Fortinet Fortigate Integration

From Swivel Knowledgebase
Revision as of 09:38, 18 May 2017 by Admin (talk | contribs) (1 revision imported)


Introduction

This document describes steps to configure a Fortinet Fortigate with Swivel as the authentication server.


Prerequisites

Fortinet 3.x appliance and Fortinet 3.x integration script

or

Fortinet 4.x appliance and Fortinet 4.x integration script

Swivel 3.x

NAT/Public IP address if the Single Channel TURing image or other Dual channel images are to be displayed in the login page.


Baseline

Fortinet 3.x

Fortinet 4.x

Swivel 3.x


Architecture

Fortinet authenticates users through RADIUS, and uses Swivel as a RADIUS server.


Swivel Configuration

Configuring the RADIUS server

On the Swivel Administration console configure the RADIUS Server and NAS, see RADIUS Configuration


Enabling Session creation with username

To allow the TURing image, PINpad and other single channel images, under Server/Single Channel set Allow session request by username to Yes.


Fortinet Fortigate Configuration

Fortinet Fortigate Version 3.x Integration guide

Fortigate 3.x Integration Document


Fortinet Fortigate Version 4.x Integration guide

On the Fortigate Administration console select User/Remote/RADIUS, then click on Create New and enter the following information:

Name A descriptive name for the Swivel RADIUS servers

Primary Server Name/IP The IP or hostname of the Swivel server (do not use a Swivel VIP in this field)

Primary Server Secret The shared secret entered on the Swivel RADIUS NAS

Standby Server Name/IP The IP or hostname of a standby Swivel server (do not use a Swivel VIP in this field)

Standby Server Secret The shared secret entered on the standby Swivel RADIUS NAS

Authentication Scheme leave as Use Default Authentication Scheme unless Mobile App authentication or Check Password With Repository is used, in which case this should be set to use PAP.

By default the Fortigate and Swivel use UDP port 1812 for RADIUS authentication.


[Screenshot: Fortigate Fortinet Create New RADIUS Server]


On the Fortigate Administration console select User/User Group, then select the required group, or create a new one, for Swivel authentication. Under Remote authentication servers click on Add and select the Swivel authentication server configured above. If not configured already, SSL-VPN access and any local user authentication can also be configured here.

When multiple authentication servers are used, the Fortigate tries the username and password or One Time Code against each server in turn, starting with local authentication, until one of them returns a successful authentication.


[Screenshot: Fortigate Fortinet User Group]


Test the RADIUS authentication

At this stage it should be possible to authenticate by SMS, hardware token, Mobile Phone Client and Taskbar, to verify that RADIUS authentication is working for users. Browse to the SSL VPN login page and enter the username and, if one is being used, the password. From the Swivel Administration console select User Administration and the required user, then View Strings, and select an appropriate authentication string or OTC for the user. At the SSL VPN login enter the required OTC. Check the Swivel logs for a RADIUS success or rejected message. If no RADIUS message is seen, check that the Swivel RADIUS server is started and that the correct ports are being used.
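To make the RADIUS settings above concrete (PAP scheme, shared secret, port 1812) and to show what the test step exercises, the following is an added Python example, not Swivel or Fortinet code: it builds the RFC 2865 Access-Request a PAP client sends, validates the reply against the shared secret, and shows that a secret mismatch fails the Response Authenticator check rather than producing a RADIUS reject. The server address, shared secret and user credentials are constructed placeholders.

```python
# Added example, not Swivel or Fortinet code: RFC 2865 PAP Access-Request and reply check.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block)."""
    password = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, secret, username, otc):
    """Return (packet, request_authenticator). otc is the Swivel one time code,
    or repository password + OTC when Check Password with Repository is on."""
    req_auth = os.urandom(16)  # fresh per request; keys the PAP obfuscation
    attrs = b""
    for typ, val in ((USER_NAME, username.encode()),
                     (USER_PASSWORD, pap_encrypt(otc.encode(), secret, req_auth))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def check_response(packet, secret, req_auth):
    """Classify a reply; a shared-secret mismatch surfaces as 'bad authenticator'."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, req_auth, packet[20:length], secret)
    if packet[4:20] != expected:
        return "bad authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")

def radius_auth(server, secret, username, otc, port=1812):
    pkt, req_auth = build_access_request(1, secret, username, otc)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(pkt, (server, port))
        reply, _ = s.recvfrom(4096)
    return check_response(reply, secret, req_auth)
```

A call such as radius_auth("192.168.1.3", b"placeholder-secret", "testuser", "1234") returns "accept", "reject" or "bad authenticator"; the last one means the secret on the Fortigate does not match the Swivel RADIUS NAS entry, and the Swivel log will still show the request arriving.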


Additional Configuration Options

Swivel can also check a password in addition to the One Time Code using Check Password with repository, see Password How to Guide


Forticlient

The above authentication integration will also work with the Fortinet Fortigate Forticlient for client VPN access.

[Screenshot: Forticlient SSLVPN]


Login Page Customisation

The above configuration will allow authentication to be made by SMS, Mobile App, Hardware Token, and the Swivel Taskbar utility. To allow single channel authentication such as TURing or Pinpad, or images for other forms of authentication such as the security string index, the login page can be modified. It may also be possible to modify other pages such as the Login Challenge Page.

On the Fortigate Administration console select System/Config/Replacement Messages, then click on SSL VPN to reveal the SSL VPN login message, then click on the edit icon. Paste in the required login page modifications.

Note: Single channel images usually require a NAT to the Swivel server, since the user's browser must be able to reach it.

Modify the script to use the Swivel server details:

 //URL of radiusTuring page on the PINsafe server....
 var sUrl="https://192.168.1.3:8443/proxy/SCImage?username=";

For a Swivel appliance the following should be used with the Swivel server IP/DNS name for the NAT entry:

 var sUrl="https://192.168.1.3:8443/proxy/SCImage?username=";

For a software only install see Software Only Installation


Testing

Browse to the VPN login page and test a Swivel authentication.


Example TURing login page

[Screenshot: Fortigate 4 SSL VPN TURing]


Example security string index login for Mobile or for SMS

[Screenshot: Fortigate 4 SSL VPN Mobile Client Index]


Troubleshooting

Check the Swivel logs for TURing image requests and RADIUS requests.


Image from PINsafe server absent


Login page modifications absent

This can be caused by the script being altered with line feeds inserted by a text editor that wraps long lines. View the login page source and check whether it contains the page modifications but they are not being rendered correctly.


Known Issues and Limitations

None


Additional Information

Fortigate 4.x An older version of the Integration Document

For assistance in Swivel installation and configuration please firstly contact your reseller and then email Swivel Secure support at support@swivelsecure.com