Copyright
Copyright © 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in
any form or by any means without the written permission of CRYPTOCard Corp.
Fortinet Fortigate 60 Implementation Guide
Fortinet Fortigate Overview
This documentation presents an overview and necessary steps to configure a Fortinet Fortigate 60 for
use with CRYPTO-MAS and CRYPTOCard tokens. The Fortigate can be used to create an encrypted
tunnel between hosts. CRYPTO-MAS works in conjunction with the Fortigate to replace static
passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily
guessed passwords when establishing a connection to gain access to protected resources.
With CRYPTO-MAS acting as the authentication server for a VPN enabled resource, an authenticated
connection sequence would be as follows:
1. The administrator configures the Fortinet Fortigate 60 to use RADIUS Authentication.
2. The incoming RADIUS authentication request is relayed over to the CRYPTO-MAS Server as shown in Figure 1 below.
Figure 1 – RADIUS authentication request is relayed to the CRYPTO-MAS Server
3. The CRYPTO-MAS Server examines the incoming packet. If the user exists, it then checks the
token associated with the user for the expected PIN + One-time password.
4. If the PIN + One-time password is valid for the user’s token, the server sends an access
accepted. This is illustrated in Figure 2 below.
If the user does not exist, or the PIN + One-time password is incorrect, it sends the user an
access reject message.
Figure 2 – The CRYPTO-MAS Server responds with an access accepted or rejected.
Prerequisites
Before configuring the Fortigate to use CRYPTOCard authentication, verify the following:
1. End users can authenticate through the Fortigate with a static password.
2. An initialized CRYPTOCard token is assigned to a CRYPTOCard user.
The following CRYPTO-MAS server information is also required:
Primary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address:
Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL):
CRYPTO-MAS RADIUS Accounting port number (OPTIONAL):
CRYPTO-MAS RADIUS Shared Secret:
Configuring Fortinet Fortigate
In order for the Fortigate to authenticate CRYPTOCard token users, RADIUS authentication must be
enabled.
Add RADIUS Server
To add a new RADIUS Server, choose:
• User
• RADIUS
• Create New
Enter the IP Address and Shared Secret of the CRYPTO-MAS Server so that the Fortinet Fortigate
points to the CRYPTO-MAS Server for authentication.
Creating a Local User
Next, create a user in the Fortigate.
To create a user click:
• User
• Local
• Create New
Enter the user’s username, select RADIUS, then select the RADIUS server the user will authenticate
against. Click OK when everything has been selected.
Note: the username must match the username that is provided to the CRYPTO-MAS Server.
Creating a User Group
Now a group must be created. From the Local tab, click on:
• User Group tab
• Create New
At least the following configuration options should be selected:
• Enter the name of the group
• Change type from Firewall to SSL VPN
• Expand the SSL-VPN User Group Options.
• Put a check mark in the following boxes:
  • “Enable SSL-VPN Tunnel Service”
  • Enable Web Application
    o HTTP/HTTPS Proxy
    o Telnet (applet)
    o VNC
    o FTP
    o Samba
    o RDP
• Click OK
Configuring SSL-VPN Settings
To configure your SSL-VPN Connection, click on VPN, then SSL.
• Select Enable SSL-VPN.
• Choose a port for the SSL-VPN Connection.
• Enter the Tunnel IP Range.
• Select the Server Certificate (Self-Signed by default).
• Select “Default” for Encryption Key Algorithm.
• Idle Timeout is 300 seconds.
Creating a Firewall Policy
To create a new firewall policy, click on Firewall, Policy, Create New.
The following should be done:
Source Interface/Zone: wan1
Source Address Name: All
Destination Interface/Zone: internal
Destination Address Name: all
Schedule: always
Service: ANY
Action: SSL-VPN
Select the group on the Available Groups side and move it over to the Allowed side for SSL-VPN
access.
Check off Protection Profile; it should default to unfiltered.
Click OK when finished.
Testing RADIUS Authentication through HyperTerminal
Open a new HyperTerminal session on the machine that is connected to the Fortinet Fortigate.
Once you have logged on, enter the command as follows:
# diag test auth rad
If it succeeds, the output message will be something along the lines of:
“authenticate ‘henry’ against ‘pap’ succeeded, server=primary session_timeout=0 secs!”
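The RADIUS exchange described in the overview (Access-Request relayed to the CRYPTO-MAS Server, Access-Accept or Access-Reject returned) and the authentication test above both rely on the same PAP-over-RADIUS mechanics, so the following added example shows both sides of that exchange. This is example code, not CRYPTOCard’s or Fortinet’s: the packet layout and User-Password hiding follow RFC 2865, the server-side decision models what the guide states (user must exist, PIN + One-time password must match the token), and the one-time-password derivation is a constructed stand-in (HMAC of a counter), not the CRYPTOCard token algorithm. The shared secret, token seed and the user “nobody” are constructed values; “henry” is the username from the test output above.

```python
"""RADIUS PAP Access-Request / Accept / Reject exchange with a token-auth server (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret, authenticator, password):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR block i with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; needs the same shared secret and the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def build_access_request(secret, ident, username, password, authenticator=None):
    """Gateway side: code 1, random 16-byte Request Authenticator, User-Name and hidden User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attrs([(ATTR_USER_NAME, username.encode()),
                    (ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode()))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data):
    """Returns (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, ln = data[pos], data[pos + 1]
        attrs[t] = data[pos + 2:pos + ln]
        pos += ln
    return code, ident, data[4:20], attrs


def build_response(secret, code, ident, request_authenticator, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """Gateway side: reply matches our request ID and was produced with the shared secret."""
    _, req_id, req_auth, _ = parse_packet(request)
    _, ident, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return ident == req_id and hmac.compare_digest(expected, resp_auth)


class OtpAuthServer:
    """Stand-in authentication server; users maps username -> (pin, token_seed, counter)."""

    def __init__(self, secret, users):
        self.secret, self.users = secret, users

    @staticmethod
    def expected_otp(seed, counter):
        # Constructed stand-in for the token's one-time password; not the CRYPTOCard algorithm.
        digest = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
        return f"{int.from_bytes(digest[-4:], 'big') % 10**8:08d}"

    def handle(self, request):
        code, ident, auth, attrs = parse_packet(request)
        if code != ACCESS_REQUEST:
            return None
        username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
        supplied = reveal_password(self.secret, auth, attrs.get(ATTR_USER_PASSWORD, b""))
        user, ok = self.users.get(username), False
        if user is not None:                       # unknown user -> reject
            pin, seed, counter = user
            ok = hmac.compare_digest(supplied, (pin + self.expected_otp(seed, counter)).encode())
            if ok:                                 # consume the OTP so the same value cannot be replayed
                self.users[username] = (pin, seed, counter + 1)
        return build_response(self.secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth)


def demo():
    """Runs the cases the guide describes and returns the outcome of each."""
    secret, seed = b"constructed-shared-secret", b"constructed-token-seed"   # constructed values
    server = OtpAuthServer(secret, {"henry": ("1234", seed, 0)})
    otp = OtpAuthServer.expected_otp(seed, 0)          # the value the user reads off the token
    good = build_access_request(secret, 7, "henry", "1234" + otp)
    accept = server.handle(good)
    tampered = accept[:4] + bytes([accept[4] ^ 1]) + accept[5:]   # one bit flipped in the authenticator
    return {
        "valid": parse_packet(accept)[0],
        "verified": verify_response(secret, good, accept),
        "tampered": verify_response(secret, good, tampered),
        "replay": parse_packet(server.handle(good))[0],           # same OTP presented a second time
        "wrong_pin": parse_packet(server.handle(build_access_request(secret, 8, "henry", "9999" + otp)))[0],
        "unknown_user": parse_packet(server.handle(build_access_request(secret, 9, "nobody", "1234" + otp)))[0],
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noting from the code: the PAP hiding is an MD5-keyed XOR stream, so its confidentiality rests entirely on the strength of the shared secret and on the RADIUS traffic staying on a trusted segment between the Fortigate and the CRYPTO-MAS Server; and the gateway should verify the Response Authenticator before trusting an Access-Accept, which is what `verify_response` does.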
VPN Client login page
To test the VPN access from a browser, navigate to https://:
A login prompt comes up. Enter the username and PIN + One-time password.
Once the user has successfully logged in, they will be presented with a Welcome to SSL-VPN Service
page.
The CRYPTO-MAS Server can also be set up to use New PIN Mode – Stored on Server, server changeable.
If the user’s PIN style has been set to Stored on Server, server changeable, and the server is set to
push out a new PIN after the next logon, the new PIN is displayed on the webpage, as illustrated
below.
Solution Overview
Summary
Product Name: Fortinet Fortigate
Vendor Site: http://www.fortinet.com/
Supported VPN Client Software: Internet Explorer 6 or higher; Mozilla Firefox 1.5 or higher
Authentication Method: RADIUS Authentication
Supported RADIUS Functionality for Fortinet Fortigate
RADIUS Authentication Encryption: PAP
Authentication Method: One-time password; Challenge-response; Static password
New PIN Mode: User changeable Alphanumeric 4-8 digit PIN; User changeable Numeric 4-8 digit PIN;
Server changeable Alphanumeric 4-8 digit PIN; Server changeable Numeric 4-8 digit PIN
Trademarks
CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS
are either registered trademarks or trademarks of CRYPTOCard Corp.
Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft
Corporation. All other trademarks, trade names, service marks, service names, product names, and
images mentioned and/or used herein belong to their respective owners.
Publication History
Date: Changes
October 27, 2006: Initial Draft
November 9, 2006: Global Draft
November 30, 2006: Minor Revision