MAS Fortinet Fortigate Implementation Guide PDF
Copyright
Copyright © 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in
any form or by any means without the written permission of CRYPTOCard Corp.
Fortinet Fortigate Overview
This documentation presents an overview and necessary steps to configure a Fortinet Fortigate 60 for
use with CRYPTO-MAS and CRYPTOCard tokens. The Fortigate can be used to create an encrypted
tunnel between hosts. CRYPTO-MAS works in conjunction with the Fortigate to replace static
passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily
guessed passwords when establishing a connection to gain access to protected resources.
With CRYPTO-MAS acting as the authentication server for a VPN-enabled resource, an authenticated
connection sequence is as follows:
2. The incoming RADIUS authentication request is relayed to the CRYPTO-MAS Server, as shown in Figure 1 below.
3. The CRYPTO-MAS Server examines the incoming packet. If the user exists, it checks the token associated with the user for the expected PIN + One-time password.
4. Once the PIN + One-time password has been verified against the user's token and found valid, the CRYPTO-MAS Server sends an Access-Accept. This is illustrated in Figure 2 below.
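The exchange in steps 2 to 4 above, as an added example that is not part of the original guide and is not CRYPTOCard or Fortinet code: a toy RADIUS PAP exchange in Python. The gateway hides the PIN + One-time password under the shared secret as RFC 2865 prescribes and sends an Access-Request; a stand-in authentication server looks the user up, checks the PIN, consumes the OTP so that a replayed PIN + OTP is rejected, and answers Access-Accept or Access-Reject; the gateway then verifies the Response Authenticator so that only a reply from a server holding the same shared secret, answering this exact request, is trusted. The username "henry" comes from the test output shown later in the guide; the PIN, OTP values, shared secret and the in-memory token store are constructed placeholders, not CRYPTO-MAS's implementation.

```python
"""Toy RADIUS PAP exchange (RFC 2865) between a VPN gateway and a token
authentication server. Constructed example: not CRYPTO-MAS or FortiOS code.
The PIN, OTP values and shared secret below are made up for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2               # RADIUS attribute types
SHARED_SECRET = b"constructed-demo-secret"              # must match on both sides


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the NUL padding again."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + length]
        pos += max(length, 2)  # a zero length must not loop forever
    return attrs


def gateway_access_request(username, pin_otp, secret, ident=1):
    """Step 2: the gateway relays the credentials in an Access-Request."""
    req_auth = os.urandom(16)  # fresh Request Authenticator for every request
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(pin_otp.encode(), secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def gateway_check_response(response, req_auth, secret):
    """Step 4: trust the reply only if its Response Authenticator matches, i.e. it was
    built by a server holding the same shared secret and answering this exact request."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: reply is not from the configured server")
    return code


class TokenServer:
    """Stand-in for the authentication server (step 3). tokens: user -> (PIN, valid OTPs)."""

    def __init__(self, secret, tokens):
        self.secret, self.tokens, self.used = secret, tokens, set()

    def handle(self, request):
        code, ident, length = struct.unpack("!BBH", request[:4])
        req_auth = request[4:20]
        attrs = parse_attrs(request[:length])
        user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
        verdict = ACCESS_REJECT
        if code == ACCESS_REQUEST and user in self.tokens:
            pin, otps = self.tokens[user]
            presented = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), self.secret, req_auth)
            pin_ok = hmac.compare_digest(presented[:len(pin)], pin.encode())
            otp = presented[len(pin):].decode(errors="replace")
            # each OTP is accepted once; a replayed PIN + OTP is rejected
            if pin_ok and otp in otps and (user, otp) not in self.used:
                self.used.add((user, otp))
                verdict = ACCESS_ACCEPT
        header = struct.pack("!BBH", verdict, ident, 20)  # reply carries no attributes
        return header + hashlib.md5(header + req_auth + self.secret).digest()


def make_demo_server(secret=SHARED_SECRET):
    # constructed token store: one user, one PIN, two not-yet-used OTPs
    return TokenServer(secret, {"henry": ("1234", {"58213604", "90417725"})})


def run_sequence(server, username, pin_otp, gateway_secret=SHARED_SECRET):
    """Steps 2 to 4 end to end; returns the RADIUS code the gateway accepted."""
    request, req_auth = gateway_access_request(username, pin_otp, gateway_secret)
    return gateway_check_response(server.handle(request), req_auth, gateway_secret)


if __name__ == "__main__":
    srv = make_demo_server()
    print("valid PIN+OTP  :", run_sequence(srv, "henry", "1234" + "58213604"))  # 2 = Accept
    print("replayed OTP   :", run_sequence(srv, "henry", "1234" + "58213604"))  # 3 = Reject
    print("wrong PIN      :", run_sequence(srv, "henry", "9999" + "90417725"))  # 3 = Reject
    try:
        run_sequence(srv, "henry", "1234" + "90417725", gateway_secret=b"mismatched")
    except ValueError as err:
        print("secret mismatch:", err)
```

The last case is the one that bites in practice: with a shared secret that differs between gateway and server, the server recovers garbage instead of the PIN + OTP and rejects, and the gateway additionally refuses the reply because the Response Authenticator does not verify, so a secret mismatch looks like a hard failure rather than a wrong password. The `diag test auth rad` command later in this guide is the place to confirm the secret before users are affected.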
In order for the Fortigate to authenticate CRYPTOCard token users, RADIUS authentication must be
enabled.
Enter the IP address of the CRYPTO-MAS Server and the shared secret, so that the Fortinet Fortigate
sends its RADIUS authentication requests to the CRYPTO-MAS Server. The shared secret entered here
must be identical to the one configured for this Fortigate on the CRYPTO-MAS Server.
Enter the user's username, select RADIUS, and then select the RADIUS server it will authenticate
against. Click OK when everything has been selected.
Note: the username must match the username that is provided to the CRYPTO-MAS Server.
Now a group must be created. From the Local tab, click on:
• User Group tab
• Create New
Source
    Interface/Zone      wan1
    Address Name        All
Destination
    Interface/Zone      internal
    Address Name        all
Schedule                always
Service                 ANY
Action                  SSL-VPN
Open a new HyperTerminal session on the machine that is connected to the Fortinet Fortigate.
Once you have logged on, enter the command using the following syntax:
# diag test auth rad <radius server name> <auth protocol> <username> <One-Time Password>
If it succeeds, the output message will be similar to:
“authenticate ‘henry’ against ‘pap’ succeeded, server=primary session_timeout=0 secs!”
Summary
Trademarks
Publication History
Date                  Changes
October 27, 2006      Initial Draft
November 9, 2006      Global Draft
November 30, 2006     Minor Revision