Hardware tokens for two-factor authentication with FortiGate
Two-factor authentication with FortiGate can be implemented using several different methods (SMS, Email etc.) with OTP-based 2FA being the most secure one. 2FA can be implemented natively with FortiToken, a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six-digit authentication code or a mobile app that uses a proprietary algorithm for the enrollment process. FortiToken is a component of Fortinet infrastructure that requires an additional license (even with the mobile app version), which some customers find quite expensive.
Fortunately, Fortinet allows using external RADIUS servers as the authentication source and this will allow implementing two-factor authentication using Token2 TOTPRadius appliance as a more cost-effective alternative to the standard method.
TOTPRadius comes with 5 free user licenses, so if you intend to use 2FA with a mobile app, you can implement the solution at no additional cost. More licenses can be purchased online. Feel free to contact us if you need more than 500 licenses — volume discounts are available.
In this guide, we will show how to configure a Fortinet gateway to work with TOTPRadius in LDAP proxy mode. The authentication will use the standard login forms (username+password only) and the password field is expected to have the LDAP password followed by 6 digit OTP as a single string. For simplicity, this guide will show configuring accounts with administrative access.
About LDAP Proxy
The principle behind LDAP proxy feature of TOTPRadus is that users will provide their AD or LDAP password together with the one-time passwords in the password field. TOTPRadius will then parse the password, split it into two parts and authenticate the OTP and if correct will send the AD/LDAP password part further to the AD/LDAP server configuration. This setup was tested only with Microsoft Active Directory as the LDAP backend.
The setup described in this guide is based on the following components:
- Fortinet gateway deployed as a virtual applianceVMwareware ESXi (FortiGate VM64) and full admin access to the gateway
- Token2 TOTPRadius v2.3 with built-in free 5 users license
- A mobile application (such as Google Authenticator) and/or a classic or a programmable Token2 TOTP hardware token used as the second factor
Step 1. Create a new RADIUS server entry and assign to User group
Navigate to User & Authentication -> RADIUS Servers . Click on the ‘+ Create New’ button and fill in the information below:
Name: the name of the appliance (we will use ‘TOTPRadius’ for this guide as an example)
NAS IP: leave empty
IP/Name: the IP address of your TOTPRadius appliance
Secret: RADIUS secret of your TOTPRadius appliance (configured on the ‘General settings’ page in the admin panel of TOTPRadius)
Navigate to User & Authentication -> User Groups and click on the ‘+ Create New’ button. Provide the following information:
- Name: Name of the user group allowed to use TOTPRadius authentication, in our example, we use “TOTP” as the name of the group
- Type: choose ‘Firewall’
- Remote Groups: click on Add, then select ‘TOTPRadius’ from the Remote Server list
- Click ‘OK’ to complete the process
Step 2. Enable administrative access for TOTPRadius hosted users
Navigate to Security -> Administrators, then click on the ‘+ Create New -> Administrator’ button to prepare the account.
Fill the following information:
- Username: same as your LDAP username
- Type: “Match a user on a remote server group”
- Set a backup password and confirm it (this password may be used as a fallback mechanism if the RADIUS server is unreachable)
- Select Administrator Profile, for example, super_admin
Step 3. Configure TOTPRadius in LDAP Proxy mode
- Set ‘Allow initial login’ to 0
- in LDAP settings section:
- Set LDAP server (hostname or IP for regular LDAP and ldaps://ip_or_hostname for LDAPS). Separate multiple servers with spaces
- Put your NETBIOS prefix or UPN suffix in the username format field keeping %username% string. I.e. if a user in your AD environment is using [email protected] to log in, the username format field should be set as “%firstname.lastname@example.org”
- You also need to define LDAP search string to allow the LDAP connection session to locate the users’ OU (i.e. ‘ou=users,o=myorgname’).
- LDAP Group field should be left empty (this setting is not used by Fortinet integration)
- If you need the user to self-enrol the second factor, enable “Allow LDAP Enrollment” option
Step 4. Generate or set the second factor for the user on TOTPRadius appliance
In this step, we will create a second-factor record (TOTP secret) for the username previously created under the FortiGate interface (Step 2).
Login to TOTPRadius admin interface, and click on New User button. This will generate a QR code that should be used to provision the TOTP profile on a mobile authenticator app (Google Authenticator, Microsoft Authenticator, Token2 TOTP+ or any other RFC6238-compliant application). If a hardware token is to be used for this user, click on Edit profile or assign hardware token button and paste the secret key of the hardware token in Token key field in base32 format.
If a programmable hardware token is used, you can burn the secret onto the hardware token by scanning the QR code using one of the NFC Burner apps.
Ready to log in
After all 4 steps above are completed successfully and without errors, the user can log in to the Fortinet web interface using his/her username and active directory password and the 6 digit OTP generated by the hardware token or the mobile app.
Originally published at https://www.token2.com on November 28, 2020.