Fortinet

## Requirements

  • Have a functional Active Directory
  • Have NPS protected by IRONCHIP
  • Have an MFA application created in the IRONCHIP platform

Radius

The first step is simple: on the NPS server, create a RADIUS client entry that points to the FORTINET IP address.

To do this, on your AD server, open the NPS (Network Policy Server) configuration menu and create a new RADIUS client.

In the opened panel, you must enter the following details:

  1. An identifying name for the RADIUS client
  2. The IP address of the FORTINET
  3. A shared secret for RADIUS

Users and Groups

Access the FORTINET configuration panel through a web browser and the IP address of your FORTINET device.

Once here, go to User & Authentication > RADIUS Servers and add a new one.

Fill in the requested data:

  • Identifying name
  • IP of the server where you created RADIUS
  • RADIUS secret

To confirm that the connection was successful, click on Test Connectivity. If it shows "Successful," click on Test User Credentials and log in with a user from your domain. If it fails, try modifying the Windows Server firewall (sometimes it does not allow the connection).

The next step is to create a group and users that refer to the domain in Fortinet.

To do this, go to User & Authentication > User Groups and add a new one.

Give it a name, select the Firewall option, and in remote groups select your RADIUS server.

To configure users, go to the User Definition tab and follow these steps for each user you want to create:

  1. Click on Create New
  2. Select Remote RADIUS User
  3. Enter the user in the format domain\username and select the previously created RADIUS server
  4. Disable Two-factor
  5. Enable the User Group option and select the created group

Configure the VPN

To configure the VPN, go to VPN > SSL-VPN Settings.

Modify each field as follows:

  • Select the ports you will be using, such as the WAN or LAN port.
  • Change the port to avoid conflicts; we recommend using either 4443 or 10443.
  • It is not necessary to create a certificate, but you can create a self-signed one if needed.

If you scroll down to the end of the page, you will see two other fields to configure:

Create a new rule by clicking on Create New and selecting your user group, and give it full access. Click Apply to finish.

Firewall Policy

The next step is to create a policy for the Firewall.

We go to the Policy & Objects tab, then Firewall Policy and perform the following configuration:

We assign a name to the policy.

In Incoming Interface we select the option SSL-VPN-tunnel-interface.

In Outgoing Interface we select the physical interface.

In Source we select the option all and it is also very important to select the group that we have created.

In Destination we select the option all.

In Service we select the option ALL.

Once all these parameters are configured, to continue we click on OK.

The last step is to set the Fortinet group and RADIUS connection timeouts to 60 seconds so that users have time to complete the authentication. To do this, open a Fortinet terminal by clicking on the corresponding icon in the upper right corner and type:

```
FortiUrko # config user group
FortiUrko (group) # edit <<NAME OF PROTECTED USER GROUPS>>
FortiUrko (Guest-group) # set authtimeout 60
FortiUrko (Guest-group) # end
```

This gives the users of the associated group 60 seconds to authenticate.

Do the same for the RADIUS connection:

```
FortiUrko # config system global
FortiUrko (global) # set remoteauthtimeout 60
FortiUrko (global) # end
```
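The GUI steps above (RADIUS server, user group, SSL-VPN settings, firewall policy) and the two timeouts, expressed as the equivalent FortiOS CLI in one place. This is an added example, not configuration from the original page or from IRONCHIP; the names NPS-IRONCHIP and VPN-MFA-Users, the address 192.0.2.10, the interfaces wan1 and port1, the policy name and the secret placeholder are assumptions to be replaced with your own values.

```fortios
# All names, addresses and interfaces below are assumed placeholders.
config user radius
    edit "NPS-IRONCHIP"
        set server "192.0.2.10"          # Windows NPS server (constructed address)
        set secret "REPLACE_WITH_RADIUS_SECRET"
        set timeout 60                   # per-server wait, in step with the 60 s used above
    next
end

config user group
    edit "VPN-MFA-Users"
        set member "NPS-IRONCHIP"        # remote group backed by the RADIUS server
        set authtimeout 60               # same value as the group timeout set above
    next
end

config vpn ssl settings
    set port 10443                       # one of the two ports recommended above
    set source-interface "wan1"          # interface the SSL-VPN listens on
    config authentication-rule
        edit 1
            set groups "VPN-MFA-Users"
            set portal "full-access"     # "full access" rule for the user group
        next
    end
end

config firewall policy
    edit 0                               # 0 = next free policy ID
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"           # SSL-VPN tunnel interface
        set dstintf "port1"              # physical LAN interface
        set srcaddr "all"
        set dstaddr "all"
        set groups "VPN-MFA-Users"       # limits the policy to MFA-protected users
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config system global
    set remoteauthtimeout 60             # the RADIUS timeout set above
end
```

Remote RADIUS users (domain\username) still have to be created per user as described in the User Definition steps; review the resulting policy with `show firewall policy` before handing the VPN to users.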

Ironchip Application

Checking its operation with Forticlient

Note: It is important that both the NPS server and Fortinet are started at the time of testing.

First, when opening Forticlient, select the REMOTE ACCESS option.

In the following window, we choose the option to Configure VPN.

This will display a screen where we will enter all the data for the VPN. It is also important to respect the same user identification pattern established in the group and in the Ironchip management panel application.

After entering all the necessary data to make the connection, we must click on Save.

On the next screen you will see the connection name you gave earlier and the username; you only need to enter the password.

Then we click on Connect.

Note: It is important to have the computer's Firewall disabled at this point, as it does not allow the connection.

We will see a Security Alert window, read what it shows and click on the option Yes.

Once accepted, you must continue with the connection process. At this point, you will receive a message to authorize access through the Ironchip application. By accepting it, the connection process will be completed.

Once the connection is established, a window like this will appear with a brief description of the connection:

Video