Fortinet Fortigate 60 Implementation Guide

Copyright

Copyright © 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in
any form or by any means without the written permission of CRYPTOCard Corp.

Fortinet Fortigate Overview

This documentation presents an overview and necessary steps to configure a Fortinet Fortigate 60 for
use with CRYPTO-MAS and CRYPTOCard tokens. The Fortigate can be used to create an encrypted
tunnel between hosts. CRYPTO-MAS works in conjunction with the Fortigate to replace static
passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily
guessed passwords when establishing a connection to gain access to protected resources.

With CRYPTO-MAS acting as the authentication server for a VPN enabled resource, an authenticated
connection sequence would be as follows:

1. The administrator configures the Fortinet Fortigate 60 to use RADIUS Authentication.

2. The incoming RADIUS authentication request is relayed over to the CRYPTO-MAS Server as
shown in Figure 1 below.

Figure 1 – RADIUS authentication request is relayed to the CRYPTO-MAS Server

3. The CRYPTO-MAS Server examines the incoming packet. If the user exists, it then checks the
token associated with the user for the expected PIN + One-time password.

4. Once the PIN + One-time password is verified against the user’s token and it is valid, it will
then send an access accepted. This is illustrated in Figure 2 below.

If the user does not exist, or the PIN + One-time password is incorrect, it will send the user an
access reject message.

Figure 2 – The CRYPTO-MAS Server responds with an access accepted or rejected.
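Steps 2 to 4 above, as an added example that is not part of this guide or of either product: a Python model of the RADIUS exchange, with the PAP User-Password hiding that the Fortigate applies under the shared secret (RFC 2865 section 5.2) and a constructed stand-in for the CRYPTO-MAS accept/reject decision. The usernames, shared secret and PIN + OTP values are assumed.

```python
import hashlib, hmac, secrets, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with an MD5 chain keyed by the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, pin_otp, secret, ident=1):
    """What the Fortigate sends (step 2): code, id, length, random authenticator, attributes."""
    authenticator = secrets.token_bytes(16)
    hidden = hide_password(pin_otp, secret, authenticator)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    """Walk the type/length/value attributes that follow the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet) and packet[i + 1] >= 2:
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def server_decide(packet, secret, expected):
    """Constructed stand-in for CRYPTO-MAS (steps 3-4): expected maps user -> current PIN + OTP.
    Unknown user or wrong PIN + OTP gives Access-Reject; the real server also marks the OTP as used."""
    attrs = parse_attributes(packet)
    user = attrs.get(ATTR_USER_NAME, b"")
    pin_otp = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, packet[4:20])
    if user not in expected or not hmac.compare_digest(pin_otp, expected[user]):
        return ACCESS_REJECT
    return ACCESS_ACCEPT
```

Because PAP hiding is only as strong as the shared secret, a mismatched secret on either side makes every request decode to garbage and fail, which is the first thing to check when the diag test later in this guide reports a failure.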

Prerequisites

The following must be verified operational before configuring the Fortigate to use
CRYPTOCard authentication:

1. Verify that end users can authenticate through the Fortigate with a static password before
configuring the Fortigate to use CRYPTOCard authentication.
2. An initialized CRYPTOCard token is assigned to a CRYPTOCard user.

The following CRYPTO-MAS server information is also required:

Primary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address:
Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL):
CRYPTO-MAS RADIUS Accounting port number (OPTIONAL):
CRYPTO-MAS RADIUS Shared Secret:

Configuring Fortinet Fortigate

In order for the Fortigate to authenticate CRYPTOCard token users, RADIUS authentication must be
enabled.

Add RADIUS Server

To add a new RADIUS Server, choose:
• User
• RADIUS
• Create New

Enter the IP Address and Shared Secret of the CRYPTO-MAS Server so that the Fortinet Fortigate
points to it for authentication.

Creating a Local User

The next step is to create a user in the Fortigate.

To create a user click:
• User
• Local
• Create New

Enter the user’s username, select RADIUS, then select the RADIUS server the user will authenticate
against. Click OK when everything has been selected.

Note: the username must match the username that is provisioned on the CRYPTO-MAS Server.

Creating a User Group

Now a group must be created. From the Local tab, click on:
• User Group tab
• Create New

At least the following configuration options should be selected:
• Enter the name of the group
• Change type from Firewall to SSL VPN
• Expand the SSL-VPN User Group Options.
• Put a check mark in the following boxes:
• “Enable SSL-VPN Tunnel Service”
• Enable Web Application
o HTTP/HTTPS Proxy
o Telnet (applet)
o VNC
o FTP
o Samba
o RDP
• Click OK

Configuring SSL-VPN Settings

To configure your SSL-VPN Connection, click on VPN, then SSL.

• Select Enable SSL-VPN.
• Choose a port for the SSL-VPN Connection.
• Enter the Tunnel IP Range.
• Select the Server Certificate (Self-Signed by default).
• Select “Default” for Encryption Key Algorithm.
• Idle Timeout is 300 seconds.

Creating a Firewall Policy

To create a new firewall policy, click on Firewall, Policy, Create New.

The following should be set:

Source Interface/Zone: wan1
Source Address Name: All
Destination Interface/Zone: internal
Destination Address Name: all
Schedule: always
Service: ANY
Action: SSL-VPN

Select the Group on the Available Groups side and move it over to the Allowed side for SSL-VPN
access.
Check off Protection Profile; it should default to unfiltered.
Click OK when finished.

Testing RADIUS Authentication through HyperTerminal

Create a new HyperTerminal session on the machine connected to the Fortinet Fortigate.

Once you have logged on, enter the command using the following syntax:
# diag test auth rad <radius server name> <auth protocol> <username> <One-Time Password>

If it succeeds, the output message will be something along the line of:
“authenticate ‘henry’ against ‘pap’ succeeded, server=primary session_timeout=0 secs!”

VPN Client login page

To test the VPN access from a browser, navigate to https://<Fortigate_Wan_IP_Address>:<port>

A login prompt comes up. Enter the username and PIN + One-time password.

Once the user has successfully logged in, they will be presented with a Welcome to SSL-VPN Service
page.

The CRYPTO-MAS Server can also be set up to use New PIN Mode – Stored on Server, server
changeable.

If the user’s PIN style has been set to Store on Server, server changeable, and set to push out a new
PIN after the next log on, the new PIN is displayed on the webpage, as illustrated below.

Solution Overview

Summary

Product Name: Fortinet Fortigate
Vendor Site: http://www.fortinet.com/
Supported VPN Client Software: Internet Explorer 6 or higher; Mozilla Firefox 1.5 or higher
Authentication Method: RADIUS Authentication

Supported RADIUS Functionality for Fortinet Fortigate

RADIUS Authentication Encryption: PAP
Authentication Method: One-time password; Challenge-response; Static password
New PIN Mode: User changeable Alphanumeric 4-8 digit PIN; User changeable Numeric 4-8 digit PIN;
Server changeable Alphanumeric 4-8 digit PIN; Server changeable Numeric 4-8 digit PIN

Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS
are either registered trademarks or trademarks of CRYPTOCard Corp.

Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft
Corporation. All other trademarks, trade names, service marks, service names, product names, and
images mentioned and/or used herein belong to their respective owners.

Publication History

Date Changes
October 27, 2006 Initial Draft
November 9, 2006 Global Draft
November 30, 2006 Minor Revision
