Symantec VIP Integration Guide for Fortinet FortiGate VPN


Table of Contents

About integrating Fortinet FortiGate VPN with Symantec VIP
    Scope of Document
    Audience
    VIP Features Checklist
    Authentication Workflow
Configuring the FortiGate VPN
    Meet the prerequisites
        Ensuring First-Factor Authentication
        Installing and Configuring VIP Enterprise Gateway
    Create a RADIUS Server
    Configure the Timeout
    Configure a User Group
    Add the User Group to IPv4 Security Policy
    Configure Authentication and Portal Mapping
    Test the Integration
        Testing Hardware and VIP Access Credential Authentication
        Testing SMS/Voice Authentication
        Testing VIP Access Push Authentication
Troubleshooting
Copyright Statement


About integrating Fortinet FortiGate VPN with Symantec VIP

The traditional user name and password authentication is no longer enough to meet today's evolving security threats and regulatory requirements. However, users demand an easy-to-use authentication solution. What is needed today is stronger and smarter authentication to secure corporate data and applications, while offering greater ease of use.

Symantec Validation and ID Protection (VIP) is a cloud-based authentication service that enables enterprises to securely access online transactions, meet compliance standards, and reduce fraud risk. VIP provides an additional layer of protection beyond the standard user name and password through a wide variety of additional authentication capabilities including:

• Two-factor authentication – dynamic, one-time-use security codes generated by a user's VIP credential in the form of mobile apps, desktop software, security tokens, and security cards

• Out-of-band authentication – dynamic, one-time-use security codes delivered by phone call, by SMS text message or email, or by push notifications sent to a registered mobile device

• Risk-based authentication – real-time analysis of user and device characteristics including device IDs, device fingerprints and reputation, IP geolocation, and global network intelligence

VIP is based on the open standards of OATH, an industry-wide consortium working with other groups to promote widespread strong authentication. Because the service is hosted by Symantec, enterprises engage one solution to support multiple enterprise, partner, and customer-facing applications requiring strong authentication. Intended for administrators, this guide helps you prepare for VIP integration by providing a comprehensive outline for planning, decision making, and task prioritization for a successful deployment.

Users generate a security code on a VIP credential that they register with Symantec's VIP Service. They use that security code, along with their user name and password, to gain access to the resources protected by Fortinet® FortiGate VPN.

Scope of Document

This document describes how to integrate CA SiteMinder with VIP Enterprise Gateway to enable two-factor authentication for users who access your protected resources.

Symantec's Validation and ID Protection (VIP) Enterprise Gateway enables your organization's employees and associates to use the strong authentication capabilities that VIP Services provides, along with their enterprise directory authentication credentials.

Audience

This document is intended to help system administrators of VIP Enterprise Gateway when working with third-party software such as CA SiteMinder to enable two-factor authentication capabilities.

VIP Features Checklist

Table 1, VIP Supported Features, lists the VIP Enterprise Gateway features that are supported with FortiGate VPN.

Table 1: VIP Supported Features

VIP Feature                                                          Support

First-factor authentication
    AD/LDAP password through VIP Enterprise Gateway                  Yes
    VIP PIN                                                          No

Second-factor authentication
    VIP Access Push                                                  Yes
    SMS                                                              Yes
    Voice                                                            Yes

Selective Strong authentication
    End user-based                                                   No
    (A user is challenged for additional authentication based on user role)
    Risk-based (Intelligent Authentication)                          No
    Target resource-based                                            No
    (A user is challenged for additional authentication based on resource access)

General authentication
    Multi-domain                                                     Yes
    Anonymous user name                                              Yes
    Legacy authentication provider integration (delegation)          Yes
    AD password reset                                                Yes

Integration Method
    VIP JavaScript                                                   No
    (JavaScript is used for push and out-of-band (OOB) authentication such as SMS and Voice)
    VIP Login                                                        No
    SOAP Web Service APIs                                            No
    RADIUS                                                           Yes

Authentication Workflow

This section describes how the integration of Symantec VIP with FortiGate VPN authenticates a user's access of protected resources. This workflow describes the integration for the User ID – LDAP Password – Security Code authentication method.

1. The user enters a user name, password, and a security code in the FortiGate VPN login page.

2. FortiGate VPN sends the user name, password, and the security code to VIP Enterprise Gateway.

3. As the first part of the two-factor authentication process, the VIP Enterprise Gateway Validation server authenticates the user name and the password against your user store. For example, if AD/LDAP is the user store, the Validation server authenticates the user name and the password against AD/LDAP. After successful authentication, the user store sends an authentication response to the VIP Enterprise Gateway Validation server.

4. As the second part of the two-factor authentication process, the VIP Enterprise Gateway Validation server authenticates the user name and the security code with VIP Service. After successful authentication, VIP Service sends an authentication response to the VIP Enterprise Gateway Validation server.

5. If the user name and the security code are successfully authenticated, the VIP Enterprise Gateway returns an Access-Accept Authentication response to the FortiGate VPN.

6. Based on the Access-Accept Authentication response, FortiGate VPN grants the user access to the protected resource.
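The RADIUS exchange behind steps 2 to 4, as an added illustration that is not part of this guide and not Symantec or Fortinet code: FortiGate sends one PAP User-Password attribute carrying the LDAP password followed by the security code, and the Validation server has to recover and split it. The six-digit code length, the user name, password and shared secret are constructed assumptions; the RFC 2865 packet layout and PAP password hiding are standard. It also shows why a shared-secret mismatch surfaces as an "incorrect LDAP static password" rather than as a RADIUS error.

```python
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1        # RFC 2865 packet code
ATTR_USER_NAME = 1        # RFC 2865 attribute types
ATTR_USER_PASSWORD = 2
SECURITY_CODE_LEN = 6     # assumption: VIP security codes are six digits


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR the NUL-padded password with an MD5(secret + previous block) keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; the keystream is chained on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user: str, password: str, code: str, secret: bytes,
                         identifier: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Workflow step 2: FortiGate forwards the user name and 'LDAP password followed by
    security code' as a single PAP User-Password attribute to the Validation server."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator, random per request
    attrs = b""
    for typ, val in ((ATTR_USER_NAME, user.encode()),
                     (ATTR_USER_PASSWORD, pap_encrypt((password + code).encode(), secret, authenticator))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(pkt: bytes, secret: bytes) -> Tuple[str, str, str]:
    """Workflow steps 3-4: the Validation server recovers the combined value and splits it into
    the LDAP password (checked against AD/LDAP) and the security code (checked with VIP Service)."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("malformed Access-Request")
    authenticator, attrs = pkt[4:20], pkt[20:]
    fields: Dict[int, bytes] = {}
    while attrs:
        if len(attrs) < 2 or attrs[1] < 2 or attrs[1] > len(attrs):
            raise ValueError("malformed attribute length")
        fields[attrs[0]] = attrs[2:attrs[1]]
        attrs = attrs[attrs[1]:]
    try:
        combined = pap_decrypt(fields[ATTR_USER_PASSWORD], secret, authenticator).decode()
    except UnicodeDecodeError:
        # A shared-secret mismatch yields an unrelated keystream, so the "password" is garbage:
        # the gateway then logs "Authentication failed with incorrect LDAP static password".
        raise ValueError("incorrect LDAP static password: check the RADIUS shared secret")
    if len(combined) <= SECURITY_CODE_LEN or not combined[-SECURITY_CODE_LEN:].isdigit():
        raise ValueError("no security code at the end of the password")
    # Convention assumed here: the last six characters are the code, the rest is the LDAP password.
    return fields[ATTR_USER_NAME].decode(), combined[:-SECURITY_CODE_LEN], combined[-SECURITY_CODE_LEN:]


def shared_secret_matches(pkt: bytes, secret: bytes) -> bool:
    """Troubleshooting check: does this secret recover a usable password + code from the packet?"""
    try:
        parse_access_request(pkt, secret)
        return True
    except (ValueError, KeyError):
        return False


# Constructed sample exchange (not real credentials); fixed authenticator keeps the packet reproducible.
SAMPLE_SECRET = b"s3cret-shared-with-VIP-EG"
SAMPLE_REQUEST = build_access_request("jdoe", "Pa$$w0rd!", "123456", SAMPLE_SECRET,
                                      authenticator=bytes(range(16)))
```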


Configuring the FortiGate VPN

You must complete the following tasks to configure the FortiGate VPN and integrate it with Symantec VIP:

• Meet the prerequisites
• Create a RADIUS Server
• Configure the Timeout
• Configure a User Group
• Add the User Group to IPv4 Security Policy
• Configure Authentication and Portal Mapping
• Test the Integration

Meet the prerequisites

Before you integrate FortiGate VPN with Symantec VIP for second-factor authentication, you must ensure that first-factor authentication is working, and also install and configure VIP Enterprise Gateway, as described in the following sections:

• Ensuring First-Factor Authentication
• Installing and Configuring VIP Enterprise Gateway

Ensuring First-Factor Authentication

You must make sure that the first-factor authentication is working. That is, ensure that you configure FortiGate with LDAP, and a user is able to log into FortiGate with a user name and a password. For more information, refer to the FortiGate documentation.

Installing and Configuring VIP Enterprise Gateway

In general, you must complete the following steps to install and configure VIP Enterprise Gateway:

1. Add the Validation server as follows:
   – If you have installed the pre-9.8 version of VIP Enterprise Gateway, add the Validation server for the UserID – LDAP Password – Security code authentication method.
   – If you have installed VIP Enterprise Gateway version 9.8 or later, perform the following steps:
     • Log in to VIP Enterprise Gateway and click the Validation tab.
     • Click Add Server. The Add RADIUS Validation server dialog box is displayed.
     • In the Vendor drop-down list, select Fortinet.
     • In the Application Name drop-down list, select the vendor's application that you use, FortiGate VPN.
     • In the Authentication Mode drop-down list, select the UserID – LDAP Password – Security code mode that you want to use for first- and second-factor authentication. In this authentication mode, VIP Enterprise Gateway validates the first factor (user name and password) with your User Store, such as AD/LDAP. VIP Enterprise Gateway validates the second factor (user name and security code) with VIP Service.
     • Click Continue to add the Validation server.
   – By default, FortiGate VPN listens on port 1812. You cannot configure FortiGate VPN to listen on a different port. Therefore, ensure that you set the Validation server port to 1812. For configuration procedures, refer to the VIP Enterprise Gateway Installation and Configuration Guide.

Create a RADIUS Server

FortiGate VPN communicates with a RADIUS server during the user authentication process.

Perform the following steps to create a RADIUS server:

1. Log into the FortiGate VPN admin console.

2. In the left pane, go to User & Device > RADIUS Servers, and click Create New. The New RADIUS Server page is displayed.

3. Update the following fields:

   Name
       Enter a name to identify the RADIUS server.

   Primary Server IP/Name
       Enter the domain name or the IP address of the primary RADIUS server.

   Primary Server Secret
       Enter the shared secret of the primary RADIUS server that is used for encryption. A shared secret is a password, a passphrase or something similar that is known only to the entities involved in a secure communication. This shared secret must match the shared secret that you set earlier in the VIP Enterprise Gateway Validation server.

   Secondary Server IP/Name
       Optionally, if you plan to configure a secondary RADIUS server, enter the domain name or IP address of the secondary RADIUS server. A secondary RADIUS server is useful as a backup server if there is no authentication response from the primary RADIUS server.

   Secondary Server Secret
       If you configure a secondary RADIUS server, enter the shared secret of the secondary RADIUS server.

   Authentication Method
       Click Specify. In the newly displayed Method field, select PAP. Password Authentication Protocol (PAP) uses a password to validate a user before allowing them access to server resources. In this protocol, two entities share a password in advance and use the password for authentication.

   NAS IP
       Leave this field blank. Network Access Server (NAS) is an attribute of the RADIUS server.

   Include in every User Group
       Select this option if you want to automatically include the RADIUS server in all user groups. This option is useful if all the users will be authenticating with the RADIUS server.

4. Next to the Primary Server Secret field, click Test Connectivity. If you have provided valid Primary Server details, a connection success message is displayed.

5. If you have configured the Secondary Server Secret field, click Test Connectivity next to this field.

6. Click OK to save the new RADIUS server details.


Configure the Timeout

FortiGate VPN has a default timeout of 5 seconds. If you plan to configure your FortiGate VPN with VIP Access Push and SMS/Voice authentication, then the default timeout of 5 seconds is insufficient for the user to respond to the push/SMS/voice notification. Ideally, you should reset the timeout to a minimum of 60 seconds.

Perform the following steps to configure the timeout:

1. In the FortiGate VPN admin console, click admin > CLI Console. The Command Line Interface (CLI) window is displayed.

2. In the CLI window, execute the following commands:

       config system global
           set remoteauthtimeout 60
       end
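A configuration check for the two settings this guide depends on, added here as an example and not taken from the guide or from Fortinet: it parses FortiOS CLI output and flags a remoteauthtimeout below 60 seconds (the failure mode in the Troubleshooting table) and any RADIUS server entry not using PAP. The CLI dump is constructed, and treating auth-type under config user radius as the CLI counterpart of the GUI Authentication Method field is an assumption.

```python
import shlex
from typing import Dict, List

# Constructed FortiOS CLI output (not from a real device): 'show system global' and 'show user radius'.
SAMPLE_CONFIG = """
config system global
    set admintimeout 5
    set hostname "FGT-EXAMPLE"
    set remoteauthtimeout 5
end
config user radius
    edit "vip-eg-primary"
        set server "10.0.0.5"
        set auth-type pap
    next
    edit "vip-eg-secondary"
        set server "10.0.0.6"
        set auth-type auto
    next
end
"""


def parse_fortios(text: str) -> Dict:
    """Turn nested FortiOS 'config ... end' blocks and 'edit ... next' entries into dicts."""
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)          # honours the quoting FortiOS uses around names
        if not parts:
            continue
        if parts[0] in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(parts[1:]), {})
            stack.append(child)
        elif parts[0] in ("end", "next"):
            stack.pop()
        elif parts[0] == "set" and len(parts) >= 3:
            stack[-1][parts[1]] = " ".join(parts[2:])
    return root


def audit_vip_radius(cfg: Dict, minimum_timeout: int = 60) -> List[str]:
    """Report settings that break the push/SMS/voice flow described in this guide."""
    findings = []
    # FortiGate's default remoteauthtimeout is 5 seconds; a VIP Access Push or SMS/voice
    # challenge needs at least 60 seconds for the user to respond before FortiGate gives up.
    timeout = int(cfg.get("system global", {}).get("remoteauthtimeout", 5))
    if timeout < minimum_timeout:
        findings.append(f"remoteauthtimeout is {timeout}s; set it to at least {minimum_timeout}s")
    # The guide requires PAP on the RADIUS server entry (assumption: 'auth-type' is the CLI key).
    for name, server in cfg.get("user radius", {}).items():
        auth_type = server.get("auth-type", "unset")
        if auth_type != "pap":
            findings.append(f"RADIUS server {name}: auth-type is {auth_type}, expected pap")
    return findings
```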

Configure a User Group

Perform the following steps to create a user group and add users:

1. In the FortiGate VPN admin console, go to User & Device > User Group, and click Create New. The New User Group page is displayed.

2. In the Name field, provide a unique name to identify the user group.

3. In the Type field, select the type of user group that you want to create. For example, Firewall.

4. Under Remote groups, click Create New. The Add Group Match page is displayed.

5. In the Remote Server drop-down list, select the RADIUS server that you created earlier in Create a RADIUS Server.

6. Leave the Groups drop-down list empty and click OK.

7. In the New User Group page, click OK to complete the creation of a new user group.

Add the User Group to IPv4 Security Policy

Perform the following steps to add the user group that you created in the earlier task to your organization's IPv4 security policy:

1. In the FortiGate VPN admin console, go to Policy & Objects > IPv4 Policy. Your organization's existing IPv4 security policies are displayed.

2. Click + (plus icon) next to the IPv4 policy that you want to update, and then click in the Source column of that policy. The Select Entries pane is displayed.

3. In the Select Entries pane, click the User tab and select the user group that you created earlier in Configure a User Group.

4. Click OK to add the user group and save the changes to the IPv4 policy.


Configure Authentication and Portal Mapping

This section describes the procedure to map a user group to a portal access method. For example, the user group that you created earlier can be allowed web-access, full-access, and so on. Perform the following steps:

1. In the FortiGate VPN admin console, go to VPN > SSL-VPN Settings.

2. Scroll down to the Authentication/Portal Mapping section, and click Create New. The Authentication/Portal Mapping page is displayed.

3. In the User/Groups field, click + and from the displayed entries, select the user group that you created in Configure a User Group.

4. In the Portal drop-down list, select the type of portal access allowed for users in the user group. For example, full-access. For details on types of portal access, refer to the documentation available with your FortiGate VPN.

5. Click Apply to save the portal mapping for the user group.

Test the Integration

This section describes the procedures for testing the integration of FortiGate VPN with Symantec VIP. You can test the integration for the User ID – LDAP Password – Security Code authentication method that you use in your enterprise. An authentication method can use the following verification mechanisms:

• Hardware and VIP Access Credential: The security code generated on your hardware or VIP Access credential is used along with the user name and password to access the protected resources. See Testing Hardware and VIP Access Credential Authentication.

• SMS/Voice: If you have configured Out-of-Band (OOB) authentication in the VIP Enterprise Gateway Validation server and in VIP Manager, then a security code is sent to the registered mobile device over SMS or Voice. This security code is used along with the user name and password to access the protected resources. See Testing SMS/Voice Authentication.

• VIP Access Push: For users who have installed VIP Access on their registered mobile devices, VIP Service sends a VIP Access Push notification message to the mobile device. The user must tap Allow on the device to perform the second-factor authentication and complete the sign-in. See Testing VIP Access Push Authentication.

Testing Hardware and VIP Access Credential Authentication

If you are using hardware or VIP Access credential authentication with the User ID – LDAP Password – Security Code authentication method, then perform the following steps:

1. Log into the resource protected by FortiGate VPN.

2. On the login page, do the following:
   – Enter your user name.
   – Enter your password followed by the security code that you generate on your hardware or VIP Access credential.
   – Enter the portal IP address.
   – Click Apply.

   After successful authentication, you can access the protected resources.

Testing SMS/Voice Authentication

If you have integrated SMS or Voice authentication with the User ID – LDAP Password – Security Code authentication method, then perform the following steps:

1. Log into the resource protected by FortiGate VPN.

2. On the login page, do the following:
   – Enter your user name.
   – Enter your password.
   – Enter the portal IP address.
   – Click Apply.

   If the credentials are correct, you will receive a security code over SMS or Voice on your registered mobile device and the Challenge page is displayed.

3. In the Challenge page, enter the security code that you received on your device and click Sign In. After successful authentication, you can access the protected resources.

Testing VIP Access Push Authentication

If you have integrated VIP Access Push authentication with the User ID – LDAP Password – Security Code authentication method, then perform the following steps:

1. Log into the resource protected by FortiGate VPN.

2. On the login page, do the following:
   – Enter your user name.
   – Enter your password.
   – Enter the portal IP address.
   – Click Apply.

   If the credentials are correct, you will receive a VIP Access Push notification on your registered mobile device.

3. Tap Allow on your device. After successful authentication, you can access the protected resources.


Troubleshooting

The following are some of the common issues that you may encounter during integration, along with typical solutions.

Table 2: Troubleshooting Issues

Issue:
    End user authentication fails. The Enterprise Gateway Validation server log file contains the error message, Authentication failed with incorrect LDAP static password.
Solution:
    Verify one of the following:
    • The password may be locked or it may have expired. Reset the password.
    • Make sure that the RADIUS shared secret set in the VIP Enterprise Gateway Validation server and the application are the same.

Issue:
    Authentication fails even before you get the SMS/Voice security code or the push notification on your registered mobile device.
Solution:
    Make sure that when configuring the RADIUS server of the application, you set the timeout field to a minimum of 60 seconds. For the steps to configure the timeout field, see Configure the Timeout.


Copyright Statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

Copyright ©2020 Broadcom. All Rights Reserved.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
