This document will describe the required steps to integrate a Fortinet FortiGate Firewall with Keyless Radius Server.
FortiClient is a VPN solution from Fortinet and can be integrated with Keyless to provide a passwordless login experience. This guide shows how this can be accomplished using the Keyless RADIUS Appliance.
At least one account has been configured with the Keyless Authenticator so that it can be used to test authentication on the Keyless Radius server.
FortiGate is already up and running and its initial setup is out-of-scope of this guide.
This document is based on the network configuration below (i.e. network setup, routes, etc.). Different steps may be required if your setup is different.
This walkthrough uses FortiGate version 6.4. Steps may vary between client versions.
Adding the RADIUS Server in the FortiGate Client
From the FortiGate Management Portal go to "User & Authentication" --> "RADIUS Servers" and click "Create New".
Set a meaningful name in the "Name" field for the Keyless Radius Server (i.e. "Keyless_Radius").
Leave Authentication method set to Default.
Note: The PAP, MS-CHAPv2, and CHAP methods will be tried in order. The Keyless RADIUS connector uses PAP.
Under Primary Server, set "IP/Name" to the IP and "Secret" to the shared secret configured on the RADIUS server that was provided to you.
To confirm that FortiGate can successfully establish a connection with Keyless Radius Server click on the Test Connectivity button. If everything is fine, the below message will be shown:
At this point, the Radius Server Authentication will not yet work because the remote authentication has been modified.
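The following Python example is added here and is not from Keyless or Fortinet. It shows how a PAP Access-Request hides the User-Password attribute with the shared secret (RFC 2865, section 5.2), which is why the "Secret" entered under Primary Server should be long and random; the user name, password and secret in it are constructed sample values.

```python
import hashlib
import os
import struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with an MD5 keystream."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream, chained on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator):
    """Access-Request (code 1) with User-Name (type 1) and User-Password (type 2)."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes that follow the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = {}, 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    auth = os.urandom(16)                   # Request Authenticator, fresh per request
    pkt = build_access_request(7, b"alice", b"dummy-password", secret, auth)
    attrs = parse_attributes(pkt)
    print("User-Name:", attrs[1], "hidden User-Password:", attrs[2].hex())
    print("server view:", reveal_password(attrs[2], secret, auth))
```

Only the password field is protected this way; the user name travels in clear text, so the RADIUS traffic between FortiGate and the Keyless appliance belongs on a trusted network segment.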
To configure the user group:
Go to "User & Authentication" --> "User Groups" and click "Create New".
In the "Name" field, enter a group name (i.e. KLS_VPN_Group).
In the "Remote Groups" area, click "Add", and from the Remote Server dropdown, select the Radius Server previously created (i.e. KLS_Radius).
Click OK, and then click OK again.
To configure the SSL VPN settings:
Go to "VPN" --> "SSL-VPN Settings".
From the "Listen on Interface(s)" dropdown, select the port associated with the FortiGate public IP (i.e. port1).
In the Listen on Port field enter 10443.
Optionally, from the Server Certificate dropdown, select the authentication certificate if you have one for this SSL VPN portal.
Under Authentication/Portal Mapping, set the default portal to web-access.
Select "All Other Users/Groups" and click "Edit".
From the Portal dropdown, select "web-access".
Create a web portal for KLS_VPN_Group
Under "Authentication/Portal Mapping", click "Create New".
Click "Users/Groups" and select the KLS_VPN_Group.
From the Portal dropdown, select "full-access".
To configure the SSL VPN firewall policy, go to "Policy & Objects" --> "Firewall Policy" --> "IPv4 Policy".
Click "Create New" to create a new policy, or double-click an existing policy to edit it and configure the settings below:
Enter the firewall policy name.
Select SSL-VPN tunnel interface (ssl.root).
Set to the local network interface so that the remote user can access the internal network. For this example, select port2.
In the Address tab select SSLVPN_TUNNEL_ADDR1.
In the User tab, select KLS_VPN_Group.
Select the internal private subnet 10.0.1.0/24.
Set to Enable.
Configure any remaining firewall and security options as desired and click "OK".
Set Remote Authentication Timeout
Open the FortiGate CLI and execute the following commands:
config system global
set remoteauthtimeout 30
end
Test Keyless Radius Authentication
Go to "User & Authentication" --> "RADIUS Servers"
Select the Radius Server item and click on the Edit button
Click on "Test User Credentials"
Provide your account username
Provide a random fake password (the FortiGate client requires a non-empty password)
The Keyless Authenticator app will be invoked during the authentication process.
Click on the Test button
Check the Keyless authenticator app on your phone to authenticate.
Once authenticated, the below message will be shown: