RSA ACE (SecurID) servers
SecurID is a two-factor system produced by the company RSA that uses one-time password (OTP) authentication. This system consists of the following:
- Portable tokens that users carry
- RSA ACE/Server
- Agent host (the FortiGate)
When using SecurID, users carry a small device or "token" that generates and displays a pseudo-random password. According to RSA, each SecurID authenticator token has a unique 64-bit symmetric key that is combined with a powerful algorithm to generate a new code every 60 seconds. The token is time-synchronized with the SecurID RSA ACE/Server.
The RSA ACE/Server is the SecurID system's management component. It stores and validates the information about the SecurID tokens allowed on your network. Alternately, the server can be an RSA SecurID 130 appliance.
The agent host is the server on your network. In this case, this is the FortiGate, which intercepts user logon attempts. The agent host gathers the user ID and password entered from the SecurID token and sends the information to the RSA ACE/Server for validation. If valid, the RSA ACE/Server returns a reply indicating that it is a valid logon and FortiOS allows the user access to the network resources specified in the associated security policy.
Configuring SecurID with FortiOS consists of the following:
- Configure the RSA and RADIUS servers to work with each other. See RSA server documentation.
- Do one of the following:
- Configure the RADIUS server in FortiOS.
- Create a SecurID user group.
- Create a SecurID user.
- Configure authentication with SecurID.
The following instructions are based on RSA ACE/Server 5.1 and RSA SecurID 130 appliance. They assume that you have successfully completed all external RSA and RADIUS server configuration.
In this example, the RSA server is on the internal network and has an IP address of 192.128.100.000. The FortiOS internal interface address is 192.168.100.3. The RADIUS shared secret is fortinet123, and the RADIUS server is at IP address 192.168.100.202.
To configure the RSA SecurID 130 appliance:
- Log on to the SecurID IMS console.
- Go to RADIUS > RADIUS clients, then select Add New.
Setting
Description
RADIUS Client Basics
Client Name
FortiGate
Associated RSA Agent
FortiGate
RADIUS Client Settings
IP Address
Enter the FortiOS internal interface. In this example, it is 192.168.100.3.
Make / Model
Select Standard Radius.
Shared Secret
Enter the RADIUS shared secret. In this example, it is fortinet123.
Accounting
Leave unselected.
Client Status
Leave unselected.
- Configure your FortiGate as a SecurID client:
- Click Save.
To configure the FortiGate as an agent host on the RSA ACE/Server:
- On the RSA ACE/Server, go to Start > Programs > RSA ACE/Server, then Database Administration - Host Mode.
- From the Agent Host menu, select Add Agent Host.
- Configure the following:
Setting
Description
Name
FortiGate
Network Address
Enter the FortiOS internal interface. In this example, it is 192.168.100.3.
Secondary Nodes
You can optionally enter other IP addresses that resolve to the FortiGate.
For more information, see the RSA ACE/Server documentation.
To configure the RADIUS server in FortiOS:
- Go to User & Authentication > RADIUS Servers, then click Create New.
- Configure the following:
Setting
Description
Name
RSA
Authentication method
Select Default.
Primary Server
IP/Name
192.168.100.102. You can click Test to ensure the IP address is correct and that FortiOS can contact the RADIUS server.
Secret
fortinet123
- Click OK.
To create a SecurID user group:
- Go to User & Authentication > User Groups. Click Create New.
- Configure the following:
Setting
Description
Name
RSA_group
Type
Firewall
- In Remote Groups, click Add, then select the RSA server.
- Click OK.
To create a SecurID user:
- Go to User & Authentication > User Definition. Click Create New.
- Configure the following:
Setting
Description
User Type
Remote RADIUS User
Type
wloman
RADIUS Server
RSA
Contact Info
(Optional) Enter email or SMS information.
User Group
RSA_group
- Click Create.
You can test the configuration by entering the diagnose test authserver radius RSA auto wloman 111111111
command. The series of 1s is the OTP that your RSA SecurID token generates that you enter for access.
Configuring authentication with SecurID
You can use the SecurID user group in several FortiOS features that authenticate by user group:
- Security policy
- IPsec VPN XAuth
- PPTP VPN
- SSL VPN
Unless stated otherwise, the following examples use default values.
Security policy
The example creates a security policy that allows HTTP, FTP, and POP3 traffic from the internal interface to WAN1. If these interfaces are not available in FortiOS, substitute other similar interfaces.
To configure a security policy with SecurID authentication:
- Go to Policy & Objects > Firewall Policy.
- Click Create New.
- Configure the following:
Setting
Description
Incoming Interface
internal
Source Address
all
Source User(s)
RSA_group
Outgoing Interface
wan1
Destination Address
all
Schedule
always
Service
HTTP, FTP, POP3
Action
ACCEPT
NAT
On
Shared Shaper
If you want to limit traffic or guarantee minimum bandwidth for traffic that uses the SecurID security policy, enable and use the default shaper, guarantee-100kbps.
Log Allowed Traffic
Enable if you want to generate usage reports on traffic that this policy has authenticated.
- Click OK.
IPsec VPN XAuth
In VPN > IPsec Wizard, select the SecurID user group on the Authentication page. The SecurID user group members must enter their SecurID code to authenticate.
PPTP VPN
When configuring PPTP in the CLI, set usrgrp
to the SecurID user group.
SSL VPN
You must map the SecurID user group to the portal that will serve SecurID users and include the SecurID user group in the security policy's Source User(s) field.
To map the SecurID group to an SSL VPN portal:
- Go to VPN > SSL-VPN Settings.
- Under Authentication/Portal Mapping, click Create New.
- Configure the following:
Setting
Description
Users/Groups
RSA_group
Portal
Select the desired portal.
- Click OK.