Settings when Type is RADIUS Single Sign On Agent
Use RADIUS Shared Secret
Enable
Shared Secret Enter the RADIUS server shared secret.
Send RADIUS Responses
Enable.
RSA ACE (SecurID) servers
SecurID is a two-factor system that uses one-time password (OTP) authentication. It is produced by the company RSA. This system includes portable tokens carried by users, an RSA ACE/Server, and an Agent Host. In our configuration, the FortiGate unit is the Agent Host.
Components
When using SecurID, users carry a small device or “token” that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.
The RSA ACE/Server is the management component of the SecurID system. It stores and validates the information about the SecurID tokens allowed on your network. Alternately the server could be an RSA SecurID 130 Appliance.
The Agent Host is the server on your network, in this case it is the FortiGate unit, that intercepts user logon attempts. The Agent Host gathers the user ID and password entered from their SecurID token, and sends that information to the RSA ACE/Server to be validated. If valid, a reply comes back indicating it is a valid logon and the FortiGate unit allows the user access to the network resources specified in the associated security policy.
Configuring the SecurID system
To use SecurID with a FortiGate unit, you need:
- to configure the RSA server and the RADIUS server to work with each other (see RSA server documentation)
- to configure the RSA SecurID 130 Appliance
or
- to configure the FortiGate unit as an Agent Host on the RSA ACE/Server
- to configure the FortiGate unit to use the RADIUS server
- to create a SecurID user group
- to configure a security policy with SecurID authentication
The following instructions are based on RSA ACE/Server version 5.1, or RSA SecurID 130 Appliance, and assume that you have successfully completed all the external RSA and RADIUS server configuration steps listed above.
For this example, the RSA server is on the internal network, with an IP address of 192.128.100.100. The FortiGate unit internal interface address is 192.168.100.3, RADIUS shared secret is fortinet123, RADIUS server is at IP address 192.168.100.102.
To configure the RSA SecurID 130 Appliance
1. Go to the IMS Console for SecurID and logon.
2. Go to RADIUS > RADIUS Clients, and select Add New.
3. Enter the following information to configure your FortiGate as a SecurID Client, and select Save.
RADIUS Client Basics
Client Name FortiGate
Associated RSA Agent FortiGate
| RADIUS Client Settings |
| IP Address 192.168.100.3
The IP address of the FortiGate unit internal interface. |
| Make / Model Select Standard Radius |
| Shared Secret fortinet123
The RADIUS shared secret. |
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!