[How To] Centrify MFA with Fortinet FortiGate IPsec Client to Site VPN

By Centrify 4 weeks ago - last edited 4 weeks ago

Log into the Centrify cloud tenant with an administrator account. Navigate to Settings > Authentication > RADIUS Connections. Under the Clients tab, click Add.

In the RADIUS Client Settings window, enter a name and the internal IP address of the FortiGate, and create a client secret. Save the settings.

Navigate to Settings > Network > Centrify Connectors and double-click each connector that should accept RADIUS connections from the FortiGate for VPN authentication. In the RADIUS section, check the box to enable incoming RADIUS connections. Save the settings.

Navigate to Settings > Authentication > Authentication Profiles. Click Add Profile to create a new profile for VPN MFA.

For challenge 1, select Password. For challenge 2, select the mechanism you want to use for the second authentication challenge.

Navigate to Core Services > Policies to modify the current policy or add a new one. Under User Security Policies > RADIUS, set “Allow RADIUS connections” to Yes, check the box for “Require authentication challenge”, and select the VPN authentication profile you created earlier.

Now we will go over the configuration on the FortiGate firewall. Log into the FortiGate with an admin account. Navigate to User & Device > RADIUS Servers and click Create New to add a new entry.

Enter a name, the IP address of the server running the Centrify Cloud Connector, and the server secret. The server secret must be the same value as the client secret created in the Centrify RADIUS client settings above; a mismatch causes the RADIUS exchange to fail.

To verify successful communication, click the Test connectivity button and enter a valid username and password to run the test.

You should see a successful result if the settings are correct and RADIUS traffic isn’t blocked. If not, check basic network connectivity between the server running the Centrify Cloud Connector and the FortiGate, and verify that firewalls are not blocking UDP port 1812, which is used for RADIUS authentication.

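The RADIUS exchange behind the connectivity test, as an added example that is not Centrify or Fortinet code: it builds the Access-Request the FortiGate sends (with the User-Password hidden under the shared secret as RFC 2865 specifies), the Access-Challenge or Access-Accept reply the Connector returns, and the Response Authenticator check that lets the FortiGate detect a reply computed with a different secret. The secret, user name and NAS-Identifier values are made up.

```python
# Added example (not Centrify or Fortinet code); secrets and names are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32

def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: each 16-byte chunk XOR MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def recover_password(hidden, secret, authenticator):
    """Server side: reverse hide_password (the chaining value is the previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, secret, user, password, nas_id, authenticator=None):
    """NAS side (FortiGate): Access-Request with a 16-byte random Request Authenticator."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode()) + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def build_reply(code, request, secret, attrs=b""):
    """Server side (Connector): Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request, secret):
    """NAS side: accept a reply only if its identifier and Response Authenticator match our request."""
    reply = reply[:struct.unpack("!H", reply[2:4])[0]]  # ignore anything past the Length field
    return reply[1] == request[1] and reply == build_reply(reply[0], request, secret, reply[20:])
```

To probe a live Connector the way the FortiGate test button does, send the bytes from build_access_request over UDP to port 1812 and pass the datagram that comes back to reply_is_authentic; an Access-Challenge (code 11) is the second-factor prompt being relayed to the client.
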
Next, we will create a RADIUS VPN user group. Navigate to User & Device > User Groups and click Create New. Give it a name and select the Centrify RADIUS server under “Remote groups”.

If you don’t already have a client-to-site IPsec VPN profile set up, navigate to VPN > IPsec Wizard, select Remote Access, and complete the wizard steps, selecting the RADIUS VPN user group when prompted.

When a VPN user authenticates with FortiClient, they are prompted for MFA.

First, the user enters the username and password.

The user is then prompted for the second form of authentication.

In the Centrify portal, as an admin user, you can go to Core Services > Reports > Built-in Reports > Security and run the “MFA Events – Last 30 days” report to verify and troubleshoot RADIUS authentication.