Fortinet Fortigate Integration
Contents
Introduction
This document describes steps to configure a Fortinet Fortigate with Swivel as the authentication server.
Prerequisites
Fortinet 3.x appliance and Fortinet 3.x integration script
or
Fortinet 4.x appliance and Fortinet 4.x integration script
Swivel 3.x
NAT/Public IP address if the Single Channel TURing image or other Dual channel images are to be displayed in the login page.
Baseline
Fortinet 3.x
Fortinet 4.x
Fortinet 6.x
Swivel 3.x
Swivel 4.x
Architecture
Fortinet authenticates users through RADIUS, and uses Swivel as a RADIUS server.
Swivel Configuration
Configuring the RADIUS server
On the Swivel Administration console configure the RADIUS Server and NAS, see RADIUS Configuration
Enabling Session creation with username
To allow the TURing image, PINpad and other single channel images, under Server/Single Channel set Allow session request by username to Yes.
Fortinet Fortigate Configuration
Fortinet FortigateVersion 3.x Integration guide
Fortinet Fortigate Version 4.x Integration guide
On the Fortigate Administration console select User/Remote/RADIUS, then click on Create New and enter the following information:
Name A descriptive name for the Swivel RADIUS servers
Primary Server Name/IP The IP or hostname of the Swivel server (Do not use a Swivel VIP in this field)
Primary Server Secret The shared secret entered on the Swivel RADIUS NAS
Standby Server Name/IP The IP or hostname of a standby Swivel server (Do not use a Swivel VIP in this field)
Standby Server Secret The shared secret entered on the standby Swivel RADIUS NAS
Authentication Scheme leave as Use Default Authentication Scheme unless Mobile App authentication or Check Password With Repository is used, in which case this should be set to use PAP.
By default the Fortigate and Swivel use port 1812 for RADIUS authentication.
On the Fortigate Administration console select User/User Group then select the required group, or create a new one, for Swivel Authentication then and under Remote authentication servers click on Add and select the Swivel Authentication server configured above. If not configured already the SSL-VPN access and any local user authentication can also be configured.
When multiple authentication servers are used, the Fortigate will use the username and password or One Time Code against each starting with local, until a successful authentication is made.
Fortinet Fortigate Version 6.x Integration guide
The images below show the steps to follow for a successful integration between swivel and fortinet products running version 6. Make sure to follow the first steps for integration with v4 products.
For further information regarding Fortinet FortiOS 6: https://docs.fortinet.com/uploaded/files/4328/fortios-v6.0.0-release-notes.pdf
Select Radius Servers, create a Swivel Radius Server to bind to the the Appliance and test the connection. After create a user group for Swivel.
Edit Policy and fill all the entries. Destination might have more entries for different network and sub nets ranges.
Go to SSL VPN settings and check the settings. Default for listening will be port 10443. The DNS #2 can also have a resolution DNS specific for the customer's environment.
Test the RADIUS authentication
At this stage it should be possible to authenticate by SMS, hardware Token, Mobile Phone Client and Taskbar to verify that the RADIUS authentication is working for users. Browse to the SSL VPN login page, and enter Username and if being used, the password. From the Swivel Administration console select User Administration and the required user then View Strings, and select an appropriate authentication string or OTC for the user. At the SSL VPN login enter the required OTC. Check the Swivel logs for a RADIUS success or rejected message. If no RADIUS message is seen, check that the Swivel RADIUS server is started and that the correct ports are being used.
Additional Configuration Options
Swivel can also check a password in addition to the One Time Code using Check Password with repository, see Password How to Guide
Forticlient
The above authentication integration will also work with the Fortinet Fortigate Fortclient for Client VPN access.
Login Page Customisation
The above configuration will allow authentication to be made by SMS, Mobile App, Hardware Token, and the Swivel Taskbar utility. To allow single channel authentication such as TURing or Pinpad, or images for other forms of authentication such the the security string index, then the login page can be modified. It may also be possible to modify other pages such as the Login Challenge Page.
On the Fortigate Administration console select System/Config/Replacement Messages, then click on SSL VPN to reveal the SSL VPN login message, then click on the edit icon. Paste in the required login page modifications.
Note Single channel images usually require a NAT to be used to the Swivel server.
Modify the script to use the Swivel server details:
//URL of radiusTuring page on the PINsafe server.... var sUrl="https://192.168.1.3:8443/proxy/SCImage?username=";
For a Swivel appliance the following should be used with the Swivel server IP/DNS name for the NAT entry:
var sUrl="https://192.168.1.3:8443/proxy/SCImage?username=";
For a software only install see Software Only Installation
Testing
Browse to the VPN login page and test a Swivel authentication.
Example TURing login page
Example security string index login for Mobile or for SMS
Troubleshooting
Check the Swivel logs for Turing images and RADIUS requests.
Image from PINsafe server absent
Login page modifications absent
This can be caused if the script has been altered with line feeds inserted in a text editor from wrap around text. View the login page source and see if it contains the page modifications, and are not being displayed correctly.
Known Issues and Limitations
None
Additional Information
For assistance in Swivel installation and configuration please firstly contact your reseller and then email Swivel Secure support at support@swivelsecure.com
