MFA to Secure FortiGate Admin CLI and GUI Login

By Centrify, 05-21-2018 11:26 AM

Log into the Centrify cloud tenant with an administrator account, navigate to Settings > Authentication > RADIUS Connections, and on the Clients tab click Add.

In the RADIUS Client Settings window, enter a name, the internal IP address of the FortiGate, and a strong client secret. This is the RADIUS shared secret; the same value must be entered on the FortiGate later, so generate a long random string rather than a memorable password.

Navigate to Settings > Network > Centrify Connectors, double-click each connector that should accept RADIUS authentication requests from the FortiGate, go to the RADIUS section, and check the box to enable incoming RADIUS connections.

Navigate to Settings > Authentication > Authentication Profiles and click Add Profile to create a new profile for RADIUS MFA.

For challenge 1, select Password. For challenge 2, select the second factor you want to use; this example uses SMS.

Navigate to Core Services > Policies and edit the default policy (or the policy that applies to your admin users). Under User Security Policies > RADIUS, set "Allow RADIUS connections" to Yes, check "Require authentication challenge", and select the RADIUS authentication profile created in the previous step.

Now configure the FortiGate. Log into the FortiGate with an admin account, navigate to User & Device > RADIUS Servers, and click Create New to add a new entry.

Enter a name, the IP address of the server running the Centrify Cloud Connector, and the server secret (the client secret you entered in Centrify). Then use the test button on the page to check connectivity.

The test should succeed if the settings are correct and nothing blocks the traffic. If it fails, check basic network connectivity between the Cloud Connector host and the FortiGate, and verify that no firewall blocks UDP port 1812, which RADIUS authentication uses. A wrong shared secret also shows up as a failed test: the connector silently discards requests whose authenticator does not verify.

Next, create an admin user group. Navigate to User & Device > User Groups and click Create New. Give it a name such as "AdminMFA" and add the Centrify RADIUS server under "Remote Groups".

Add a RADIUS user under User & Device > User Definition: click Create New, select Remote RADIUS User, enter the AD username that should become a FortiGate admin, and select the Centrify RADIUS server.

Navigate to System > Administrators and click Create New. Enter the username, set Type to "Match a user on a remote server", select an Administrator Profile, and for Remote User Group select the AdminMFA group created above.

Now test. Log in with the admin user you set up. Once the username and password are accepted, the FortiGate prompts for the second factor and an SMS with a one-time code is sent to the mobile number defined in the user's AD profile, so make sure that number is populated before testing.
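The FortiGate side of the procedure above, expressed as FortiOS CLI. This is an added example and not configuration from the original post; the server name, the address 192.0.2.10, the user "jdoe", the placeholder secret, the trusted-host range and the timeout values are assumptions to be replaced with your own. The PAP auth type and the longer timeouts are included because the SMS step is delivered as a RADIUS Access-Challenge, and the login fails if the FortiGate gives up before the user has typed the code.

```fortios
# Added example: FortiOS CLI equivalent of the GUI steps in this post.
# Placeholders: 192.0.2.10 = Cloud Connector host, "jdoe" = AD user.

config user radius
    edit "Centrify-RADIUS"
        set server "192.0.2.10"
        # Must match the client secret created in the Centrify tenant.
        set secret "REPLACE_WITH_CLIENT_SECRET"
        # PAP so the Access-Challenge round-trip for the SMS code works
        # (assumption; change if your connector negotiates another scheme).
        set auth-type pap
        # Seconds between retransmissions of the request.
        set timeout 30
    next
end

config system global
    # Seconds the FortiGate waits for the remote auth server overall;
    # raised so the user has time to receive and enter the SMS code.
    set remoteauthtimeout 60
end

config user local
    edit "jdoe"
        set type radius
        set radius-server "Centrify-RADIUS"
    next
end

config user group
    edit "AdminMFA"
        # Adding the RADIUS server as a member makes it a remote group.
        set member "Centrify-RADIUS"
    next
end

config system admin
    edit "jdoe"
        set remote-auth enable
        set remote-group "AdminMFA"
        set accprofile "super_admin"
        # Hardening not in the post: only accept logins from the
        # management subnet for this account.
        set trusthost1 192.0.2.0 255.255.255.0
    next
end

# Verify from the CLI while still logged in as a local admin.
diagnose test authserver radius "Centrify-RADIUS" pap jdoe "AD-password"
```

Keep at least one local administrator with a strong password as a break-glass account: admins matched through the remote group cannot log in while the Cloud Connector is unreachable. Also remember that RADIUS only obfuscates the password with an MD5 keystream derived from the shared secret, so keep the FortiGate-to-connector path on a trusted management network and treat the secret as a key, not a password.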

CLI login example (screenshot).

Web GUI login example (screenshot).