RADIUS Chained Authentication

RADIUS Chained Authentication is useful for providing FortiAuthenticator services in an environment where 3rd Party Multi-Factor Authentication tokens are already widely deployed. For instance, if you want to use FortiAuthenticator to provide Fortinet Single Sign-on and SAML services, but there is already a large number of RSA tokens deployed in the environment, you can use FortiAuthenticator as the username/password server, and rely on the RSA server for token authentication only. This example provides instructions for using RADIUS Chained Authentication for administrative access to a Fortinet FortiGate Firewall using two FortiAuthenticators. One FortiAuthenticator will be acting as the username/password server, and the other will be used as the token server.

Configure Primary FortiAuthenticator

These are the configuration steps for the primary FortiAuthenticator that will be acting as the username/password authentication server.

Configure Remote LDAP Server

Navigate to Authentication > Remote Auth Servers > LDAP and create a new LDAP Server. You will need to provide the following information:

  • LDAP Server Name or IP
  • LDAP Server Port
  • Base Distinguished Name
  • Bind username and password (the original guidance uses a Domain Administrator account; an account with read access to the Base DN is sufficient for user lookups, and a dedicated service account with only that access is the safer choice)

After entering the basic LDAP settings, under Windows Active Directory Domain Authentication, check Enable then enter the following information:

  • Kerberos Realm Name
  • Domain NetBIOS Name
  • FortiAuthenticator NetBIOS Name
  • Domain Administrator username and password

Once this information is provided, FortiAuthenticator will join the domain and users will be able to authenticate against Active Directory.

Create Remote LDAP Group

Navigate to Authentication > User Management > User Groups and create a new group.

  • Provide a name for the Group ex. FortiGateAdmins
  • Set the Type as Remote LDAP
  • For User retrieval, you can specify an LDAP Filter, or you can manually add users that have been imported to FortiAuthenticator from your LDAP Server
  • Select your LDAP server from the dropdown
  • Save the group configuration, then edit the group again to add the required RADIUS attribute. Click Add Attribute, choose Fortinet as the Vendor and Fortinet-Group-Name as the Attribute ID, and enter FortiGateAdmins in the Value field. This attribute is returned to the FortiGate in the Access-Accept and tells the FortiGate which firewall group to associate the user with, so the value must match the group name configured on the FortiGate exactly.

Import Remote LDAP Users

Users can be imported from the remote LDAP server in several different ways.

  • Import from Authentication > Remote Auth Servers > LDAP: edit your LDAP Server entry, scroll to the bottom and, next to “Import Users”, click Go. The LDAP tree opens so you can select users manually, or you can provide an LDAP filter to select the users to import.
  • Import from Authentication > User Management > Remote Users: select your LDAP Server and, next to “Import Users”, click Go. The LDAP tree opens so you can select users manually, or you can provide an LDAP filter to select the users to import.
  • Import via Remote User Sync Rule: provide a name for the rule, select your LDAP Server, choose how often the sync rule runs, provide the Base DN and LDAP Filter, and optionally choose a group to associate imported users with automatically.

Add Remote LDAP Users to FAC Remote Users Group

Users can be added to the group in any of the following ways:

  • Manual: edit your group and select “Set a list of imported remote LDAP users”. All imported users are listed under “Available LDAP Users”. Select the users you want in the group and click the right arrow to move them to the “Selected LDAP Users” box.
  • LDAP Filter: edit your group and select “Specify an LDAP filter”. Provide the filter syntax and all users matching that filter are added to the group automatically.
  • Remote User Sync Rule: edit your Remote User Sync Rule and select the group in the “Group to associate users with” dropdown.

Add the FortiGate as a RADIUS Client

Navigate to Authentication > RADIUS Service > Clients, create a new entry, and provide the following information:

  • FortiGate Name
  • FortiGate IP address or FQDN
  • Shared Secret

Next, under User Authentication - Authentication method, select Password-only Authentication (exclude users without a password): the token check will be delegated to the chained token server, so this FortiAuthenticator only verifies the password. Under Realms select local (we will come back to change this later). Click Save, wait a few seconds, then click OK.

Add Token Server as RADIUS Server

Navigate to Authentication > Remote Auth Servers > RADIUS and create a new entry. Enter the following information:

  • Name of Token Server
  • IP Address or FQDN of Token Server
  • Shared Secret

Create FAC Realm

Navigate to Authentication > User Management > Realms and create a new entry. Enter the following information:

  • Provide a name
  • For User source, select your LDAP server from the dropdown
  • Check “Chained token authentication with remote RADIUS server”
  • Select the Token Server that you added as a RADIUS server

Add Realm to RADIUS Client Configuration

Navigate back to Authentication > RADIUS Service > Clients and edit the RADIUS Client that you created earlier. Under Realms, use the dropdown to change the realm from local to the LDAP realm you just created. Check “Allow Windows AD Domain Authentication” and set the group filter so that only members of the FortiGateAdmins group created earlier are allowed to authenticate through this client.


Configure Token Server

This section provides the configuration for the secondary FortiAuthenticator acting as the Token Server. 3rd Party Token Servers have the same basic requirements, but the exact steps will differ.

Add Primary FortiAuthenticator as RADIUS client

Navigate to Authentication > RADIUS Service > Clients, create a new entry, and provide the following information:

  • Name of network device ex. FortiAuthenticator
  • IP address or FQDN of FortiAuthenticator
  • Shared Secret (must exactly match the shared secret that was provided when configuring the Token Server as a RADIUS Server on the Primary FortiAuthenticator)

Configure Local User Accounts

Navigate to Authentication > User Management > Local Users and create a new entry. Complete the following steps to create a new user:

  • Enter a username. This username must match the username of the corresponding Remote LDAP user that was imported into the primary FortiAuthenticator.
  • From the dropdown, select “No Password, FortiToken authentication only”.
  • Make sure “Allow RADIUS authentication” is checked.
  • Click “OK”.
  • Uncheck “Disabled”.
  • Check “Token-based authentication”
  • Choose “FortiToken” for “Deliver token code by”
  • Use the FortiToken Hardware or FortiToken Mobile dropdown to assign a token to the user.
  • Enter the user's email address.
  • Click OK

If using FortiToken Mobile, the user will receive an email with instructions on how to activate their token.


Configure FortiGate

This section provides the configuration steps for the FortiGate so that LDAP users who have been imported into the FortiGateAdmins group on FortiAuthenticator can log in to the FortiGate as administrators.

Add Primary FortiAuthenticator as RADIUS Server

Navigate to User & Device > RADIUS Servers and click Create New

  • Provide a Name ex. FortiAuthenticator
  • Enter the IP or FQDN of the Primary FortiAuthenticator
  • Enter the Shared Secret (must exactly match the shared secret that was provided when configuring the FortiGate as a RADIUS Client on the Primary FortiAuthenticator)

Create FortiGateAdmins Group

Navigate to User & Device > User Groups and click Create New

  • Provide a name. ex. FortiGateAdmins
  • Set the Type to “Firewall”
  • Leave the “Members” field blank
  • Under Remote Groups click “Add”
  • Set the Remote Server to the Primary FortiAuthenticator
  • In the Groups field, enter “FortiGateAdmins”. This is the value of the Fortinet-Group-Name RADIUS attribute configured on the Primary FortiAuthenticator group, and the two strings must match exactly.

Create Administrator Account

Navigate to System > Administrators and click Create new

  • For username enter “*”
  • For Type select “Match all users in a remote server group”
  • For Remote User Group select the “FortiGateAdmins” group that was created in the previous step.
  • For Administrator Profile choose the least privileged profile that gives these administrators what they need. A wildcard administrator matches every user the Primary FortiAuthenticator returns with the FortiGateAdmins group name, so membership of that group on FortiAuthenticator is what limits who can log in.
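
The same FortiGate configuration expressed in the FortiOS CLI, as an added example that is not part of the original page. The server address 192.0.2.10, the shared secret and the super_admin profile are placeholders to replace with your own values. The remoteauthtimeout line is also an addition the page does not mention: each leg of a chained login is proxied through the Primary FortiAuthenticator to the token server, so the round trip can be longer than a plain RADIUS check and a short remote authentication timeout can fail an otherwise good login.

```fortios
config system global
    set remoteauthtimeout 60
end
config user radius
    edit "FortiAuthenticator"
        set server "192.0.2.10"
        set secret "ExampleSharedSecret"
    next
end
config user group
    edit "FortiGateAdmins"
        set member "FortiAuthenticator"
        config match
            edit 1
                set server-name "FortiAuthenticator"
                set group-name "FortiGateAdmins"
            next
        end
    next
end
config system admin
    edit "*"
        set remote-auth enable
        set wildcard enable
        set remote-group "FortiGateAdmins"
        set accprofile "super_admin"
    next
end
```

The group-name value under config match is the string compared against the Fortinet-Group-Name attribute returned by FortiAuthenticator, so it must be byte-for-byte the same as the attribute value configured on the FortiAuthenticator group. Replace super_admin with a narrower profile where the administrators do not need full control.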

Testing

Log in to the FortiGate using an account in the FortiGateAdmins group. The user is prompted for their username and password; after providing them, they are challenged for their FortiToken one-time password.

For a successful authentication, the Primary FortiAuthenticator will have the following log message:

Remote RADIUS user authentication partially done, remote server expecting challenge response

The Token Server will have the following log message:

Local user authentication(mschap) with FortiToken successful

And the final message on the Primary FortiAuthenticator will look like this:

Windows AD user authentication with chained radius auth successful
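
The two-leg RADIUS exchange behind the log messages above, as an added example that is not part of the original page: a mock password server that answers a correct password with Access-Challenge, expects the token code in a second Access-Request that echoes its State attribute, and returns the Fortinet-Group-Name vendor attribute (Fortinet enterprise number 12356, sub-type 1) in the Access-Accept. The user record, the OTP value and the shared secret are constructed for the example; the packet encoding, User-Password hiding and Response Authenticator check follow RFC 2865.

```python
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, VENDOR_SPECIFIC = 1, 2, 18, 24, 26
FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number carried in the VSA
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name sub-attribute type
# Constructed user database for the mock server: password leg first, then the token leg.
USERS = {"alice": {"password": "Passw0rd!", "otp": "123456", "group": "FortiGateAdmins"}}

def pap_xor(data, secret, authenticator, decrypt):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t], i = data[i + 2:i + ln], i + ln
    return attrs

def fortinet_group_vsa(group):
    body = group.encode()
    return (VENDOR_SPECIFIC, struct.pack("!IBB", FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, len(body) + 2) + body)

def parse_fortinet_group(attrs):
    vsa = attrs.get(VENDOR_SPECIFIC, b"")
    if len(vsa) < 4 or struct.unpack("!I", vsa[:4])[0] != FORTINET_VENDOR_ID:
        return None
    name = decode_attrs(vsa[4:]).get(FORTINET_GROUP_NAME)
    return name.decode() if name else None

def build_request(ident, secret, user, hidden, state=None):
    """Access-Request with a fresh random Request Authenticator; password or OTP hidden under it."""
    auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_xor(hidden.encode(), secret, auth, False))]
    if state is not None:
        attrs.append((STATE, state))  # the second leg echoes the server's State unchanged
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth

def build_response(code, ident, req_auth, secret, attrs):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(resp, req_auth, secret):
    """NAS-side check that the reply was produced by the holder of the shared secret."""
    return secrets.compare_digest(hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest(), resp[4:20])

def chained_server(request, secret, pending):
    """Mock password server: Challenge after a good password, Accept with the group after a good OTP."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], decode_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    submitted = pap_xor(attrs.get(USER_PASSWORD, b""), secret, req_auth, True)
    record, reject = USERS.get(user), build_response(ACCESS_REJECT, ident, req_auth, secret, [])
    if record is None:
        return reject
    if STATE in attrs:  # second leg: State must be one we issued for this same user
        if pending.pop(attrs[STATE], None) != user or not secrets.compare_digest(submitted, record["otp"].encode()):
            return reject
        return build_response(ACCESS_ACCEPT, ident, req_auth, secret, [fortinet_group_vsa(record["group"])])
    if not secrets.compare_digest(submitted, record["password"].encode()):
        return reject
    state = secrets.token_bytes(16)
    pending[state] = user
    return build_response(ACCESS_CHALLENGE, ident, req_auth, secret,
                          [(STATE, state), (REPLY_MESSAGE, b"Enter your FortiToken code")])

def client_login(user, password, otp, secret):
    """Drive both legs as the FortiGate would; returns (final code, Fortinet-Group-Name or None)."""
    pending = {}
    req, auth = build_request(1, secret, user, password)
    resp = chained_server(req, secret, pending)
    if not verify_response(resp, auth, secret):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    if resp[0] != ACCESS_CHALLENGE:
        return resp[0], None
    state = decode_attrs(resp[20:])[STATE]
    req, auth = build_request(2, secret, user, otp, state)  # OTP travels in User-Password on leg two
    resp = chained_server(req, secret, pending)
    if not verify_response(resp, auth, secret):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return resp[0], parse_fortinet_group(decode_attrs(resp[20:]))
```

Calling client_login("alice", "Passw0rd!", "123456", b"ExampleSharedSecret") walks the password leg, the challenge and the token leg and returns the Access-Accept code together with "FortiGateAdmins", which is the string the FortiGate compares against its remote group match; a wrong OTP, a wrong password or an unknown user each end in Access-Reject. The State check in the mock server is the point that matters for chaining: the token leg is only honoured when it references a challenge that was actually issued for that user after a correct password.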