Two-factor authentication – FortiAnalyzer – FortiOS 6.2.3

Two-factor authentication

To configure two-factor authentication for administrators you will need the following:

  - FortiAnalyzer
  - FortiAuthenticator
  - FortiToken

Configuring FortiAuthenticator

On the FortiAuthenticator, you must create a local user and a RADIUS client.

Before proceeding, ensure you have configured your FortiAuthenticator, created a NAS entry for your FortiAnalyzer, and created or imported FortiTokens.

For more information, see the Two-Factor Authenticator Interoperability Guide and the FortiAuthenticator Administration Guide in the Fortinet Document Library.

Create a local user:

  1. Go to Authentication > User Management > Local Users.
  2. Click Create New in the toolbar.
  3. Configure the following settings:
     - Username: Enter a user name for the local user.
     - Password creation: Select Specify a password from the dropdown list.
     - Password: Enter a password. The password must be a minimum of 8 characters.
     - Password confirmation: Re-enter the password. The passwords must match.
     - Allow RADIUS authentication: Enable to allow RADIUS authentication.
     - Role: Select the role for the new user.
     - Enable account expiration: Optionally, select to enable account expiration. For more information, see the FortiAuthenticator Administration Guide.
  4. Click OK to continue to the Change local user page.
  5. Configure the following settings, then click OK.
     - Disabled: Select to disable the local user.
     - Password-based authentication: Leave this option selected. Select [Change Password] to change the password for this local user.
     - Token-based authentication: Select to enable token-based authentication.
     - Deliver token code by: Select to deliver the token code by FortiToken, email, or SMS. Click Test Token to test the token.
     - Allow RADIUS authentication: Select to allow RADIUS authentication.
     - Enable account expiration: Optionally, select to enable account expiration. For more information, see the FortiAuthenticator Administration Guide.
     - User Role:
       - Role: Select either Administrator or User.
       - Full Permission: Select to allow Full Permission; otherwise, select the admin profiles to apply to the user. This option is only available when Role is Administrator.
       - Web service: Select to allow Web service, which allows the administrator to access the web service via a REST API or by using a client application. This option is only available when Role is Administrator.
       - Restrict admin login from trusted management subnets only: Select to restrict admin login to the trusted management subnets, then enter the trusted subnets in the table. This option is only available when Role is Administrator.
       - Allow LDAP Browsing: Select to allow LDAP browsing. This option is only available when Role is User.

Create a RADIUS client:

  1. Go to Authentication > RADIUS Service > Clients.
  2. Click Create New in the toolbar.
  3. Configure the following settings, then click OK.
     - Name: Enter a name for the RADIUS client entry.
     - Client name/IP: Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiAnalyzer.
     - Secret: Enter the server secret. This value must match the FortiAnalyzer RADIUS server setting at System Settings > Admin > Remote Authentication Server.
     - First profile name: See the FortiAuthenticator Administration Guide.
     - Description: Enter an optional description for the RADIUS client entry.
     - Apply this profile based on RADIUS attributes: Select to apply the profile based on RADIUS attributes.
     - Authentication method: Select Enforce two-factor authentication from the list of options.
     - Username input format: Select specific user name input formats.
     - Realms: Configure realms.
     - Allow MAC-based authentication: Optional configuration.
     - Check machine authentication: Select to check machine-based authentication and apply groups based on the success or failure of the authentication.
     - Enable captive portal: Enable various portals.
     - EAP types: Optional configuration.

Configuring FortiAnalyzer

On the FortiAnalyzer, you need to configure the RADIUS server and create an administrator that uses the RADIUS server for authentication.

Configure the RADIUS server:

  1. Go to System Settings > Admin > Remote Authentication Server.
  2. Click Create New > RADIUS in the toolbar.
  3. Configure the following settings, then click OK.
     - Name: Enter a name to identify the FortiAuthenticator.
     - Server Name/IP: Enter the IP address or fully qualified domain name of your FortiAuthenticator.
     - Server Secret: Enter the FortiAuthenticator secret.
     - Secondary Server Name/IP: Enter the IP address or fully qualified domain name of the secondary FortiAuthenticator, if applicable.
     - Secondary Server Secret: Enter the secondary FortiAuthenticator secret, if applicable.
     - Port: Enter the port for FortiAuthenticator traffic.
     - Authentication Type: Select the authentication type the FortiAuthenticator requires. If you select the default ANY, FortiAnalyzer tries all authentication types.

Note: RADIUS server authentication for local administrator users stored in FortiAuthenticator requires the PAP authentication type.
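Two of the settings above deserve a closer look: the shared Secret, which must be identical on the FortiAuthenticator RADIUS client entry and the FortiAnalyzer RADIUS server entry, and the PAP requirement for FortiAuthenticator local users. The following Python script is an added illustration, not code from the guide or from Fortinet; it models a single RADIUS PAP round trip as defined in RFC 2865. The client side hides the User-Password attribute with the shared secret, the toy server (standing in for FortiAuthenticator; the user store, user name, password and secrets are constructed sample values, and FortiToken checks are not modelled) recovers the cleartext and compares it with its local credential, and the client verifies the Response Authenticator before trusting the Accept/Reject code. Running it shows why a mismatched secret on either side fails closed rather than producing a confusing partial success.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only a party holding the shared secret can recover the cleartext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[attr_type] = data[i + 2:i + attr_len]
        i += attr_len
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    request_auth = secrets.token_bytes(16)  # fresh random Request Authenticator per request
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


# Constructed sample user store standing in for the FortiAuthenticator side (not real data)
USER_DB = {"fazadmin": "S3cretPassw0rd"}


def server_handle(packet: bytes, server_secret: bytes) -> bytes:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    # PAP: the server recovers the cleartext, so it can compare it with a locally stored credential
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, request_auth)
    expected = USER_DB.get(username)
    ok = code == ACCESS_REQUEST and expected is not None and hmac.compare_digest(password, expected.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, server_secret)


def client_verify_response(response: bytes, request: bytes, client_secret: bytes) -> str:
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return "unverified"  # reply does not belong to our outstanding request
    expected = response_authenticator(code, ident, response[20:length], request[4:20], client_secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return "unverified"  # secret mismatch or tampered reply: never trust the code field
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown")


def authenticate(username: str, password: str, client_secret: bytes, server_secret: bytes) -> str:
    """One round trip; both secrets are parameters so a mismatch can be demonstrated."""
    request = build_access_request(7, username, password, client_secret)
    return client_verify_response(server_handle(request, server_secret), request, client_secret)


if __name__ == "__main__":
    print(authenticate("fazadmin", "S3cretPassw0rd", b"shared-secret", b"shared-secret"))  # accept
    print(authenticate("fazadmin", "wrong-password", b"shared-secret", b"shared-secret"))  # reject
    print(authenticate("fazadmin", "S3cretPassw0rd", b"shared-secret", b"typo-secret"))   # unverified
```

The third call is the case the guide's "this value must match" note is guarding against: the server decodes the password with the wrong secret and rejects, and the client additionally refuses to trust the reply because its Response Authenticator was computed with a different secret. In a real deployment the same symptom (login fails on FortiAnalyzer even though the FortiAuthenticator user and token are correct) is the first sign that the secrets, or the PAP authentication type, are not aligned on both sides.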

Create the administrator:

  1. Go to System Settings > Admin > Administrator.
  2. Click Create New from the toolbar.
  3. Configure the settings, selecting the previously added RADIUS server from the RADIUS Server dropdown list. See Creating administrators on page 224.
  4. Click OK to save the settings.

Test the configuration:

  1. Attempt to log in to the FortiAnalyzer GUI with your new credentials.
  2. Enter your user name and password and click Login.
  3. Enter your FortiToken pin code and click Submit to log in to the FortiAnalyzer.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
