
RSA SECURID® ACCESS

Implementation Guide

Fortinet FortiGate v5.6

Yiqiang Wang, RSA Partner Engineering
John Sammon, RSA Partner Engineering
Last Modified: October 23, 2018
Fortinet
FortiGate v5.6

Solution Summary
FortiGate enterprise firewalls offer flexible deployments from the network edge to the core, data center,
internal segment, and the cloud. FortiGate enterprise firewalls leverage purpose-built security
processors (SPUs) that deliver scalable performance of advanced security services such as threat protection
and SSL inspection, with ultra-low latency for protecting internal segments and mission-critical environments.
FortiGate supports RSA SecurID Access authentication, allowing organizations to secure their resources
by requiring end users to authenticate with RSA SecurID hardware or software tokens and/or SecurID
Access Cloud Authentication Service multifactor authentication methods. FortiGate communicates with
RSA SecurID Access (either RSA Authentication Manager or the Cloud Authentication Service through its
Identity Router) via the RADIUS protocol.

RSA SecurID Access Features                          Fortinet FortiGate 5.6

On Premise Methods
  RSA SecurID                                              ✔
  On Demand Authentication                                 ✔
  Risk-Based Authentication (AM)                           -
Cloud Authentication Service Methods
  Authenticate App                                         ✔
  FIDO Token                                               -
SSO
  SAML SSO                                                 -
  HFED SSO                                                 -
Identity Assurance
  Collect Device Assurance and User Behavior               -


Supported Authentication Methods by Integration Point

This section indicates which authentication methods are supported by integration point. The next section
(Configuration Summary) contains links to the appropriate configuration sections for each integration
point.

FortiGate 5.6 integration with RSA Cloud Authentication Service

Authentication Methods      IDR SAML   Cloud SAML   REST   HFED   RADIUS
RSA SecurID                    -           -          -      -       ✔
LDAP Password                  -           -          -      -       ✔
Authenticate Approve           -           -          -      -       ✔
Authenticate Tokencode         -           -          -      -       ✔
Device Biometrics              -           -          -      -       ✔
SMS Tokencode                  -           -          -      -       ✔
Voice Tokencode                -           -          -      -       ✔
FIDO Token                     -           -                 -

FortiGate 5.6 integration with RSA Authentication Manager

Authentication Methods      REST   UDP Agent   TCP Agent   RADIUS
RSA SecurID                   -        -           -          ✔
AM RBA                        -                               -

✔ Supported
- Not supported
n/t Not yet tested or documented, but may be possible


Configuration Summary
All of the supported use cases of RSA SecurID Access with FortiGate require both server-side and
client-side configuration changes. This section of the guide includes links to the appropriate sections for
configuring both sides for each use case.
RSA Cloud Authentication Service – FortiGate can be integrated with RSA Cloud Authentication
Service in the following way:
RADIUS Client
RSA Cloud Authentication Service RADIUS Configuration
FortiGate RADIUS Configuration

RSA Authentication Manager – FortiGate can be integrated with RSA Authentication Manager in the
following way:
RADIUS Client
RSA Authentication Manager RADIUS Configuration
FortiGate RADIUS Configuration


RSA SecurID Access Server Side Configuration


RSA Cloud Authentication Service Configuration
RADIUS
To configure the Cloud Authentication Service for FortiGate, you must add a RADIUS client for the
FortiGate appliance in the RSA SecurID Access Console.
1. Log in to the RSA SecurID Access Console, select the Authentication Clients -> RADIUS menu
item and click the Add RADIUS Client button.
2. Enter a name for the FortiGate in the Name field, enter the IP address the FortiGate sends its
RADIUS requests from in the IP Address field, and enter the shared secret in the Shared Secret field.
3. Choose which access policy to apply to users who authenticate through this RADIUS client and
select the policy's name from the Access Policy dropdown list.
4. By default, the Cloud Authentication Service validates the user's directory server password and
then applies the access policy configured for the RADIUS client for additional authentication. To
disable password validation, select the Authentication Details radio button labeled Cloud
Authentication Service only applies access policy for additional authentication.

5. Click the Save button and then the Publish button.


Continue to the Partner Product Configuration section.


RSA Authentication Manager RADIUS Configuration


RADIUS
To configure your FortiGate appliance to use RSA Authentication Manager, you must configure a RADIUS
client and a corresponding agent host record in the RSA Authentication Manager Security Console. The
relationship of agent host record to RADIUS client can be 1 to 1, 1 to many or 1 to all (global).

Note: RSA Authentication Manager’s RADIUS server listens on ports UDP 1645 and UDP 1812.

The following information is required to create a RADIUS client and corresponding authentication agent
for your FortiGate appliance:
- The FortiGate appliance's hostname
- The FortiGate appliance's internal IP address(es)
- The RADIUS shared secret

Important: The RSA Authentication Manager must be able to resolve the FortiGate hostname to a
valid IP address on the local network. Refer to the RSA Authentication Manager help
documentation for additional information about creating, modifying and managing authentication
agents and RADIUS clients.

Once you have created your RADIUS client and agent host record, continue to the Partner Product
Configuration section.


Partner Product Configuration


Before You Begin
This section provides instructions for enabling RSA SecurID Access authentication for FortiGate users.
You should have working knowledge of FortiGate and RSA SecurID Access, as well as access to the
appropriate end-user and administrative documentation. Ensure that both products are running properly
prior to configuring the integration.

RSA Cloud Authentication Service Prerequisites


If you are using the RSA Cloud Authentication Service, you must complete the RSA Cloud
Authentication Service Configuration section, and you will need the IP address of your Identity
Router (IDR) and the RADIUS shared secret before you continue.

RSA Authentication Manager Prerequisites


If you are using RSA Authentication Manager, you must complete the RSA Authentication Manager
Configuration section, and you will need the IP address and shared secret of your RSA Authentication
Manager's primary RADIUS server. If you have configured a secondary (replica) RADIUS server, you will
need its IP address and shared secret as well.


Configure FortiGate for RSA SecurID Access RADIUS


Follow the instructions in the sections below to enable RSA SecurID Access authentication for FortiGate.
- Add an RSA SecurID Access RADIUS Server Connection to FortiGate
- Create FortiGate Users and Groups
- Configure the Full-Access FortiGate SSL-VPN Portal
- Set FortiGate SSL-VPN Settings
- Create an IPv4 Policy

Add an RSA SecurID Access RADIUS Server Connection to FortiGate


1. Log in to the FortiGate appliance as the admin user and select the User & Device > RADIUS
Servers menu item from the FortiGate toolbar.

2. Enter a name to identify the connection in the Name field.


3. Enter the RADIUS server’s IP or hostname in the Primary Server IP/Name field and its shared
secret in the Primary Server Secret field.

Note: If you are using the RSA Cloud Authentication Service, use your Identity Router’s
IP address as the primary server IP.

4. If you are configuring FortiGate to communicate with an RSA Authentication Manager RADIUS
server and you have configured an RSA RADIUS replica server, enter the server’s IP or hostname in
the Secondary Server field and its shared secret in the Secondary Server Secret field.

Note: A secondary RADIUS server isn’t applicable if you are configuring FortiGate to
communicate with the RSA Cloud Authentication Service.

5. Select the Default button on the Authentication Method toggle switch.


6. Optionally, enter a NAS IP in the NAS IP field. Consult your FortiGate administration
documentation for details and options.
7. Click the Test Connectivity button to run a test authentication. If the connection fails, confirm
that you have the correct RADIUS server IP address and shared secret and that you have
completed your RSA SecurID Access server side configuration properly. Consult your
FortiGate and RSA SecurID Access logs and documentation if necessary.
8. If you configured a secondary RADIUS server in step 4, click the Test Connectivity button to the
right of the Secondary Server Secret field to run a test authentication. If the connection fails,
confirm that you have the correct secondary RADIUS server IP address and shared secret and that
you have completed your RSA SecurID Access server side configuration properly. Consult
your FortiGate and RSA SecurID Access logs and documentation if necessary.

9. Once you have successfully performed a test connection, click the OK button to save the RADIUS
server connection.
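What the Test Connectivity step exercises, and how the challenge prompts shown later in this guide (Next
Tokencode, New PIN, Approve) travel between FortiGate and the RSA RADIUS server, is easiest to see in
code. The following is an added example written for this page, not code from Fortinet or RSA. It
implements the RFC 2865 pieces a RADIUS client uses with the Default (PAP) authentication method
selected in step 5: the User-Password hiding, the Response Authenticator check that detects a wrong
shared secret or a forged reply, and an Access-Challenge round-trip that echoes the server's State
attribute. The server half is a stand-in that imitates the RSA Next Tokencode prompt so the exchange runs
offline; the shared secret, NAS address, user name, passcode and tokencodes are constructed values.

```python
"""RFC 2865 RADIUS PAP exchange with an Access-Challenge round-trip, stdlib only.
Added illustration, not FortiGate or RSA code: the server half is a stand-in that
imitates RSA's Next Tokencode prompt; secret, addresses, user and codes are made up."""
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24

def pap_transform(data, secret, authenticator, hide):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous hidden block).
    hide=True is the client side (pad and hide); hide=False is the server side (reveal)."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def pack(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def unpack(packet):
    """Bounds-checked parse: (code, ident, authenticator, {type: [values]}, raw attribute bytes)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, ident, packet[4:20], attrs, packet[20:length]

def access_request(ident, username, password, secret, state=None, nas_ip="192.0.2.1"):
    """What the NAS (FortiGate) sends; the 16-byte Request Authenticator is fresh per request."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_transform(password.encode(), secret, auth, True)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    if state is not None:
        attrs.append((STATE, state))  # echo the server's State when answering a challenge
    return pack(ACCESS_REQUEST, ident, auth, attrs), auth

def reply(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return pack(code, ident, hashlib.md5(header + request_auth + body + secret).digest(), attrs)

def verify_response(packet, request_auth, secret):
    """NAS side: recompute the Response Authenticator; a real client silently drops a mismatch."""
    code, _, resp_auth, attrs, raw = unpack(packet)
    expected = hashlib.md5(packet[:4] + request_auth + raw + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, attrs

class StandInRsaRadius:
    """Correct passcode -> Access-Challenge carrying the Next Tokencode prompt and a State;
    the echoed State plus the next tokencode -> Access-Accept; anything else -> Access-Reject."""
    PROMPT = b"Wait for the tokencode to change, then enter the new tokencode:"

    def __init__(self, secret, users):  # users: name -> (passcode, next tokencode)
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, packet):
        code, ident, req_auth, attrs, _ = unpack(packet)
        user = attrs[USER_NAME][0].decode(errors="replace")
        submitted = pap_transform(attrs[USER_PASSWORD][0], self.secret, req_auth, False)
        state = attrs.get(STATE, [None])[0]
        if code == ACCESS_REQUEST and self.pending.pop(state, None) == user \
                and submitted == self.users[user][1].encode():
            return reply(ACCESS_ACCEPT, ident, [], req_auth, self.secret)
        if code == ACCESS_REQUEST and state is None and user in self.users \
                and submitted == self.users[user][0].encode():
            state = os.urandom(8)  # one-shot challenge handle, consumed by the pop above
            self.pending[state] = user
            return reply(ACCESS_CHALLENGE, ident, [(REPLY_MESSAGE, self.PROMPT), (STATE, state)],
                         req_auth, self.secret)
        return reply(ACCESS_REJECT, ident, [], req_auth, self.secret)

def login(server, secret, username, passcode, next_tokencode):
    """Drive the exchange as FortiGate would; returns (reply codes seen, prompt shown to the user)."""
    req, auth = access_request(1, username, passcode, secret)
    code, attrs = verify_response(server.handle(req), auth, secret)
    codes, prompt = [code], None
    if code == ACCESS_CHALLENGE:
        prompt = attrs[REPLY_MESSAGE][0].decode()
        req, auth = access_request(2, username, next_tokencode, secret, state=attrs[STATE][0])
        codes.append(verify_response(server.handle(req), auth, secret)[0])
    return codes, prompt
```

Calling login() with the correct passcode returns the codes Access-Challenge then Access-Accept together
with the Reply-Message text, which is exactly what FortiGate renders as the Next Tokencode prompt on the
SSL-VPN login page; a mismatched shared secret surfaces as a Response Authenticator failure, which is
the usual reason the Test Connectivity step fails. Two caveats worth keeping in mind: the User-Password
hiding and the Response Authenticator are both MD5 constructions keyed only by the shared secret, so
use a long random secret and keep the FortiGate-to-RADIUS path on a trusted network segment; and a
challenge reply must carry the server's State unchanged, which FortiGate does for you but a custom client
has to do itself.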


Create FortiGate Users and Groups


After you create your RADIUS server connection, you must map your RSA SecurID Access users to
FortiGate users and/or groups so that you can grant them network access when you configure your
FortiGate policies. There are many ways to do this. For example, if you want to give all of your RSA
SecurID Access users access to FortiGate, you can create a FortiGate firewall group and add the RADIUS
server as a nested remote group; note that such a group admits every user the RADIUS server accepts, so
scope the RSA access policy accordingly. If you only want to include a small subset of users in your
FortiGate group, you can create remote RADIUS users and associate them with your RADIUS server
connection.
This section contains instructions for the two options described above. For additional options and details
about creating FortiGate users and groups, consult your FortiGate administration documentation.
- Example 1: Create a FortiGate Group with a Remote RADIUS Group
- Example 2: Create a FortiGate Group with Individual Remote RADIUS Users

Example 1: Create a FortiGate Group with a Remote RADIUS Group


1. Select the User & Device > User Groups menu item from the FortiGate toolbar.

2. Click the Create New button.

3. Enter a name for the group in the Name field.


4. Select Firewall from the Type dropdown list.


5. Scroll to the Remote Groups table and click the + Add button.

6. Select your RADIUS server from the Remote Server dropdown list and click the OK button.

7. Click the OK button to save the group, and continue to the Configure the Full-Access
FortiGate SSL-VPN Portal section.


Example 2: Create a FortiGate Group with Individual Remote RADIUS Users


1. Select the User & Device > User Definition menu item from the FortiGate toolbar.

2. Click the Create New button.

3. Select Remote RADIUS User from the dropdown list and click the Next button.

4. Enter the user’s RSA SecurID Access username in the Username field and select your RADIUS
server configuration from the RADIUS Server dropdown list.

Important: The FortiGate user’s username must match the corresponding RSA SecurID
Access user’s username.

5. Click the Next button.


6. Enter the user's email address in the Email Address field. Optionally, enter additional contact
information for the user. Consult your FortiGate administration documentation for options and
instructions.

7. Click the Next button.


8. Click the Enabled button on the User Account Status switch and click the Submit button.
Repeat steps 1-8 for each additional user you want to create.

9. Select the User & Device > User Groups menu item from the FortiGate toolbar.

10. Click the Create New button.


11. Enter a name for the group in the Name field and select Firewall from the Type dropdown list.
12. Click the + button in the Members list.
13. Go to the Select Entries frame on the right side of the page, and locate and select the RADIUS
users you added in the steps above. You will notice that each user you click will be added to the
group’s Members list.

14. After you have added all of the users you want to include the group, click the OK button.


Configure the Full-Access FortiGate SSL-VPN Portal


1. Select the VPN > SSL-VPN Portals menu item from the FortiGate toolbar.

2. Double-click the portal named full-access in the portal table.

3. Enable the Tunnel Mode toggle switch and disable the Enable Split Tunneling switch, so that all
client traffic is routed through the FortiGate.
4. Leave the default settings in the Source IP Pools list.
5. Enable the Enable Web Mode toggle switch.

6. Configure other SSL VPN settings based on your requirements. See your FortiGate administration
documentation for details and options.
7. Click the OK button.


Set FortiGate SSL-VPN Settings


1. Select the VPN > SSL-VPN Settings menu item from the FortiGate toolbar.

2. Decide which interface(s) the appliance will use to listen for HTTPS SSL VPN tunnel requests and
add them to the Listen on Interface(s) list.
3. Decide which port the appliance will use to listen for HTTPS SSL VPN tunnel requests and enter it in
the Listen on Port field.
4. Enable/disable the Redirect HTTP to SSL-VPN toggle switch based on your requirements.
5. If you want to allow SSL VPN web access from any host, select the Allow access from any host
button on the Restrict Access toggle switch. Otherwise, select the Limit access to specific
hosts button and specify which IP range(s) should be allowed access. Consult your FortiGate
administration documentation for details.

6. If you don’t want FortiGate to automatically terminate an idle SSL-VPN user’s session, disable the
Idle Logout toggle button. Otherwise, enable the Idle Logout toggle button, decide the number
of seconds a user can remain inactive before FortiGate ends the user’s session and enter the
number in the Seconds field.


7. From the Server Certificate dropdown list, select the signed certificate the FortiGate server will
use to identify itself to SSL-VPN clients. Consult your FortiGate administrative documentation for
recommendations.
8. Enable/disable the Require Client Certificate toggle button based on your requirements.

9. If you want to specify which IP address range(s) FortiGate will use when assigning client IP
addresses, select the Specify Custom IP ranges button on the Address Range toggle switch
and specify the IP range(s) FortiGate will use. Otherwise, select the Automatically assign
addresses button.
10. Configure your DNS, WINS server and endpoint registration settings based on your requirements.
Consult your FortiGate administration documentation for details and options.
11. Scroll to the Authentication/Portal Mapping table and click the Create New button.

12. Click the + button in the Users and Groups list to assign users and groups to the full-access SSL-
VPN portal.
13. If you want to associate a custom SSL-VPN realm with the mapping, click Specify button on the
Realm toggle switch and select a custom realm. Otherwise, click the Default realm button.
Consult your FortiGate administrative documentation for information about SSL-VPN realms.
14. Select full-access from the Portal dropdown list and click the OK button.

15. Click the Apply button.


Create an IPv4 Policy


1. Select the Policy & Objects > IPv4 Policy menu item from the FortiGate toolbar.

2. Enter a name for the policy in the Name field.


3. Choose which inbound interface(s) your policy will control, and select the interface(s) from the
Incoming Interface dropdown list.
4. Choose which outbound interface(s) your policy will control, and select the interface(s) from the
Outgoing Interface dropdown list.
5. Decide which source IP addresses and/or users and groups your policy will control, and add them
to the Source list.
6. Decide which destinations your policy will control, and add them to the Destination list.
7. Decide which service(s) the policy will allow authenticated users to access, and add the service(s) to
the Service list.
8. Select always from the Schedule list and click the Accept button on the Action switch.
9. Enable/disable the NAT toggle switch depending on whether you want to use Network Address
Translation. See your FortiGate documentation for more information.

10. Click the OK button.


FortiGate RSA SecurID Access Login Screenshots


RSA Authentication Manager Login

Passcode Login Screen

New PIN Prompt


Confirm New PIN Prompt

System-Generated PIN Prompt


Confirm System-Generated PIN Prompt

Next Tokencode Prompt


RSA Cloud Authentication Service RADIUS Login Screens

Password Login Screen

Passcode Login Screen


New PIN Prompt

System-Generated PIN


Next Tokencode Prompt

Approve Prompt


Cloud Tokencode Prompt

SMS Tokencode Prompt


Voice Tokencode Prompt


Certification Checklist for RSA SecurID Access


Certification Environment Details:
RSA Authentication Manager 8.2, Virtual Appliance
FortiGate 5.6

RSA Cloud Authentication Service                  Date Tested: October 15, 2018

Authentication Method                  REST Client   RADIUS Client
RSA SecurID                                 -              ✔
LDAP Password                               -              ✔
Authenticate Approve                        -              ✔
Authenticate Tokencode                      -              ✔
Device Biometrics                           -              ✔
SMS Tokencode                               -              ✔
Voice Tokencode                             -              ✔
FIDO Token                                  -

RSA Authentication Manager                        Date Tested: October 18, 2018

Authentication Method                     REST Client   UDP Agent   TCP Agent   RADIUS Client
RSA SecurID                                    -            -           -             ✔
RSA SecurID Software Token Automation          -            -           -             -
On Demand Authentication                       -            -           -             ✔
Risk-Based Authentication                      -                                      -

✔ = Passed, X = Failed, - = N/A
