Fortinet Fortigate Integration

From Swivel Knowledgebase
Revision as of 12:31, 14 August 2018


Introduction

This document describes steps to configure a Fortinet Fortigate with Swivel as the authentication server.


Prerequisites

Fortinet 3.x appliance and Fortinet 3.x integration script

or

Fortinet 4.x appliance and Fortinet 4.x integration script

Swivel 3.x

NAT/Public IP address if the Single Channel TURing image or other Dual channel images are to be displayed in the login page.


Baseline

Fortinet 3.x

Fortinet 4.x

Swivel 3.x


Architecture

Fortinet authenticates users through RADIUS, and uses Swivel as a RADIUS server.


Swivel Configuration

Configuring the RADIUS server

On the Swivel Administration console configure the RADIUS Server and NAS; see RADIUS Configuration.


Enabling Session creation with username

To allow the TURing image, PINpad and other single channel images, under Server/Single Channel set Allow session request by username to Yes.


Fortinet Fortigate Configuration

Fortinet Fortigate Version 3.x Integration guide

Fortigate 3.x Integration Document


Fortinet Fortigate Version 4.x Integration guide

On the Fortigate Administration console select User/Remote/RADIUS, then click on Create New and enter the following information:

Name A descriptive name for the Swivel RADIUS servers

Primary Server Name/IP The IP or hostname of the Swivel server (Do not use a Swivel VIP in this field)

Primary Server Secret The shared secret entered on the Swivel RADIUS NAS

Standby Server Name/IP The IP or hostname of a standby Swivel server (Do not use a Swivel VIP in this field)

Standby Server Secret The shared secret entered on the standby Swivel RADIUS NAS

Authentication Scheme leave as Use Default Authentication Scheme unless Mobile App authentication or Check Password With Repository is used, in which case this should be set to use PAP.

By default the Fortigate and Swivel use port 1812 for RADIUS authentication.


Fortigate Fortinet Create New RADIUS Server.jpg


On the Fortigate Administration console select User/User Group, then select the required group (or create a new one) for Swivel Authentication. Under Remote authentication servers click on Add and select the Swivel Authentication server configured above. If not configured already, the SSL-VPN access and any local user authentication can also be configured here.

When multiple authentication servers are used, the Fortigate tries the username and password or One Time Code against each server in turn, starting with local authentication, until one of them succeeds.


Fortigate Fortinet User Group.jpg

Fortinet Fortigate Version 6.x Integration guide

The images show the steps to follow for a successful integration between Swivel and Fortinet products running version 6.

For further information regarding Fortinet FortiOS 6: https://docs.fortinet.com/uploaded/files/4328/fortios-v6.0.0-release-notes.pdf

FORTI001.png

FORTI002.png

FORTI003.png

FORTI004.png


Test the RADIUS authentication

At this stage it should be possible to authenticate by SMS, hardware Token, Mobile Phone Client and Taskbar to verify that the RADIUS authentication is working for users. Browse to the SSL VPN login page, and enter Username and if being used, the password. From the Swivel Administration console select User Administration and the required user then View Strings, and select an appropriate authentication string or OTC for the user. At the SSL VPN login enter the required OTC. Check the Swivel logs for a RADIUS success or rejected message. If no RADIUS message is seen, check that the Swivel RADIUS server is started and that the correct ports are being used.


Additional Configuration Options

Swivel can also check a password in addition to the One Time Code using Check Password with repository; see Password How to Guide.


Forticlient

The above authentication integration will also work with the Fortinet Fortigate Forticlient for Client VPN access.

Forticlient SSLVPN.png


Login Page Customisation

The above configuration will allow authentication to be made by SMS, Mobile App, Hardware Token, and the Swivel Taskbar utility. To allow single channel authentication such as TURing or PINpad, or images for other forms of authentication such as the security string index, the login page can be modified. It may also be possible to modify other pages such as the Login Challenge Page.

On the Fortigate Administration console select System/Config/Replacement Messages, then click on SSL VPN to reveal the SSL VPN login message, then click on the edit icon. Paste in the required login page modifications.

Note: Single channel images usually require a NAT to be used to reach the Swivel server.

Modify the script to use the Swivel server details:

 //URL of radiusTuring page on the PINsafe server....
 var sUrl="https://192.168.1.3:8443/proxy/SCImage?username=";

For a Swivel appliance the following should be used with the Swivel server IP/DNS name for the NAT entry:

var sUrl="https://192.168.1.3:8443/proxy/SCImage?username=";
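How the login page uses sUrl, as an added example that is not the Swivel integration script: the username typed into the login form is URL-encoded and appended to sUrl to request the single channel image, and the same function refreshes the image whenever the username field changes. The element ids username and turing-image are assumptions for this example, as are the function names. The script uses encodeURIComponent so that a username containing characters such as & or # cannot add or alter query parameters on the request to the Swivel proxy.

```javascript
// Added example, not the Swivel integration script: request the TURing image
// for the username entered on the SSL VPN login page.
// sUrl is the value from the guide; replace 192.168.1.3 with the NAT address
// of the Swivel server as the guide says. Keep it on one line: a line feed
// inserted inside the string by a wrapping editor breaks the whole script.
var sUrl = "https://192.168.1.3:8443/proxy/SCImage?username=";

// Append the username as a single encoded query value so that '&', '#', '/'
// and similar characters cannot alter the request. Returns null when there is
// nothing to request yet.
function buildTuringUrl(baseUrl, username) {
  var trimmed = String(username == null ? '' : username).trim();
  if (trimmed.length === 0) return null;
  return baseUrl + encodeURIComponent(trimmed);
}

// Wire the username field to the image element. Element ids are assumptions
// for this example; adjust them to the ids used in the replacement message.
function attachTuringImage(doc) {
  var input = doc.getElementById('username');
  var img = doc.getElementById('turing-image');
  if (!input || !img) return false;
  var refresh = function () {
    var url = buildTuringUrl(sUrl, input.value);
    if (url) img.src = url; // browser fetches the image from the Swivel proxy
  };
  input.addEventListener('change', refresh);
  input.addEventListener('blur', refresh);
  return true;
}

// Only touch the DOM when running inside a browser page.
if (typeof document !== 'undefined') attachTuringImage(document);
```

Because the image is fetched by the user's browser, not by the Fortigate, the address in sUrl must be reachable from the client, which is why the guide calls for a NAT or public IP for single channel images.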

For a software only install see Software Only Installation.


Testing

Browse to the VPN login page and test a Swivel authentication.


Example TURing login page

Fortigate 4 SSL VPN TURing.png


Example security string index login for Mobile or for SMS

Fortigate 4 SSL VPN Mobile Client Index.png


Troubleshooting

Check the Swivel logs for Turing images and RADIUS requests.


Image from PINsafe server absent


Login page modifications absent

This can be caused by the script being altered with line feeds inserted by a text editor that wraps long lines. View the login page source to check whether it contains the page modifications and whether they are being rendered correctly.


Known Issues and Limitations

None


Additional Information

Fortigate 4.x An older version of the Integration Document

For assistance in Swivel installation and configuration please firstly contact your reseller and then email Swivel Secure support at support@swivelsecure.com