HID AAA Server User Manual

ActivIdentity® 4TRESS AAA Web Tokens and SSL VPN Fortinet® Secure Access
Document Version 1.1 | Released | July 16, 2012
ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access | Integration Handbook
P 2
External Use | July 16, 2012 | © 2012 ActivIdentity

Table of Contents

1.0 Introduction ....................................................................................................................................................... 3
1.1 Scope of Document .................................................................................................................................... 3
1.2 Prerequisites .............................................................................................................................................. 3
2.0 Secure Access Configuration ........................................................................................................................... 4
2.1 Procedure 1: Configure the RADIUS Authentication Server ...................................................................... 4
2.2 Procedure 2: Create New User Group ....................................................................................................... 5
3.0 ActivIdentity 4TRESS AAA Configuration ......................................................................................................... 7
3.1 Procedure 1: Configure Basic SSL VPN Settings ...................................................................................... 7
3.2 Procedure 2: Configure the Portal .............................................................................................................. 9
3.3 Procedure 3: Configure the FortiGate Replacement Message ................................................................ 10
3.4 Procedure 4: Configure the Security Policy ............................................................................................. 13
3.5 Procedure 5: Create Tunnel Mode Security Policy .................................................................................. 14
3.6 Procedure 6: Configure Routing for Tunnel Mode ................................................................................... 16
4.0 Configure 4TRESS AAA ................................................................................................................................. 17
4.1 Procedure 1: Configure FortiGate Gate ................................................................................................... 17
4.2 Procedure 2: Assign Group(s) to the FortiGate Gate ............................................................................... 19
5.0 Configure for Soft Token Activation ................................................................................................................ 21
5.1 Procedure 1: Enable Soft Token Activation ............................................................................................. 21
5.2 Procedure 2: Configure Soft Token Activation Portal .............................................................................. 22
6.0 Sample Authentication Using Web Soft Token Authentication ....................................................................... 25
6.1 Prerequisite: User Enrolls Web Token and Computer ............................................................................. 25
6.2 Authenticating with Web Soft Token Launched in the Sign-In Page ....................................................... 27

1.0 Introduction

FortiGate® appliances provide enterprise-class protection against network, content, and application-level threats for any deployment, from small offices to large enterprises, service providers, and carriers. Providing secure access via a VPN over existing Internet connections requires strong, two-factor authentication to protect resources. The ActivIdentity solutions that work with FortiGate appliances incorporate SSL VPN solutions with versatile, strong authentication that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions:
ActivIdentity® 4TRESS AAA Server for Remote Access—Addresses the security risks associated with a mobile workforce remotely accessing systems and data.
ActivIdentity 4TRESS Authentication Server (AS)—Offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, Radius, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.

1.1 Scope of Document

This document explains how to set up ActivIdentity 4TRESS AAA Web token authentication with FortiGate solutions. Use this handbook to enable authentication via a Web soft token for use with an SSL-protected FortiGate VPN.

1.2 Prerequisites

The ActivIdentity 4TRESS AAA Server is up-to-date (v6.7) with LDAP users and groups already configured.
FortiGate version greater than 4.0, build 0513, 120130 (MR3 Patch 5) installed and configured.
The Web soft token is configured to work with a PIN.
Users have static LDAP passwords for access to the Self Help Desk to enroll web tokens.
The FortiGate login page has been customized (illustrated in this handbook).
The 4TRESS AAA Self Help Desk portal must be published on the Internet. It is not possible to host the ActivIdentity applet in the Fortinet appliance. The Self Help Desk is used to host and publish the applet.
Getting Started

2.0 Secure Access Configuration

This chapter describes how to manage FortiGate Secure Access.

2.1 Procedure 1: Configure the RADIUS Authentication Server

1. Logged into the FortiGate Web console, navigate to User > Remote > RADIUS.
2. Click Create New.
The following dialog is displayed.
3. Enter the following attributes.
Name—Enter the name that is used to identify the AAA server on the FortiGate unit.
Primary Server Name/IP—Enter the domain name or IP address of the primary AAA server.
Primary Server Secret—Enter the RADIUS server secret key for the primary AAA server. The primary server secret key should be a maximum of 16 characters in length.
Secondary Server Name/IP—Enter the domain name or IP address of the secondary AAA server, if you have one.
Secondary Server Secret—Enter the RADIUS server secret key for the secondary AAA server. The secondary server secret key MUST be a maximum of 16 characters in length.
Authentication Scheme—Select the Use Default Authentication Scheme option to authenticate with the default method. The default authentication scheme uses PAP, MSCHAP-V2, and CHAP, in that order. Select the Specify Authentication Protocol option to override the default authentication method, and then choose the protocol from the list: MSCHAP-V2, MS-CHAP, CHAP, or PAP, depending on what your RADIUS server requires.
NAS IP/Called Station ID—Enter the NAS IP address and Called Station ID. If you do not enter an IP address, then the IP address that the FortiGate interface uses to communicate with the AAA server will be applied.
Include in every User Group—Select this option to have the AAA server automatically included in all user groups.
4. Click OK at the bottom of the page.

2.2 Procedure 2: Create New User Group

A user group is a list of user identities. In this case, the identity is a RADIUS server.
1. Logged into the FortiGate Web console, navigate to User > User Group > User Group.
2. Click Create New.
The following dialog is displayed.
Note: In any firewall user group, you can enable SSL VPN access and select the Web portal that the users can access. When the user connects to the FortiGate unit via HTTPS on the SSL VPN port (default 10443), the FortiGate unit requests a username and password.
3. To add a new remote authentication server, click Add. The Remote Server drop-down list appears, along with information about the Group Name.
4. Use the Group Name field to configure group name(s) to be added as identities who can be authenticated.
GROUP NAME OPTIONS:
In the Group Name field, select Any to match all possible groups.
In the Group Name field, select Specify, and then enter the group name in the appropriate format for the type of server (RADIUS).
You must specify at least one group name. The group name is the name of the group on the RADIUS server.
If you want to specify more than one group name, then use a comma to separate the names.
Important: When you specify a group name or names, you must use a specific RADIUS dictionary on the AAA Server and also create an authorization profile. For more information on this topic, refer to the guide named 4TRESS_AAA_AdminGuide.pdf, specifically the section called Create a New RADIUS Authorization Profile.
Also refer to the following vendor-specific requirements.
The FortiGate unit RADIUS VSA dictionary is supplied by Fortinet and is available through the Fortinet Knowledge Base (http://kb.forticare.com) or through Technical Support.
# Fortinet Vendor-Specific attributes vid=12356
ATTRIBUTE Fortinet-Group-Name 26 [vid=12356 vty=1 vat=string]
ATTRIBUTE Fortinet-Client-IP-Address 26 [vid=12356 vty=2 vat=ipaddr]
ATTRIBUTE Fortinet-Vdom-Name 26 [vid=12356 vty=3 vat=string]
ATTRIBUTE Fortinet-Client-IPv6-Address 26 [vid=12356 vty=4 vat=octets]
ATTRIBUTE Fortinet-Interface-Name 26 [vid=12356 vty=5 vat=string]
ATTRIBUTE Fortinet-Access-Profile 26 [vid=12356 vty=6 vat=string]
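As an added example (not code from this handbook, 4TRESS, or FortiGate), the following Python builds and parses the Fortinet-Group-Name VSA defined in the dictionary above (vendor id 12356, vendor type 1, RADIUS attribute 26) and applies the Group Name rule from Procedure 2 to what the AAA server returns. The attribute bytes and group names are constructed for illustration.

```python
import struct

# Values from the Fortinet VSA dictionary above; the rest is constructed here.
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name, vty=1, string
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type

def encode_fortinet_group_vsa(group_names):
    """Attribute layout: type(26) len | vendor-id(4 bytes) | vendor-type len value."""
    value = ",".join(group_names).encode()
    vendor_data = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_fortinet_vsas(attrs):
    """Walk a RADIUS attribute list and return {vendor_type: raw value} for the
    Fortinet VSAs, skipping other attributes and rejecting bad length fields."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 1 >= len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 6:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j = i + 6
            while vendor_id == FORTINET_VENDOR_ID and j < i + alen:
                vtype, vlen = attrs[j], attrs[j + 1] if j + 1 < i + alen else 0
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("malformed vendor-specific sub-attribute")
                found[vtype] = attrs[j + 2:j + vlen]
                j += vlen
        i += alen
    return found

def fortigate_group_matches(vsas, configured_group_name):
    """Group Name rule from Procedure 2: 'Any' accepts any authenticated user;
    'Specify' needs one of the comma-separated names in Fortinet-Group-Name."""
    if configured_group_name.strip().lower() == "any":
        return True
    raw = vsas.get(FORTINET_GROUP_NAME)
    if raw is None:
        return False
    returned = {g.strip() for g in raw.decode().split(",") if g.strip()}
    wanted = {g.strip() for g in configured_group_name.split(",") if g.strip()}
    return bool(returned & wanted)

# Constructed Access-Accept attributes: a Reply-Message (type 18) then the Fortinet VSA.
SAMPLE_ACCEPT_ATTRS = bytes([18, 4]) + b"ok" + encode_fortinet_group_vsa(["vpn-users", "staff"])
```

A user whose Access-Accept carries no Fortinet-Group-Name is rejected by a group configured with Specify, which is why the authorization profile on the AAA server must return the attribute.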

3.0 ActivIdentity 4TRESS AAA Configuration

This chapter describes how to configure the ActivIdentity 4TRESS AAA Authentication Server.

3.1 Procedure 1: Configure Basic SSL VPN Settings

1. To configure the basic SSL VPN settings for encryption and login options, navigate to VPN > SSL > Config in the FortiGate Web console.
2. Select the option Enable SSL-VPN.
3. Next to IP Pools (SSLVPN_TUNNEL_ADDR1), click Edit.
This allows you to select the range or subnet firewall addresses that represent the IP address ranges reserved for tunnel-mode SSL VPN clients. The IP pool that you select will be the one created.
4. From the Server Certificate drop-down list, select the signed server certificate to use for authentication. If you accept the default setting (Self-Signed), then the FortiGate unit offers its Fortinet factory installed certificate to remote clients when they connect.
5. Deselect the Require Client Certificate option.
6. For Encryption Key Algorithm, select the algorithm for creating a secure SSL connection between the remote client Web browser and the FortiGate unit.
7. For Idle Timeout, enter the period of time (in seconds) that the connection can remain idle before the user must log in again. The range is from 10 to 28800 seconds. Setting the value to 0 will disable the idle connection timeout. This setting applies to the SSL VPN session.
8. For Advanced (DNS and WINS Servers), enter up to two DNS servers and/or two WINS servers to be provided for the use of clients.
9. Click OK at the bottom of the page.

3.2 Procedure 2: Configure the Portal

Portal configuration determines what remote users see when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.
There are three pre-defined default Web portal configurations available:
Full access
Tunnel access
Web access
1. To view the portal settings page, navigate to VPN > SSL > Portal in the FortiGate Web console. (This document uses the full-access portal default.)
2. Configure the following settings.
Session Information—The Session Information widget displays the login name of the user, the amount of time the user has been logged in, and the inbound and outbound traffic statistics.