Fortinet FortiGate 5.6 RSA SecurID Access
Implementation Guide
Solution Summary
FortiGate enterprise firewalls offer flexible deployments from the network edge to the core, data center,
internal segment, and the Cloud. FortiGate enterprise firewalls leverage purpose-built security
processors (SPUs) that deliver scalable performance for advanced security services such as Threat Protection
and SSL inspection, and ultra-low latency for protecting internal segments and mission-critical environments.
FortiGate supports RSA SecurID Access authentication, allowing organizations to secure their resources
by requiring end users to authenticate with RSA SecurID hardware or software tokens and/or SecurID
Access Cloud Authentication Service multifactor authentication methods. FortiGate can be configured to
communicate with either RSA SecurID Access component (Authentication Manager or the Cloud
Authentication Service) via the RADIUS protocol.
On Premise Methods
    RSA SecurID                       ✔
    On Demand Authentication          ✔
    Risk-Based Authentication (AM)    -
Cloud Authentication Service Methods
    Authenticate App                  ✔
    FIDO Token                        -
SSO
    SAML SSO                          -
    HFED SSO                          -
Identity Assurance
Fortinet
FortiGate v5.6
This section indicates which authentication methods are supported by integration point. The next section
(Configuration Summary) contains links to the appropriate configuration sections for each integration
point.
Authentication Methods        REST    HFED    IDR SAML    Cloud SAML    RADIUS
RSA SecurID                   -       -       -           -             ✔
LDAP Password                 -       -       -           -             ✔
Authenticate Approve          -       -       -           -             ✔
Authenticate Tokencode        -       -       -           -             ✔
Device Biometrics             -       -       -           -             ✔
SMS Tokencode                 -       -       -           -             ✔
Voice Tokencode               -       -       -           -             ✔
FIDO Token                    -       -       -

Authentication Methods        REST    RADIUS    UDP Agent    TCP Agent
RSA SecurID                   -       ✔         -            -
AM RBA                        -       -

Legend:
    ✔    Supported
    -    Not supported
    n/t  Not yet tested or documented, but may be possible
Configuration Summary
All of the supported use cases of RSA SecurID Access with FortiGate require both server-side and
client-side configuration changes. This section of the guide includes links to the appropriate sections for
configuring both sides for each use case.
RSA Cloud Authentication Service – FortiGate can be integrated with RSA Cloud Authentication
Service in the following way:
    RADIUS Client
        RSA Cloud Authentication Service RADIUS Configuration
        FortiGate RADIUS Configuration
RSA Authentication Manager – FortiGate can be integrated with RSA Authentication Manager in the
following way:
    RADIUS Client
        RSA Authentication Manager RADIUS Configuration
        FortiGate RADIUS Configuration
Note: RSA Authentication Manager’s RADIUS server listens on ports UDP 1645 and UDP 1812.
The following information is required to create a RADIUS client and corresponding authentication agent
for your FortiGate appliance:
    The FortiGate appliance’s hostname
    The FortiGate appliance’s internal IP address(es)
    The RADIUS server’s shared secret
Important: The RSA Authentication Manager must be able to resolve FortiGate hostnames to
valid IP addresses on the local network. Please refer to the RSA Authentication Manager help
documentation for additional information about creating, modifying and managing Authentication
Agents and RADIUS clients.
Once you have created your RADIUS client and agent host record, continue to the Partner Product
Configuration section.
Note: If you are using the RSA Cloud Authentication Service, use your Identity Router’s
IP address as the primary server IP.
4. If you are configuring FortiGate to communicate with an RSA Authentication Manager RADIUS
server and you have configured an RSA RADIUS replica server, enter the server’s IP or hostname in
the Secondary Server field and its shared secret in the Secondary Server Secret field.
Note: A secondary RADIUS server isn’t applicable if you are configuring FortiGate to
communicate with the RSA Cloud Authentication Service.
6. Optionally, enter a NAS IP in the NAS IP field. Consult your FortiGate administration
documentation for details and options.
7. Click the Test Connectivity button to run a test authentication. If the connection fails, confirm
that you have the correct RADIUS server IP address and shared secret and that you have
completed your RSA SecurID Access server side configuration properly. Consult your
FortiGate and RSA SecurID Access logs and documentation if necessary.
8. If you configured a secondary RADIUS server in step 4, click the Test Connectivity button to the
right of the Secondary Server Secret field to run a test authentication. If the connection fails,
confirm that you have the correct secondary RADIUS server IP address and shared secret and that
you have completed your RSA SecurID Access server side configuration properly. Consult
your FortiGate and RSA SecurID Access logs and documentation if necessary.
9. Once you have successfully performed a test connection, click the OK button to save the RADIUS
server connection.
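Steps 4 through 9 above depend on the RADIUS shared secret being identical on the FortiGate and on the RSA RADIUS server, which is exactly what the Test Connectivity button exercises. The following Python example is added here and is not part of this guide nor Fortinet's or RSA's code: it builds an RFC 2865 Access-Request the way a RADIUS client does, hides the passcode with the shared secret, and checks the reply's Response Authenticator before trusting it. A small simulated server stands in for Authentication Manager or the Identity Router so that the example runs offline; the username, passcode, NAS IP and secrets are constructed sample values. It shows why a mismatched secret does not look like a wrong passcode: the server cannot decode the password, and its reply fails verification on the client, which is the "connection fails" outcome described in step 7.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    """Decode a TLV attribute list into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only yields the original with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, passcode, secret, nas_ip):
    """Build the Access-Request a RADIUS client sends; returns (packet, request authenticator)."""
    authenticator = os.urandom(16)  # fresh per request; seeds the password hiding
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(passcode.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def _response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def simulate_server(packet, server_secret, valid_user, valid_passcode):
    """Stand-in for the RSA RADIUS server: decodes the request and answers Accept or Reject."""
    code, identifier, _ = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    passcode = reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    ok = code == ACCESS_REQUEST and user == valid_user and passcode == valid_passcode.encode()
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, identifier, 20)
    return header + _response_authenticator(reply_code, identifier, b"", request_auth, server_secret)


def verify_response(packet, request_authenticator, client_secret):
    """Client side: accept the reply only if its Response Authenticator matches our secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = _response_authenticator(code, identifier, packet[20:], request_authenticator, client_secret)
    return code if hmac.compare_digest(packet[4:20], expected) else None


def test_connectivity(client_secret, server_secret, passcode="1234567890"):
    """Mirror of the guide's Test Connectivity button: accept, reject or no-valid-response."""
    # Constructed sample values (hypothetical user, passcode and NAS IP; not from the guide).
    request, request_auth = build_access_request(1, "alice", passcode, client_secret, "192.0.2.10")
    reply = simulate_server(request, server_secret, "alice", "1234567890")
    code = verify_response(reply, request_auth, client_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", None: "no-valid-response"}[code]


if __name__ == "__main__":
    print(test_connectivity(b"s3cret", b"s3cret"))            # accept
    print(test_connectivity(b"s3cret", b"s3cret", "000000"))  # reject
    print(test_connectivity(b"s3cret", b"typo-secret"))       # no-valid-response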
-- 9 -
Fortinet
FortiGate v5.6
-- 10 -
Fortinet
FortiGate v5.6
5. Scroll to the Remote Groups table and click the + Add button.
6. Select your RADIUS sever from the Remote Server dropdown list and click the OK button.
7. Click the OK button to save the group, and continue to the Configure the Full-Access
FortiGate SSL-VPN Portal section.
-- 11 -
Fortinet
FortiGate v5.6
3. Select Remote RADIUS User from the dropdown list and click the Next button.
4. Enter the user’s RSA SecurID Access username in the Username field and select your RADIUS
server configuration from the RADIUS Server dropdown list.
Important: The FortiGate user’s username must match the corresponding RSA SecurID
Access user’s username.
-- 12 -
Fortinet
FortiGate v5.6
6. Enter the user’s email address in the Email Address field list. Optionally, enter additional contact
information for the user. Consult your FortiGate administration documentation for options and
instructions.
9. Select the Users & Device User Groups menu item from the FortiGate toolbar.
-- 13 -
Fortinet
FortiGate v5.6
11. Enter a name for the group in the Name field and select Firewall from the Type dropdown list.
12. Click the + button in the Members list.
13. Go to the Select Entries frame on the right side of the page, and locate and select the RADIUS
users you added in the steps above. You will notice that each user you click will be added to the
group’s Members list.
14. After you have added all of the users you want to include the group, click the OK button.
-- 14 -
Fortinet
FortiGate v5.6
3. Enable the Tunnel Mode and toggle switch and disable the Enable Split Tunneling switch.
4. Leave the default settings in the Source IP Pools list.
5. Enable the Enable Web Mode toggle switch.
6. Configure other SSL VPN settings based on your requirements. See your FortiGate administration
documentation for details and options.
7. Click the OK button.
-- 15 -
Fortinet
FortiGate v5.6
2. Decide which interface(s) the appliance will use to listen for HTTPS SSL VPN tunnel requests and
enter it/them in the Listen on Interface(s) combination list.
3. Decide which port the appliance will use to listen for HTTPS SSL VPN tunnel requests and enter it in
the Listen on Port field.
4. Enable/disable the Redirect HTTP to SSL-VPN toggle switch based on your requirements.
5. If you want to allow SSL VPN web access from any host, select the Allow access from any host
button on the Restrict Access toggle switch. Otherwise, select the Limit access to specific
hosts button and specify which IP range(s) should be allowed access. Consult your FortiGate
administration documentation for details.
6. If you don’t want FortiGate to automatically terminate an idle SSL-VPN user’s session, disable the
Idle Logout toggle button. Otherwise, enable the Idle Logout toggle button, decide the number
of seconds a user can remain inactive before FortiGate ends the user’s session and enter the
number in the Seconds field.
-- 16 -
Fortinet
FortiGate v5.6
7. From the Server Certificate dropdown list, select the signed certificate the FortiGate server will
use to identify itself to SSL-VPN clients. Consult your FortiGate administrative documentation for
recommendations.
8. Enable/disable the Require Client Certificate toggle button based on your requirements.
9. If you want to specify which IP address range(s) FortiGate will use when assigning client IP
addresses, select the Specify Custom IP ranges button on the Address Range toggle switch
and specify the IP range(s) FortiGate will use. Otherwise, select the Automatically assign
addresses button.
10. Configure your DNS, WINS server and endpoint registration settings based on your requirements.
Consult your FortiGate administration documentation for details and options.
11. Scroll to the Authentication/Portal Mapping table and click the Create New button.
12. Click the + button in the Users and Groups list to assign users and groups to the full-access SSL-
VPN portal.
13. If you want to associate a custom SSL-VPN realm with the mapping, click Specify button on the
Realm toggle switch and select a custom realm. Otherwise, click the Default realm button.
Consult your FortiGate administrative documentation for information about SSL-VPN realms.
14. Select full-access from the Portal dropdown list and click the OK button.
-- 17 -
Fortinet
FortiGate v5.6
-- 18 -
Fortinet
FortiGate v5.6
-- 19 -
Fortinet
FortiGate v5.6
-- 20 -
Fortinet
FortiGate v5.6
-- 21 -
Fortinet
FortiGate v5.6
-- 22 -
Fortinet
FortiGate v5.6
System-Generated PIN
-- 23 -
Fortinet
FortiGate v5.6
Approve Prompt
-- 24 -
Fortinet
FortiGate v5.6
-- 25 -
Fortinet
FortiGate v5.6
-- 26 -
Fortinet
FortiGate v5.6
RSA SecurID - ✔
LDAP Password - ✔
Authenticate Approve - ✔
Authenticate Tokencode - ✔
Device Biometrics - ✔
SMS Tokencode - ✔
Voice Tokencode - ✔
FIDO Token -
RSA SecurID - - - ✔
RSA SecurID Software Token Automation - - - -
On Demand Authentication - - - ✔
Risk-Based Authentication - -
-- 27 -