FortiClient is a VPN solution from Fortinet and can be integrated with Keyless to provide a passwordless login experience. In this guide, will show how this can be accomplished using the Keyless RADIUS Appliance.

Assumptions:

• At least one account has been configured with the Keyless Authenticator so that it could be used to test authentication on the Keyless Radius server.

• FortiGate is already up and running and its initial setup is out-of-scope of this guide.

• This document is based on the below network configuration (i.e. network setup, routes, etc. Different steps may be required steps if your set up is different.

Adding the RADIUS Server in the FortiGate Client

1. From the FortiGate Management Portal go to "User & Authentication" --> "RADIUS Servers" and click "Create New".

2. Set a meaningful name in the "Name" field for the Keyless Radius Server (i..e "Keyless_Radius").

3. Leave Authentication method set to Default. Note: The PAP, MS-CHAPv2, and CHAP methods will be tried in order. The Keyless RADIUS connector uses PAP.

4. Under Primary Server, set "IP/Name" to the IP and "Secret" to the shared secret configured on the RADIUS server that was provided to you.

Example:

To confirm that FortiGate can successfully establish a connection with Keyless Radius Server click on the Test Connectivity button. If everything is fine, the below message will be shown:

Click "OK".

To configure the user group:

1. Go to "User & Authentication" --> "User Groups" and click "Create New".

2. In the "Name" field, enter a group name (i.e. KLS_VPN_Group )

3. In the "Remote Groups" area, click "Add", and from the Remote Server dropdown, select the Radius Server previously created (i.e. KLS_Radius )

4. Click OK, and then click OK again.

To configure the SSL VPN settings:

1. Go to "VPN" --> "SSL-VPN Settings".

2. From the "Listen on Interface(s)" dropdown select the port associated to the Fortigate Public IP (i.e port1).

3. In the Listen on Port field enter 10443.

• Optionally, from the Server Certificate dropdown, select the authentication certificate if you have one for this SSL VPN portal.

• Under Authentication/Portal Mapping, set the default portal web-access.

  1. Select "All Other Users/Groups" and click "Edit".

  2. From the Portal dropdown, select "web-access".

  3. Click "OK".

• Create a web portal for KLS_VPN_Group

  1. Under "Authentication/Portal Mapping", click Create "New".

  2. Click "Users/Groups" and select the KLS_VPN_Group.

  3. From the Portal dropdown, select "full-access".

  4. Click "OK".

To configure SSL VPN firewall policy go to "Policy & Objects" --> "Firewall Policy" > "IPv4 Policy".

Click "Create New" to create a new policy, or double-click an existing policy to edit it and configure the settings below:

Configure any remaining firewall and security options as desired and click "OK".

Example:

Set Remote Authentication Timeout

Open the Fortigate CLI and execute the following commands:

config system global
set remoteauthtimeout 30
end

Test Keyless Radius Authentication

1. Go to "User & Authentication" --> "RADIUS Servers"

2. Select the Radius Server item and click on the Edit button

3. Click on "Test User Credentials"

4. Provide your account username

5. Provide a random fake password (Fortigate client requires a non-empty password)

   • The Keyless Authenticator app will be invoked during authentication process.

6. Click on the Test button

Check the Keyless authenticator app on your phone to authenticate.

Once authenticated, the below message will be shown:

References:

• https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/766392/ssl-vpn-with-multiple-radius-servers

• https://forum.fortinet.com/tm.aspx?m=72535