into Okta, the Okta RADIUS Application is created and associated with the AD user/group. The RADIUS Client UDP port and the RADIUS secret key are configured in the application.
Note: The RADIUS Client UDP port and RADIUS secret key will be used later in the FortiGate RADIUS server configuration.
The 'Okta Server Agent' software has to be installed on a computer/server that has internet access and can be reached by FortiGate. FortiGate, as the RADIUS client, communicates with Okta RADIUS via the 'Okta Server Agent'. In FortiGate, configure the RADIUS server. The secret key and radius-port use the same values that were configured in the Okta RADIUS Application.
A RADIUS user group is then created in FortiGate and associated with the RADIUS server above. Finally, associate the RADIUS user group with the SSL VPN portal and the SSL VPN policy.
Result: The authentication test run from FortiGate is successful.
The SSL VPN debug shows that authentication and the connection are successful.
|
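The FortiGate side of the steps above, as an added FortiOS CLI example that is not part of the original article. The object names (Okta-RADIUS, Okta-SSLVPN-Users, Internal-Subnet), the agent address 192.0.2.10, port 1812, the interfaces, the portal name and the PAP scheme in the test command are assumptions or placeholders; the secret and port must be the values configured in the Okta RADIUS Application.

```fortios
# Added example; all names and addresses are placeholders.
# RADIUS server entry pointing at the host running the 'Okta Server Agent'.
config user radius
    edit "Okta-RADIUS"
        set server "192.0.2.10"
        set secret <radius-secret-from-okta-app>
        set radius-port 1812
    next
end

# User group whose only member is the RADIUS server above.
config user group
    edit "Okta-SSLVPN-Users"
        set member "Okta-RADIUS"
    next
end

# Map the group to an SSL VPN portal.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Okta-SSLVPN-Users"
            set portal "full-access"
        next
    end
end

# SSL VPN policy: only members of the group reach the internal subnet.
# "Internal-Subnet" is a hypothetical address object that must already exist.
config firewall policy
    edit 0
        set name "SSLVPN-Okta"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Internal-Subnet"
        set groups "Okta-SSLVPN-Users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verification: authentication test, then SSL VPN and auth-daemon debug.
diagnose test authserver radius Okta-RADIUS pap <username> <password>
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable
```

Turn the debug output off with `diagnose debug disable` and `diagnose debug reset` once the test is complete, since the test command and debug output can expose usernames in the console session.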