Log into the Centrify cloud tenant with an administrator account and navigate to Settings > Authentication > RADIUS Connections. On the Clients tab, click Add.
In the RADIUS Client Settings window, enter a name and the internal IP address of the FortiGate, and create a strong client secret.
Navigate to Settings > Network > Centrify Connectors, double-click each connector that should accept RADIUS authentication requests from the FortiGate, go to the RADIUS section, and check the box to enable incoming RADIUS connections.
Navigate to Settings > Authentication > Authentication Profiles and click Add Profile to create a new profile for RADIUS MFA.
For challenge 1, select Password. For challenge 2, select the mechanism you want to use as the second authentication challenge. I’m using SMS in this example.
Navigate to Core Services > Policies to modify the default policy. Under User Security Policies > RADIUS, set “Allow RADIUS connections” to Yes, check the box for “Require authentication challenge”, and select the RADIUS authentication profile created earlier.
Now we will go over the configuration on the FortiGate. Log into the FortiGate with an admin account, navigate to User & Device > RADIUS Servers, and click Create New to add a new entry.
Enter a name, the IP address of the server running the Centrify Cloud Connector, and the server secret (the same shared secret you created in the Centrify RADIUS client settings).
If the settings are correct and communication is not blocked, the connectivity test should succeed. If it fails, check basic network connectivity between the Centrify server running the Cloud Connector and the FortiGate, and verify that firewalls are not blocking UDP port 1812, which RADIUS uses for authentication.
Next, create an AdminMFA user group. Navigate to User & Device > User Groups and click Create New. Give it a name such as “AdminMFA” and, under “Remote groups”, select the Centrify RADIUS server.
Add a RADIUS user under User & Device > User Definition. Click Create New, select Remote RADIUS User, enter the AD username you want to make a FortiGate administrator, and select the Centrify RADIUS server.
Navigate to System > Administrators and click Create New. Enter the username; under Type, select “Match a user on a remote server”; select an Administrator Profile; and for Remote User Group select the AdminMFA group created earlier.
Now we can test. Log in with the admin user you set up. Once you enter the username and password you will be prompted for MFA and an SMS with a token is sent to your mobile device, so make sure a phone number is defined in the user’s AD profile.
Web GUI example.
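To make the connectivity test and the login test above concrete, here is a model of the RADIUS exchange between the FortiGate (the RADIUS client) and the Centrify connector (the RADIUS server). It is an added example, not Centrify or Fortinet code: the username, password, IP address and shared secret are constructed, and the connector is a simulated stand-in that checks the first factor and answers Access-Challenge to ask for the second one, mirroring the password-then-SMS profile configured earlier. It shows why the two sides must hold the same secret: with a mismatch the password cannot be recovered (the test fails with a reject), and the Response Authenticator the client checks does not verify.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 2, 4, 18
RADIUS_AUTH_PORT = 1812  # UDP port that must be open between the FortiGate and the connector

SHARED_SECRET = b"constructed-long-random-client-secret"  # constructed; generate a long random one
USERS = {"jdoe": b"Pa55word!"}  # constructed first-factor store standing in for the AD lookup


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; the length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break  # malformed attribute: stop instead of reading past the buffer
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = b"") -> bytes:
    """What the FortiGate sends when an admin logs in: username plus hidden password."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes, also the hiding IV
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check: only a server holding the same secret can produce a valid authenticator."""
    if len(response) < 20 or len(request) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def simulated_connector(request: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed stand-in for the Centrify connector: checks the password and, if it is right,
    replies Access-Challenge to request the second factor (the SMS code in this setup)."""
    ident, request_auth = request[1], request[4:20]
    attrs = parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    if user in users and hmac.compare_digest(users[user], password):
        reply = attr(ATTR_REPLY_MESSAGE, b"Enter the code sent to your mobile phone")
        return build_response(ACCESS_CHALLENGE, ident, reply, request_auth, secret)
    return build_response(ACCESS_REJECT, ident, b"", request_auth, secret)


def run_exchange(username: str, password: str, client_secret: bytes, server_secret: bytes) -> tuple:
    """Run one request/response; return (response code, authenticator verified by the client?)."""
    request = build_access_request(7, username, password, client_secret, "192.0.2.10")
    response = simulated_connector(request, server_secret, USERS)
    return response[0], verify_response(response, request, client_secret)


if __name__ == "__main__":
    print(run_exchange("jdoe", "Pa55word!", SHARED_SECRET, SHARED_SECRET))       # (11, True)
    print(run_exchange("jdoe", "wrong", SHARED_SECRET, SHARED_SECRET))           # (3, True)
    print(run_exchange("jdoe", "Pa55word!", SHARED_SECRET, b"mismatched-secret"))  # (3, False)
```

The third call is the situation behind a failed connectivity test when the network path is open: the server decodes garbage for the password and rejects, and the client cannot validate the reply because the authenticators were computed with different secrets. The password hiding itself is an MD5-keyed XOR stream, which is why a long random shared secret matters.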