FortiAuthenticator 6.1.0 Cookbook

FortiAuthenticator - Cookbook
Version 6.1.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://fortiguard.com/
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
December 16, 2020

FortiAuthenticator 6.1.0 Cookbook
23-610-616361-20201216
TABLE OF CONTENTS
Change Log 7
Certificate management 8
FortiAuthenticator as a Certificate Authority 8
Creating a new CA on the FortiAuthenticator 8
Installing the CA on the network 9
Creating a CSR on the FortiGate 13
Importing and signing the CSR on the FortiAuthenticator 15
Importing the local certificate to the FortiGate 15
Configuring the certificate for the GUI 16
Results 16
FortiAuthenticator certificate with SSL inspection 17
Creating an Intermediate CA on the FortiAuthenticator 19
Importing the signed certificate on the FortiGate 20
Configuring full SSL inspection 20
Results 22
FortiAuthenticator certificate with SSL inspection using an HSM 24
Configuring the NetHSM profile on FortiAuthenticator 25
Creating a local CA certificate using an HSM server 26
Creating an Intermediate CA on the FortiAuthenticator 29
Importing the signed certificate on the FortiGate 29
Configuring full SSL inspection 30
Results 32
FortiToken and FortiToken Mobile 34
FortiToken Mobile Push for SSL VPN 34
Adding a FortiToken to the FortiAuthenticator 35
Adding the user to the FortiAuthenticator 36
Creating the RADIUS client and policy on the FortiAuthenticator 38
Connecting the FortiGate to the RADIUS server 40
Configuring the SSL-VPN 42
Results 45
Guest Portals 49
FortiAuthenticator as Guest Portal for FortiWLC 49
Creating the FortiAuthenticator as RADIUS server on the FortiWLC 49
Creating the Captive Portal profile on the FortiWLC 50
Creating the security profile on the FortiWLC 51
Creating the QoS rule on the FortiWLC 52
Creating the ESS Profile on the FortiWLC 54
Creating FortiWLC as RADIUS client on the FortiAuthenticator 55
Creating the portal and access point on FortiAuthenticator 56
Creating the portal policy on FortiAuthenticator 57
Results 58
FortiAuthenticator 6.1.0 Cookbook 3

Fortinet Technologies Inc.
MAC authentication bypass 59
MAC authentication bypass with dynamic VLAN assignment 59
Configuring MAC authentication bypass on the FortiAuthenticator 59
Configuring the user group 60
Configuring RADIUS settings on FortiAuthenticator 60
Configuring the 3rd-party switch 62
Results 63
Self-service Portal 65
FortiAuthenticator user self-registration 65
Creating a self-registration user group 65
Enabling self-registration 66
Creating a new SMTP server 69
Results - Self-registration 70
Results - Administrator approval 72
VPNs 75
LDAP authentication for SSL VPN with FortiAuthenticator 75
Creating the user and user group on the FortiAuthenticator 75
Creating the LDAP directory tree on the FortiAuthenticator 77
Connecting the FortiGate to the LDAP server 77
Creating the LDAP user group on the FortiGate 79
Results 83
SMS two-factor authentication for SSL VPN 84
Creating an SMS user and user group on the FortiAuthenticator 85
Configuring the FortiAuthenticator RADIUS client 86
Configuring the FortiGate authentication settings 87
Creating the security policy for VPN access to the Internet 91
Results 91
WiFi authentication 95
Assigning WiFi users to VLANs dynamically 95
Configuring the FortiAuthenticator 96
Adding the RADIUS server to the FortiGate 97
Creating an SSID with dynamic VLAN assignment 98
Creating the VLAN interfaces 99
Creating security policies 103
Creating the FortiAP profile 104
Connecting and authorizing the FortiAP 106
Results 106
WiFi using FortiAuthenticator RADIUS with certificates 108
Creating a local CA on FortiAuthenticator 108
Creating a local service certificate on FortiAuthenticator 109
Configuring RADIUS EAP on FortiAuthenticator 109
Configuring RADIUS client on FortiAuthenticator 110
Configuring local user on FortiAuthenticator 111
Configuring local user certificate on FortiAuthenticator 111
Creating RADIUS server on FortiGate 112
Creating WiFi SSID on FortiGate 113

Exporting user certificate from FortiAuthenticator 117
Importing user certificate into Windows 10 117
Configuring Windows 10 wireless profile to use certificate 121
Results 126
WiFi RADIUS authentication with FortiAuthenticator 129
Creating users and user groups on the FortiAuthenticator 129
Registering the FortiGate as a RADIUS client on the FortiAuthenticator 130
Configuring FortiGate to use the RADIUS server 131
Creating SSID and set up authentication 132
Connecting and authorizing the FortiAP 133
Creating the security policy 136
Results 137
WiFi with WSSO using FortiAuthenticator RADIUS and Attributes 137
Registering the FortiGate as a RADIUS client on the FortiAuthenticator 138
Creating users on the FortiAuthenticator 138
Creating user groups on the FortiAuthenticator 139
Configuring the FortiGate to use the FortiAuthenticator as the RADIUS server 140
Configuring user groups on the FortiGate 141
Creating security policies 142
Configuring the SSID to RADIUS authentication 144
Results 145
LDAP Authentication 146
G Suite integration using LDAP 146
Generating the G Suite certificate 146
Importing the certificate to FortiAuthenticator 148
Configuring LDAP on the FortiAuthenticator 149
Troubleshooting 150
SAML Authentication 152
SAML IdP proxy for Azure 152
Configuring OAuth settings 152
Configuring the remote SAML server 153
Enabling the SAML SP FSSO Portal 153
Configuring an Azure realm 154
Configuring SAML IdP settings 154
Configuring the login page replacement message 155
Results 156
SAML IdP proxy for G Suite 156
Configuring OAuth settings 156
Configuring the remote SAML server 157
Enabling the SAML SP FSSO Portal 157
Configuring a G Suite Realm 158
Configuring IdP settings 158
Configuring the login page replacement message 159
Results 160
SAML FSSO with FortiAuthenticator and Okta 160
Configuring DNS and FortiAuthenticator's FQDN 160
Enabling FSSO and SAML on FortiAuthenticator 161
Configuring the Okta developer account IdP application 164

Importing the IdP certificate and metadata on FortiAuthenticator 166
Configuring FSSO on FortiGate 168
Office 365 SAML authentication using FortiAuthenticator with 2FA 175
Configure the remote LDAP server on FortiAuthenticator 176
Configure SAML settings on FortiAuthenticator 177
Configure two-factor authentication on FortiAuthenticator 178
Configure the domain and SAML SP in Microsoft Azure AD PowerShell 179
Configure Microsoft Azure AD Connect 181
Results 188

Change Log
Date Change Description
2020-03-28 Initial release.
2020-04-06 Added additional configuration information to FortiToken Mobile Push for SSL VPN on page 34.
2020-05-25 Added new configuration examples:

l FortiAuthenticator as Guest Portal for FortiWLC on page 49
l MAC authentication bypass with dynamic VLAN assignment on page 59
2020-06-17 Added SAML FSSO with FortiAuthenticator and Okta on page 160.
2020-08-27 Added Office 365 SAML authentication using FortiAuthenticator with 2FA on page 175.
2020-12-16 Updated Configuring the remote SAML server on page 157 in SAML IdP Proxy for G Suite.

Certificate management
This section describes managing certificates with the FortiAuthenticator device.

FortiAuthenticator can act as a certificate authority (CA) for the creation and signing of X.509 certificates, such as server
certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPsec VPN.
FortiAuthenticator as a Certificate Authority
For this recipe, you will configure the FortiAuthenticator as a Certificate Authority (CA). This will allow the
FortiAuthenticator to sign certificates that the FortiGate will use to secure administrator GUI access.
This scenario includes creating a certificate request on the FortiGate, downloading the certificate to the network’s
computers, and then importing it to the FortiAuthenticator. You will sign the certificate with the FortiAuthenticator’s own
certificate, then download and import the signed certificate back to the FortiGate.
The process of downloading the certificate to the network’s computers will depend on which web browser you use.
Internet Explorer and Chrome use one certificate store, while Firefox uses another. This configuration includes both
methods.
Creating a new CA on the FortiAuthenticator
To create a new CA:
1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new
CA.
Enter a Certificate ID, select Root CA certificate, and configure the key options as shown in the example.

2. Once created, highlight the certificate and select Export Certificate.
This will save a .crt file to your local drive.
Installing the CA on the network
The certificate must now be installed on the computers in your network as a trusted root CA. The steps below show
different methods of installing the certificate, depending on your browser.
Internet Explorer and Chrome
1. In Windows Explorer, right-click on the certificate and select Install Certificate. Open the certificate and follow the
Certificate Import Wizard.

2. Make sure to place the certificate in the Trusted Root Certification Authorities store.

3. Finish the Wizard and select Yes to confirm and install the certificate.

Firefox
1. In the web browser, go to Options > Privacy & Security > Certificates, and select View Certificates.
2. In the Authorities tab, select Import.

3. Find and open the root certificate.

You will be asked what purposes the certificate will be trusted to identify. Select all options and select OK.
Creating a CSR on the FortiGate
To create a CSR:
1. On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request
(CSR).

Enter a Certificate Name, the Internet facing IP address of the FortiGate, and a valid email address, then
configure the key options as shown in the example.
The Subject Alternative Name field must be configured with the internet facing IP address or FQDN in the
following format: IP:x.x.x.x or DNS:hostname.example.com.
2. Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.
This will save a .csr file to your local drive.

Importing and signing the CSR on the FortiAuthenticator
To import and sign the CSR:
1. Back on the FortiAuthenticator, go to Certificate Management > End Entities > Users and import the .csr
certificate created earlier.
Make sure to select the Certificate authority from the dropdown menu, and set the Hash algorithm to SHA-256, as
configured earlier.
2. Once imported, you should see that the certificate has been signed by the FortiAuthenticator, with a Status of
Active. Highlight the certificate and select Export Certificate.
This will save a .cer file to your local drive.
Importing the local certificate to the FortiGate
To import the local certificate:
1. Back on the FortiGate, go to System > Certificates, and select Local Certificate from the Import dropdown menu.
Browse to the .cer certificate, and select OK.

You should now see that the certificate's Status has changed from Pending to OK. You may have to refresh your
page to see the status change.
Configuring the certificate for the GUI
To configure the certificate:
1. On the FortiGate, go to System > Settings.

Under Administration Settings, set HTTPS server certificate to the certificate created/signed earlier, then select
Apply.
Results
Close and reopen your browser, and go to the FortiGate admin login page. If you click on the lock icon next to the
address bar, you should see that the certificate has been signed and verified by the FortiAuthenticator. As a result, no

certificate errors will appear.
FortiAuthenticator certificate with SSL inspection
For this recipe, you will create a certificate on the FortiGate, have it signed on the FortiAuthenticator, and configure the
FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic.
Note that, for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority
(CA), otherwise the certificate created in this recipe will not be trusted. For more information on how to do this, see
FortiAuthenticator as a Certificate Authority.
This scenario includes creating a certificate signing request (CSR), signing the certificate on the FortiAuthenticator, and
downloading the signed certificate back to the FortiGate. You will then create an SSL/SSH Inspection profile for full
SSL inspection, add the certificate created to the profile, and apply the profile to the policy allowing Internet access.
As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This will
apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.

To create a CSR:
(CSR).

Creating an Intermediate CA on the FortiAuthenticator
To create an Intermediate CA:
1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.
Set Type to CSR to sign, enter a Certificate ID, and import the CSR file. Make sure to select the Certificate
authority from the dropdown menu, and set the Hash algorithm to SHA-256.
2. Once imported, you should see that the certificate has been signed by the FortiAuthenticator, showing a Status of
Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export
Certificate.

Importing the signed certificate on the FortiGate
To import the signed certificate:
1. Back on the FortiGate, go to System > Certificates, and select Import > Local Certificate.
Browse to the CRT file and select OK.
2. You should now see that the certificate has a Status of OK.
Configuring full SSL inspection
To configure full SSL inspection:
1. Go to Security Profiles > SSL/SSH Inspection, and create a new profile.

Enter a Name, select the certificate from the CA Certificate dropdown menu, and make sure Inspection Method is
set to Full SSL Inspection.

2. Add the certificate to your web browser's list of trusted certificates. End users will likely see certificate warnings
unless the certificate is installed in their browser.
3. Next go to Policy & Objects > IPv4 Policy and edit the policy that allows Internet access.
Under Security Profiles, enable SSL/SSH Inspection and select the custom profile created earlier.
Enable Application Control and set it to default.

Results
1. To test the certificate, open your web browser and attempt to navigate to an HTTPS website (in the example,
https://www.dropbox.com).
Click on the lock icon next to the address bar and click Show connection details.

2. You should now see that the certificate from the FortiGate (172.25.176.127) has signed and verified access to
the site. As a result, no certificate errors will appear.
Optionally select More Information.

FortiAuthenticator certificate with SSL inspection using an HSM

For this recipe, you will create a certificate on the FortiGate, have it signed on a FortiAuthenticator with a configured
HSM server, and configure the FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic.
This example uses the Safenet Luna V7 HSM.
To set up the certificate with SSL inspection using an HSM:
1. Configuring the NetHSM profile on FortiAuthenticator on page 25

2. Creating a local CA certificate using an HSM server on page 26
3. Creating a CSR on the FortiGate on page 27
4. Creating an Intermediate CA on the FortiAuthenticator on page 29
5. Importing the signed certificate on the FortiGate on page 29
6. Configuring full SSL inspection on page 30
7. Results on page 32
In order for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority (CA),
otherwise the certificate created in this recipe will not be trusted. For more information on how to do this, see Creating a
local CA certificate using an HSM server on page 26 and FortiAuthenticator as a Certificate Authority.
As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This will
apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.
Configuring the NetHSM profile on FortiAuthenticator
To configure a new the Safenet Luna HSM server:
1. In FortiAuthenticator, go to System > Administration > NetHSMs, and click Create New.

2. In the Create New HSM Server window, configure the following:
Name Enter a name for the HSM server.
Server IP/FQDN Enter the IP address or FQDN of the HSM server to which the
FortiAuthenticator will connect.
Partition Password Enter the key partition password from the HSM server.
Client IP Enter the address of the FortiAuthenticator interface that the HSM will see.
Upload server certificate Click Upload server certificate to select the certificate from your HSM.

3. Click OK to complete the setup.
To authorize FortiAuthenticator as a Safenet Luna HSM client:
1. Make sure the FortiAuthenticator client certificate uses the <FAC IP>.pem naming convention. For example:
172.16.68.47.pem
2. Upload the FortiAuthenticator client certificate to Safenet Luna HSM using SCP transfer.
scp [certificate filename] admin@[HSM address]:
3. Use SSH to connect to the HSM, then register your FortiAuthenticator, and associate it with a partition.
ssh -1 admin [HSM address]
client register -c [client name] -ip [client address]
client assignpartition -c [client name] -p [partition name]
4. Confirm the status of the NetHSM client. For example:
client show -c my_fac
ClientID: my_fac
IPAddress: 172.16.68.47
Partitions: my_partition
Creating a local CA certificate using an HSM server
Once you have configured the HSM server on FortiAuthenticator, you can create a local CA certificate using the HSM
server to sign requests. For more information on setting up a certificate authority, see FortiAuthenticator as a Certificate
Authority on page 8.

To create a new local CA certificate using HSM:
1. On FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs, and click Create
New.
2. Enter a name for the CA certificate, for example My_CA.

3. Select Root CA as the Certificate type.
4. Enable Use NetHSM, and choose an HSM server from the dropdown menu.
5. Configure the remaining settings as desired, and click OK to save your changes.
Once your CA certificate has been created, it can be exported and installed on your network. For more information
on setting up a certificate authority, see FortiAuthenticator as a Certificate Authority on page 8.
To create a CSR:
(CSR).


Creating an Intermediate CA on the FortiAuthenticator
To create an Intermediate CA:
1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.
Set Type to CSR to sign, enter a Certificate ID, and import the CSR file.
2. Select the Certificate authority configured with the HSM from the dropdown menu, and set the Hash algorithm to
SHA-256. Click OK.
3. Once imported, you should see that the certificate has been signed by the FortiAuthenticator, showing a Status of
Active, and with the CA Type of Intermediate (non-signing) CA.
4. Highlight the certificate and select Export Certificate.
Importing the signed certificate on the FortiGate
To import the signed certificate:
1. Back on the FortiGate, go to System > Certificates and select Import > Local Certificate.
Browse to the .crt file, and select OK.

2. You should now see that the certificate has a Status of OK.
Configuring full SSL inspection
To configure full SSL inspection:
1. On the FortiGate, go to Security Profiles > SSL/SSH Inspection, and create a new profile.
Enter a Name, select the certificate from the CA Certificate dropdown menu, and make sure Inspection Method is
set to Full SSL Inspection.
2. Add the certificate to your web browser's list of trusted certificates. End users will likely see certificate warnings
unless the certificate is installed in their browser.

3. Next go to Policy & Objects > IPv4 Policy and edit the policy that allows Internet access.
4. Under Security Profiles, enable SSL/SSH Inspection and select the custom profile created earlier.
5. Enable Application Control and set it to default.

Results
1. To test the certificate, open your web browser and attempt to navigate to an HTTPS website (in the example,
https://www.dropbox.com).
Click on the lock icon next to the address bar, and click Show connection details.
2. You should now see that the certificate from the FortiGate has signed and verified access to the site. As a result, no
certificate errors will appear.

Optionally select More Information.

FortiToken and FortiToken Mobile
This section describes various authentication scenarios involving FortiToken, a disconnected one-time password (OTP)
generator that's either a physical device or a mobile token. Time-based token passcodes require that the
FortiAuthenticator clock is accurate. If possible, configure the system time to be synchronized with a network time
protocol (NTP) server.
To perform token-based authentication, the user must enter the token passcode. If the user’s username and password
are also required, this is called two-factor authentication.
FortiToken Mobile Push for SSL VPN
In this recipe, you set up FortiAuthenticator to function as a RADIUS server to authenticate SSL VPN users using
FortiToken Mobile Push two-factor authentication. With Push notifications enabled, the user can easily accept or deny
the authentication request.
For this configuration, you:
l Create a user on the FortiAuthenticator.
l Assign a FortiToken Mobile license to the user.
l Create the RADIUS client (FortiGate) on the FortiAuthenticator, and enable FortiToken Mobile Push notifications.

l Connect the FortiGate to the RADIUS server (FortiAuthenticator).

l Create an SSL VPN on the FortiGate, allowing internal access for remote users.
The following names and IP addresses are used:
l Username: gthreepwood
l User group: RemoteFTMGroup
l RADIUS server: OfficeRADIUS
l RADIUS client: OfficeServer
l SSL VPN user group: SSLVPNGroup
l FortiAuthenticator: 172.25.176.141
l FortiGate: 172.25.176.92
For the purposes of this recipe, a FortiToken Mobile free trial token is used. This recipe also assumes that the user has
already installed the FortiToken Mobile application on their smartphone. You can install the application for Android and
iOS. For details, see:
l FortiToken Mobile for Android
l FortiToken Mobile for iOS
Adding a FortiToken to the FortiAuthenticator
Before push notifications can be enabled, a Public IP/FQDN for FortiToken Mobile must be configured in System >
Administration > System Access.
If the FortiAuthenticator is behind a firewall, the public IP/FQDN will be an IP/port forwarding rule directed to one of the
FortiAuthenticator interfaces.
The interface that receives the approve/deny FTM push responses must have the FortiToken Mobile API service
enabled.
If FortiAuthenticator is not accessible to the Internet, you must create a VIP and policy on
FortiGate in order for mobile push to work. The VIP must point from an external port to
FortiAuthenticator at port 443.
Once configured, you can add your FortiToken.
To add a FortiToken:
1. On the FortiAuthenticator, go to Authentication > User Management > FortiTokens, and select Create New.
2. Set Token type to FortiToken Mobile, and enter the FortiToken Activation codes in the field provided.

Adding the user to the FortiAuthenticator
To add a user to FortiAuthenticator:
1. On the FortiAuthenticator, go to Authentication > User Management > Local Users, and select Create New.
Enter a Username (gthreepwood) and enter and confirm the user password.
Enable Allow RADIUS authentication, and select OK to access additional settings.
2. Enable Token-based authentication and select to deliver the token code by FortiToken. Select the FortiToken
added earlier from the FortiToken Mobile drop-down menu.
Set Delivery method to Email. This will automatically open the User Information section where you can enter the
user email address in the field provided.

3. Next, go to Authentication > User Management > User Groups, and select Create New.
Enter a Name (RemoteFTMUsers) and add gthreepwood to the group by moving the user from Available users to
Selected users.

4. The FortiAuthenticator sends the FortiToken Mobile activation to the user’s email address. If the email does not
appear in the inbox, check the spam folder.
The user activates their FortiToken Mobile through the FortiToken Mobile application by either entering the
activation code provided or by scanning the QR code attached.
For more information, see the FortiToken Mobile user instructions.
Creating the RADIUS client and policy on the FortiAuthenticator
To create the RADIUS client:
1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New to add the
FortiGate as a RADIUS client.
2. Enter a Name (OfficeServer), the IP address of the FortiGate, and set a Secret.
The secret is a pre-shared secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

3. Click OK.
To create the RADIUS policy:
1. Go to Authentication > RADIUS Service > Policies, and select Create New.

2. Enter the RADIUS policy name, description, and select the FortiGate RADIUS client.
3. Optionally, configure RADIUS attribute criteria.
4. Choose Password/OTP authentication as the authentication type.
5. Choose a username format (in this example: username@realm), and select the Local realm.
6. Set the authentication method to Mandatory two-factor authentication, and enable the Allow FortiToken Mobile
push notifications option.
7. Click Save and Exit.
Note the Username input format. This is the format that the user must use to enter their
username in the web portal, made up of their username and realm. In this example, the full
username for gthreepwood is gthreepwood@local.

Connecting the FortiGate to the RADIUS server
To connect the FortiGate to the RADIUS server:
1. On the FortiGate, go to User & Device > RADIUS Servers, and select Create New to connect to the RADIUS
server (FortiAuthenticator).
Enter a Name (OfficeRADIUS), the IP address of the FortiAuthenticator, and enter the Secret created before.
Select Test Connectivity to be sure you can connect to the RADIUS server. Then select Test User Credentials and
enter the credentials for gthreepwood.
Because the user has been assigned a FortiToken, the test should return stating that More validation is required.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client configured earlier.
2. Then go to User & Device > User Groups, and select Create New to map authenticated remote users to a user
group on the FortiGate.
Enter a Name (SSLVPNGroup) and select Add under Remote Groups.
Select OfficeRADIUS under the Remote Server drop-down menu, and leave the Groups field blank.
3. In the FortiGate CLI, increase the remote authentication timeout to 60 seconds.

#config system global

#set remoteauthtimeout 60
#end
Configuring the SSL-VPN
To configure the SSL-VPN:
1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.

Toggle Enable Split Tunneling so that it is disabled.
2. Go to VPN > SSL-VPN Settings.
Under Connection Settings set Listen on Interface(s) to wan1 and Listen on Port to 10443.
Under Tunnel Mode Client Settings, select Specify custom IP ranges. The IP Ranges should be set to SSLVPN_
TUNNEL_ADDR1 and the IPv6 version by default.
Under Authentication/Portal Mapping, select Create New.
Set the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access —
this will grant all other users access to the web portal only.



3. Then go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.
Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing
interface (in this case, wan1).
Set Source to the SSLVPNGroup user group and the all address.
Set Destination to all, Schedule to always, Service to ALL, and enable NAT.
Results
1. From a remote device, open a web browser and navigate to the SSL VPN web portal (https://<fortigate-ip>:10443).
2. Enter gthreepwood‘s credentials and select Login. Use the correct format (in this case, username@realm), as per
the client configuration on the FortiAuthenticator.

3. The FortiAuthenticator will then push a login request notification through the FortiToken Mobile application. Select
Approve.


Upon approving the authentication, gthreepwood is successfully logged into the SSL VPN portal.
4. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user’s connection.

Guest Portals
Guest Portals
This section contains information about creating and using guest portals.
FortiAuthenticator as Guest Portal for FortiWLC
In this recipe we will use FortiAuthenticator as Guest Portal for users getting wireless connection provided by FortiWLC.
Creating the FortiAuthenticator as RADIUS server on the FortiWLC
1. On the FortiWLC, go to Configuration > Security > RADIUS and select ADD and create two profiles. One to be
used for Authentication and one to be used for Accounting.
l RADIUS Profile name: Enter a name for the profile. Use a name that will indicate if the profile is used for
Authentication or Accounting.
l RADIUS IP: IP address of the FortiAuthenticator.
l RADIUS Secret: Shared secret between WLC and FortiAuthenticator.

Guest Portals
l RADIUS Port: Use 1812 for Authentication profile and 1813 when creating an Accounting profile.
Creating the Captive Portal profile on the FortiWLC
1. On the FortiWLC, go to Configuration > Security > Captive Portal, select the Captive Portal Profiles tab, and
ADD a new profile.
l CP Name: Enter a name for the profile.
l Authentication Type: RADIUS
l Primary Authentication:Your Authentication profile.
l Primary Accounting: Your Accounting profile.
l External Server: Fortinet-Connect
l External Portal: https://<fortiauthenticator-ip>/guests

Guest Portals
l Public IP of Controller: IP address that the FortiAuthenticator can use to communicate with the FortiWLC.
Creating the security profile on the FortiWLC
1. On the FortiWLC, go to Configuration > Security > Profile and ADD a new profile.
l Profile Name: Enter a name for the profile.
l Security Mode: Open
l Captive Portal: WebAuth
l Captive Portal Profile: Select the profile created earlier.
l Captive Portal Authentication Method: external

Guest Portals
l Passthrough Firewall Filter ID: An ID used to allow access to the portal before authentication using QoS rules.
Creating the QoS rule on the FortiWLC
1. On the FortiWLC, go to Configuration > Policies > QoS and select the QoS and Firewall Rules tab. Select ADD to
create two profiles.
For the first rule, allow the wireless client to access the FortiAuthenticator guest portal.
l ID: Rule number (in the example, 20).
l Destination IP: IP address of the FortiAuthenticator, and enable Match.
l Destination Netmask: 255.255.255.255
l Destination Port: 443, and enable Match.
l Network Protocol: 6, and enable Match.
l Firewall Filter ID: String from the security profile, and enable Match.

Guest Portals
l QoS Protocol: Other.
2. For the second rule, allow FortiAuthenticator to reach the clients.

l ID: Rule number (in the example, 21).
l Source IP: IP address of the FortiAuthenticator, and enable Match.
l Source Netmask: 255.255.255.255
l Source Port: 443, and enable Match.
l Network Protocol: 6, and enable Match.
l Firewall Filter ID: Use the Passthrough Firewall Filter ID string from the security profile, and enable Match.

Guest Portals
l QoS Protocol: Other.
Creating the ESS Profile on the FortiWLC
1. On the FortiWLC, go to Configuration > Wireless > ESS and ADD an ESS profile.
Configure the profile with an appropriate ESS Profile and SSID . Then select the Security Profile that contains the

Guest Portals
Captive Portal settings.
Creating FortiWLC as RADIUS client on the FortiAuthenticator
To create a RADIUS client:
1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new client.

Set Client address to IP/Hostname and enter the IP address the FortiWLC will send its RADIUS requests from.

Guest Portals
Set the same Secret that was entered during the RADIUS configuration on the FortiWLC.
1. Go to Authentication > RADIUS Service > Policies, and create a new policy.
2. In RADIUS clients, select the FWLC client previously created.

3. In RADIUS attribute criteria, click Next. No RADIUS attribute criteria need to be specified in this configuration.
4. In Authentication type, select Password/OTP authentication. If EAP is being used for wireless authentication,
enable Accept EAP, along with the desired EAP types.
5. In Identity source, select the realm for which user authentication is needed.
6. In Authentication factors, select Verify all configured authentication factors.
7. Review the RADIUS response, and save the policy.
Creating the portal and access point on FortiAuthenticator
To create a portal:
1. On the FortiAuthenticator, go to Authentication > Portals > Portals, and create a new portal.

2. Enter a name for the portal, and click OK.

Guest Portals
To create an access point:
1. On FortiAuthenticator, go to Authentication > Portals > Access Points, and create a new access point.
2. Enter a name for the access point, and provide the client IP/Hostname from the FortiAP, and click OK.
Creating the portal policy on FortiAuthenticator
1. On the FortiAuthenticator, go to Authentication > Portals > Policies, and create a new policy.

Enter a name for the policy, select Allow captive portal access, and choose the previously configured
FortiWLC Portal.
2. In Portal selection criteria, configure the following:

a. Access points: Select the previously configured FortiAP access point.
b. RADIUS clients: Select the previously configured FortiWLC RADIUS client.
3. In Authentication type, select Password/OTP authentication and Local/remote user.

4. In Identity sources, select the realm for which the user authentication is needed.
5. In Authentication factors, select Verify all configured authentication factors.
6. Review the RADIUS response and save your changes.

Guest Portals
Results
1. Connect a client to the SSID created on the FortiWLC, then log in to the portal with the correct username and
password.
On the FortiAuthenticator, you can go to Authentication > User Management > Local Users to create local user
accounts.
2. To confirm the successful log in, on FortiAuthenticator, go to Logging > Log Access > Logs.
3. To confirm the successful log in, on FortiWLC, go to Monitor > Devices > All Stations and find the device showing
the authenticated user.

MAC authentication bypass
This section describes configuring MAC address bypass with FortiAuthenticator.
MAC authentication bypass with dynamic VLAN assignment
In this recipe, you will configure MAC authentication bypass (MAB) in a wired network with dynamic VLAN assignment.
The purpose of this recipe is to configure and demonstrate MAB with FortiAuthenticator, using a 3rd-party switch
(EX2200) to confirm cross-vendor interoperability. The recipe also demonstrates dynamic VLAN allocation without a
supplicant.
Configuring MAC authentication bypass on the FortiAuthenticator
1. Go to Authentication > User Management > MAC Devices and create a new MAC-based device.

Enter a name for the device along with the device's MAC address.
Alternatively, you can use the Import option to import this information from a CSV file.

Configuring the user group
1. Go to Authentication > User Management > User Groups and create a new user group.

Select MAC as the type, and add the newly created MAC device. Click OK.
2. Enter the RADIUS Attributes as shown in the image below.
RADIUS attributes can only be added after the group has been created.
Configuring RADIUS settings on FortiAuthenticator
1. Go to Authentication > RADIUS Service > Clients and create a new RADIUS client.

Configure the IP and shared secret from your switch, and click OK.

1. Go to Authentication > RADIUS Service > Policies and create a new RADIUS policy.

In RADIUS clients, enter a policy name, and add the previously configured RADIUS client.
RADIUS attribute criteria can be left blank.

2. In Authentication type, select MAC authentication bypass (MAB).
3. In Identity source, add the previously configured MAC group to Authorized groups.

4. Configure the RADIUS response to reject unauthorized requests, and click Save and exit.
Configuring the 3rd-party switch
The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ
significantly.
set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
set interfaces ge-0/0/0 unit 0 family ethernet-switching #no vlan assigned to printer port,
this will be allocated based on Group attributes
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering
#interface used to communicate with FortiAuthenticator
set interfaces vlan unit 10 family inet address 10.1.2.27/24
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/0.0 mac-radius restrict #forces mac
address as username over RADIUS
set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.1.2.29
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10
No configuration is required on the endpoint.

Results
1. Connect the wired device (in this case, the printer).
2. Using tcpdump, FortiAuthenticator shows receipt of an incoming authentication request (execute tcpdump
host 10.1.2.27 -nnvvXS):
tcpdump: listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:19.110399 IP (tos 0x0, ttl 64, id 18417, offset 0, flags [none], proto UDP (17),
length 185)
10.1.2.27.60114 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 157
Access-Request (1), id: 0x08, Authenticator: b77fe0657747891fc8d53ae0ad2b0e7a
User-Name Attribute (1), length: 14, Value: 0022681af1a0 #Switch forces username
to be endpoint MAC address, no configuration needed on endpoint
0x0000: 3030 3232 3638 3161 6631 6130
NAS-Port Attribute (5), length: 6, Value: 70
0x0000: 0000 0046
EAP-Message Attribute (79), length: 19, Value: .
0x0000: 0200 0011 0130 3032 3236 3831 6166 3161
0x0010: 30
Message-Authenticator Attribute (80), length: 18, Value: .y{.j.%..9|es.'x
0x0000: a679 7b82 6344 2593 f639 7c65 73eb 2778
Acct-Session-Id Attribute (44), length: 24, value: 802.1x81fa002500078442
0x0000: 384f 322e 3178 3831 6661 3030 3235 3030
0x0010: 3037 3834 3432
NAS-Port-rd Attribute (87), length: 12, Value: ge-0/0/0.0
0x0000: 6765 2430 2f30 2f30 2e30
Calling-Station-Id Attribute (31), length: 19, value: 00-22-68-1a-fl-a0
0x0000: 3030 2032 3220 3638 2031 6120 6631 2461
0x0010: 30
Called-Station-Id Attribute (30), length: 19, Value: a8-40-e5-b0-21-80
0x0000: 6138 2464 3024 6535 2d62 302d 3231 2d38
0x0010: 30
NAS-Port-Type Attribute (61), length: 6, value: Ethernet
0x0000: 0000 000f
3. On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication.
The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.
4. Continuing with the tcpdump, authentication is accepted from FortiAuthenticator and authorization attributes
returned to the switch:
17:36:19.115264 IP (tos Ox0, ttl 64, id 49111, offset 0, flags [none], proto UDP (17),
length 73)
10.1.2.29.1812 > 10.1.2.27.60114: (bad udp cksum 0x1880 -> 0x5ccel] RADIUS, length: 45
Access-Accept (2), id: 0x08, Authenticator: b5c7b1bb5a316fb483a622eaae58ccc2
Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
0x0000: 0000 000d
Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
0x0000: 0000 0006
Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering

0x0000: 656e 6769 6e65 6572 696e 67

0x0000: 4500 0049 bfd7 0000 4011 a293 0a01 021d E..I....@ .......
0x0010: 0a01 021b 0714 ead2 0035 1880 0208 002d 5
0x0020: b5c7 blbb 5a31 6fb4 83a6 22ea ae58 ccc2 ....21o..."..X..
0x0030: 4006 0000 0000 4106 0000 0006 510d 656e @ A Q en
0x0040: 6769 6e65 6572 696e 67 gineering
5. Post-authentication DHCP transaction is picked up by FortiAuthenticator
The Switch CLI shows a successful dot1x session:
root# run show dotlx interface ge-0/0/0.0
802.1X Information:
Interface Role State MAC address User
ge-0/0/0.0 Authenticator Authenticated 00:22:68:1A:F1:A0 0022681af1a0
The MAC address interface has been dynamically placed into correct VLAN:
root# run show vlans engineering
Name Tag Interfaces
engineering 10
ge-0/0/0.0*, ge-0/0/11.0*
Additionally, the printer shows as available on the network:
root# run show arp interface vlan.10
MAC Address Address Name Interface Flags
00:0c:29:5b:90:68 10.1.2.29 10.1.2.29 vlan.10 none
6c:70:9f:d6:ae:al 10.1.2.220 10.1.2.220 vlan.10 none
b8:53:ac:4a:d5:f5 10.1.2.221 10.1.2.221 vlan.10 none
00:22:68:1a:fl:a0 10.1.2.224 10.1.2.224 vlan.10 none
a4:c3:61:24:b9:07 10.1.2.228 10.1.2.228 vlan.10 none
Total entries: 5
{master:0}[edit]
root* run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
64 bytes from 10.1.2.224: icmp_seq=0 tt1=128 time=2.068 ms
--- 10.1.2.224 ping statistics ---

3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.068/2.334/2.699/0.267 ms

Self-service Portal
Self-service Portal
Configure general self-service portal options, including access control settings, self-registration options, replacement
messages, and device self-enrollment settings.
FortiAuthenticator user self-registration
For this recipe, you will configure the FortiAuthenticator self-service portal to allow users to add their own account and
create their own passwords.
Note that enabling and using administrator approval requires the use of an email server, or SMTP server. Since
administrators will approve requests by email, this recipe describes how to add an email server to your
FortiAuthenticator. You will create and use a new server instead of the unit’s default server.
Creating a self-registration user group
To create a self-registration user group:
1. Go to Authentication > User Management > User Groups and create a new user group for self-registering users.
Enter a Name and select OK. Users will be added to this group once they register through the self-registration

Self-service Portal
portal.
Enabling self-registration
To enable self-registration:
1. Go to Authentication > Self service Portal > General.

Enter a Site name, add an Email signature that you would like appended to the end of outgoing emails, and select
OK.
2. Then go to Authentication > Self-service Portal > Self-registration and select Enable.
Enable Require administrator approval and Enable email to freeform addresses, and enter the administrator’s
email address in the field provided.

Self-service Portal
Enable Place registered users into a group, select the user group created earlier, and configure basic account
information to be sent to the user by Email.
Open the Required Field Configuration dropdown and enable First name, Last name, and Email address.

Self-service Portal

Self-service Portal
Creating a new SMTP server
To create a new SMTP server:
1. Go to System > Messaging > SMTP Servers and create a new email server for your users.
Enter a Name, the IP address of the FortiAuthenticator, and leave the default port value (25).
Enter the administrator’s email address, Account username, and Password.
Note that, for the purpose of this recipe, Secure connection will not be set to STARTTLS as a signed CA
certificate would be required.
2. Once created, highlight the new server and select Set as Default.
The new SMTP server will now be used for future user registration.

Self-service Portal
Results - Self-registration
1. When the user visits the login page, https://<FortiAuthenticator-IP>/auth/register/, they can click the Register
button, where they will be prompted to enter their information.
They will need to enter and confirm a Username, Password, First name, Last name, and Email address. These
are the only required fields, as configured in the FortiAuthenticator earlier.
Select Submit.
2. The user's registration is successful, and their information has been sent to the administrator for approval.
3. When the administrator has enabled the user’s account, the user will receive an activation welcome email.
The user's login information will be listed.

Self-service Portal
4. Select the link and log in to the user's portal.
5. The user is now logged into their account where they can review their information.
As recommended in the user’s welcome email, the user may change their password. However, this is optional.

Self-service Portal
Results - Administrator approval
1. After receiving the user’s registration request, in the FortiAuthenticator as the administrator, go to Authentication
> User Management > Local Users. The user has been added, but their Status is listed as Not Activated.
2. In the administrator’s email account, open the user’s Approval Required email. The user’s full name will appear in
the email’s subject, along with their username in the email’s body.
Select the link to approve or deny the user.

Self-service Portal
3. The link will take you to the New User Approval page, where you can review the user’s information and either
approve or deny the user’s full registration.
Select Approve.
4. The user has now been approved and activated by the administrator.
This can be confirmed by going back to Authentication > User Management > Local Users. The user’s Status has
changed to Enabled.

Self-service Portal
5. You can also go to Logging > Log Access > Logs to view the successful login of the user and more information.

VPNs
VPNs
This section contains information about creating and using a virtual private network (VPN).
LDAP authentication for SSL VPN with FortiAuthenticator
This recipe describes how to set up FortiAuthenticator to function as an LDAP server for FortiGate SSL VPN
authentication. It involves adding users to FortiAuthenticator, setting up the LDAP server on the FortiAuthenticator, and
then configuring the FortiGate to use the FortiAuthenticator as an LDAP server.
Creating the user and user group on the FortiAuthenticator
To create the user and user group:
1. On the FortiAuthenticator, go to Authentication > User Management > Local Users and select Create New.
Enter a name for the user, enter and confirm a password, and be sure to disable Allow RADIUS authentication —
RADIUS authentication is not required for this recipe.
Set Role as User, and select OK. New options will appear.

VPNs
Make sure to enable Allow LDAP browsing — the user will not be able to connect to the FortiGate otherwise.
2. Create another user with the same settings. Later, you will use jgarrick on the FortiGate to query the LDAP
directory tree on FortiAuthenticator, and you will use bwayne credentials to connect to the VPN tunnel.
3. Next go to Authentication > User Management > User Groups, and create a user group for the FortiGate users.
Add the desired users to the group.

VPNs
Creating the LDAP directory tree on the FortiAuthenticator
To create the LDAP directory tree:
1. Go to Authentication > LDAP Service > Directory Tree, and create a Distinguished Name (DN). A DN is made up
of Domain Components (DC).
Both the users and user group created earlier are the User ID (UID) and the Common Name (CN) in the LDAP
Directory Tree.
Create an Organizational Unit (OU), and a Common Name (CN). Under the cn=HeadOffice entry, add UIDs for the
users.
If you mouse over a user, you will see the full DN of the LDAP server.
Later, you will use jgarrick on the FortiGate to query the LDAP directory tree on FortiAuthenticator, and you will
use bwayne credentials to connect to the VPN tunnel.
Connecting the FortiGate to the LDAP server
To connect the FortiGate to the LDAP server:
1. On the FortiGate, go to User & Device > LDAP Servers, and select Create New.
Enter a name for the LDAP server connection.
Set Server IP/Name to the IP of the FortiAuthenticator, and set the Common Name Identifier to uid.
Set Distinguished Name to dc=fortinet,dc=com, and set the Bind Type to Regular.
Enter the user DN for jgarrick of the LDAP server, and enter the user's Password.
The DN is an account that the FortiGate uses to query the LDAP server.

VPNs
2. Select Test Connectivity to determine a successful connection.

Then select Test User Credentials to query the LDAP directory using jgarrick's credentials. The query is successful.

VPNs
Creating the LDAP user group on the FortiGate
To create the LDAP user group:
1. Go to User & Device > User Groups, and select Create New.

Enter a name for the user group. Under Remote Groups select Add.
2. Select LDAPserver under the Remote Server dropdown.

In the new Add Group Match window, right-click HeadOffice under the Groups tab, and select Add Selected. The
group will be added to the Selected tab. Select OK.

VPNs
3. LDAPserver has been added to the LDAP group. Select OK.
To configure the SSL-VPN:
1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.

Disable Split Tunneling.

VPNs
Under Connection Settings set Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

VPNs
3. Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups to the desired
portal. Select Apply.
4. Select the prompt at the top of the screen to create a new SSL-VPN policy, including the LDAPgroup, as shown.

VPNs
Results
1. From a remote device, access the SSL VPN Web Portal.

Enter valid LDAP credentials (in the example, bwayne).
2. The user is now successfully logged into the SSL VPN Portal.
3. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the connection.

VPNs
4. On the FortiAuthenticator, go to Logging > Log Access > Logs and confirm the connection.
SMS two-factor authentication for SSL VPN
In this recipe, you will create an SSL VPN with two-factor authentication consisting of a username, password, and an
SMS token.
When a user attempts to connect to this SSL VPN, they are prompted to enter their username and password. After
successfully entering their credentials, they receive an SMS message on their mobile phone containing a 6-digit number
(called the FortiToken code). They must also enter this number to get access to the internal network and the Internet.

VPNs
Although this recipe uses the FortiGuard Messaging Service, it will also work with any compatible SMS service you
configure as an SMS Gateway.
Creating an SMS user and user group on the FortiAuthenticator
To create an SMS user and user group:
1. On the FortiAuthenticator, go to Authentication > User Management > Local Users and add/modify a user to
include SMS Token-based authentication and a Mobile number using the preferred SMS gateway as shown.
The Mobile number must be in the following format:
+[international-number]
Enable Allow RADIUS authentication.
2. Go to Authentication > User Management > User Groups and add the above user to a new SMS user group (in the

VPNs
example, SMSgroup).
Configuring the FortiAuthenticator RADIUS client
1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.
2. Enter a Name, the IP address of the FortiGate, and set a Secret.
3. Click OK.

3. Optionally, configure RADIUS attribute criteria.
4. Choose Password/OTP authentication as the authentication type.

VPNs
5. Choose a username format (in this example: username@realm), select the Local realm, and add the SMSgroup
as a filter.
6. Set the authentication method to Mandatory two-factor authentication.

7. Click Save and Exit.
Configuring the FortiGate authentication settings
To configure the FortiGate authentication settings:
1. On the FortiGate, go to User & Device > RADIUS Servers and create the connection to the FortiAuthenticator
RADIUS server, using its IP address and pre-shared secret.
Use Test Connectivity to make sure that the FortiGate can communicate with the FortiAuthenticator.

VPNs
2. Next, go to User & Device > User Groups and create a RADIUS user group called RADIUSgroup.
Set the Type to Firewall and add the RADIUS server to the Remote groups table.

VPNs
Configure the SSL-VPN settings:
Under Connection Settings, set Listen on Port to 10443. Under Tunnel Mode Client Settings, select Specify
custom IP ranges and set IP Ranges to the SSL VPN tunnel address range.
Assign the RADIUSgroup user group to the full-access portal, and assign All Other Users/Groups to the desired
portal.

VPNs

VPNs
Creating the security policy for VPN access to the Internet
To create the security profile:
1. Go to Policy & Objects > IPv4 Policy and create a new SSL-VPN policy, including the RADIUSgroup, as shown.
Results
In this example, we will use the web portal to access the SSL VPN and test the two-factor authentication.
To test two-factor authentication:
1. Open a browser and navigate to the SSL VPN web portal, in this case https://172.25.176.127:10443.
Enter a valid username and password and select Login. You should be prompted to enter a FortiToken Code.

VPNs
2. The FortiToken Code should have been sent to your mobile phone as a text message containing a 6-digit number.
Enter the number into the SSL VPN login portal and select Login.

VPNs

VPNs
3. You should now have access to the SSL VPN tunnel.
4. To verify that the user has connected to the tunnel, on the FortiGate, go to Monitor > SSL-VPN Monitor.
5. On the FortiAuthenticator, go to Logging > Log Access > Logs to confirm the user's connection.

WiFi authentication
WiFi authentication
This section describes configuring WiFi authentication with FortiAuthenticator.
Assigning WiFi users to VLANs dynamically
Virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs.
Each user’s VLAN assignment is stored in the user database of the RADIUS server that authenticates the users.
This example creates dynamic VLANs for the Techdoc and Marketing departments. The RADIUS server is a
FortiAuthenticator. It is assumed a user group on the FortiAuthenticator has already been created (in this example,
employees).
config certificate ca
edit {name}
# CA certificate.
set name {string} Name. size[79]
set ca {string} CA certificate as a PEM file.
set range {global | vdom} Either global or VDOM IP address range for the CA cer-
tificate.
global Global range.
vdom VDOM IP address range.
set source {factory | user | bundle} CA certificate source type.
factory Factory installed certificate.
user User generated certificate.
bundle Bundle file certificate.
set trusted {enable | disable} Enable/disable as a trusted CA.
set scep-url {string} URL of the SCEP server. size[255]
set auto-update-days {integer} Number of days to wait before requesting an updated
CA certificate (0 - 4294967295, 0 = disabled). range[0-4294967295]

WiFi authentication
Configuring the FortiAuthenticator

3. Do not configure RADIUS attribute criteria.
4. Choose Password/OTP authentication as the authentication type and enable all EAP types.
5. Choose a username format (in this example: username@realm), select the Local realm.
Add the employees user group as a filter.
6. Set the authentication method to Password only authentication.
7. Review the RADIUS response, and click Save and Exit.
To create the local user accounts:
1. Next go to Authentication > User Management > Local Users and create local user accounts as needed.
2. For each user, add the following RADIUS attributes which specify the VLAN information to be sent to the FortiGate.

WiFi authentication
The Tunnel-Private-Group-Id attribute specifies the VLAN ID.

In this example, jsmith is assigned VLAN 100 and twhite is assigned VLAN 200.
Adding the RADIUS server to the FortiGate
To add the RADIUS server to the FortiGate:
1. On the FortiGate, go to User & Device > RADIUS Servers and select Create New.
Enter the FortiAuthenticator IP address and the server Secret entered on the FortiAuthenticator earlier.
Select Test Connectivity to confirm the successful connection.

WiFi authentication
Creating an SSID with dynamic VLAN assignment
To create an SSID with dynamic VLAN assignment:
1. On the FortiGate, go to WiFi & Switch Controller > SSID and create a new SSID.
Set up DHCP service.
2. Select WPA2 Enterprise security and select your RADIUS server for authentication.
Enable Dynamic VLAN Assignment.

WiFi authentication
3. Then open the CLI Console and enter the following command to assignment and set the VLAN ID to 10. This
VLAN is used when RADIUS does not assign a VLAN:
config wireless-controller vap
edit example-wifi
set vlanid 10
next
end
Creating the VLAN interfaces
To create the VLAN interfaces:
1. Go to Network > Interfaces.
Create the VLAN interface for default VLAN-10 and set up DHCP service.

WiFi authentication
2. Then create two more VLAN interfaces: one for marketing-100 and another for techdoc-200, both with
DHCP service.

WiFi authentication

WiFi authentication

WiFi authentication
Creating security policies
To create the security policies:
1. Go to Policy & Objects > IPv4 Policy.

Create a policy that allows outbound traffic from marketing-100 to the Internet.
2. Under Logging Options, enable logging for All Sessions.
3. Create another policy that allows outbound traffic from techdoc-200 to the Internet.

WiFi authentication
For this policy too, under Logging Options, enable logging for All Sessions.
Creating the FortiAP profile
To create the FortiAP profile:
1. Go to WiFi & Switch Controller > FortiAP Profiles.

Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2.

WiFi authentication

WiFi authentication
Connecting and authorizing the FortiAP
To connect and authorize the FortiAP:
1. Go to Network > Interfaces and edit an unused interface.

Set an IP/Network Mask and enable CAPWAP under Administrative Access > IPv4.
Enable DHCP Server.
Now connect the FortiAP unit to the this interface and apply power.
2. Go to WiFi & Switch Controller > Managed FortiAPs.
Right-click on the FortiAP unit and select Authorize.
Once authorized, right-click on the FortiAP unit again and select Assign Profile and select the FortiAP profile
created earlier.
Results
The SSID will appear in the list of available wireless networks on the users’ devices.
Both twhite and jsmith can connect to the SSID with their credentials and access the Internet.
If a certificate warning message appears, accept the certificate.
1. Go to FortiView > Policies.
Note that traffic for jsmith and twhite will pass through different policies. In this example, the marketing-100-
internet policy is displayed, indicating that jsmith has connected to the WiFi.

WiFi authentication
2. Double-click to drill-down, where the user's identity (including username, source IP, and device address) is
confirmed.
3. When twhite has connected to the WiFi network, go to FortiView > Policies and drill-down. The user, and techdoc-
200-internet policy, is confirmed.

WiFi authentication
WiFi using FortiAuthenticator RADIUS with certificates
This recipe will walk you through the configuration of FortiAuthenticator as the RADIUS server for a FortiGate wireless
controller. WPA2-Enterprise with 802.1X authentication can be used to authenticate wireless users with
FortiAuthenticator. 802.1X utilizes the Extensible Authentication Protocol (EAP) to establish a secure tunnel between
participants involved in an authentication exchange.
EAP-TLS is the most secure form of wireless authentication because it replaces the client username/password with a
client certificate. Every end user, including the authentication server, that participates in EAP-TLS must possess at least
two certificates:
1. A client certificate signed by the certificate authority (CA)
2. A copy of the CA root certificate.
This recipe specifically focuses on the configuration of the FortiAuthenticator, FortiGate, and Windows 10 computer.
Creating a local CA on FortiAuthenticator
The FortiAuthenticator will act as the certificate authority for all certificates authenticated for client access. To enable
this functionality, a self-signed root CA certificate must be generated.
To create the local CA:
1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Create
New.
Configure the fields as required.

WiFi authentication
Creating a local service certificate on FortiAuthenticator
In order for the FortiAuthenticator to use a certificate in mutual authentication (supported by EAP‐
TLS), a local services
certificate has to be created on behalf of the FortiAuthenticator.
To create the local service certificate:
1. Go to Certificate Management > End Entities > Local Services and select Create New. Complete the information
in the fields pertaining to your organization.
Configuring RADIUS EAP on FortiAuthenticator
In order for the FortiAuthenticator to present the newly created Local Services certificate as its authentication to the
WiFi client, the RADIUS-‐ EAP must be configured to use this certificate.

WiFi authentication
To configure RADIUS EAP on FortiAuthenticator:
1. Go to Authentication > RADIUS Service > EAP, and select Create New.
2. Select the corresponding Local Services certificate in the EAP Server Certificate section.
3. Choose the Local CA certificate previous configured in the Local CAs section.
Configuring RADIUS client on FortiAuthenticator
The FortiAuthenticator has to be configured to allow RADIUS clients to make authorization requests to it.

4. Set the authentication type as Password/OTP authentication, and enable Accept EAP with only EAP-TTLS
selected.
EAP-TLS should be the only EAP type selected to prevent fallback to a less secure version of authentication if a
certificate is not presented by the WiFi client.

WiFi authentication
6. Set the authentication method to Password only authentication.

7. Review the RADIUS response, and click Save and Exit.
Configuring local user on FortiAuthenticator
The authentication of the WiFi client will be tied to a user account on the FortiAuthenticator. In this scenario, a local
user will be configured but remote users associated with LDAP can be configured as well.
To configure a local user:
1. Go to Authentication > User Management > Local Users and select Create New.
Fill out applicable user information.
Configuring local user certificate on FortiAuthenticator
The certificate created locally on the FortiAuthenticator will be associated with the local user. It is important to note that
the Name (CN) must match the username exactly of the user that is registered in the FortiAuthenticator (in the
example, eap-user).
To configure the local user certificate:
1. Go to Certificate Management > End Entities > Users and select Create New.
Fill out applicable user information to map the certificate to the correct user.

WiFi authentication
Creating RADIUS server on FortiGate
In order to proxy the authentication request from the wireless client, the FortiGate will need to have a RADIUS server to
submit the authentication request to.
To create the RADIUS server on FortiGate:
1. On the FortiGate, go to User & Device > RADIUS Servers and select Create New. Enter a Name, the
FortiAuthenticator’s IP address, and the same Secret set on the FortiAuthenticator.

WiFi authentication
Creating WiFi SSID on FortiGate
In order for the WiFi client to connect using its certificate a SSID has to be configured on the FortiGate to accept this
type of authentication.

WiFi authentication
To create the WiFi SSID:
1. Go to WiFi & Switch Controller > SSID and create an SSID with DHCP for clients.
2. Set the following WiFi Settings, assigning the RADIUS Server configured earlier.

WiFi authentication
3. Then go to WiFi & Switch Controller > FortiAP Profiles and edit your FortiAP default profile.
Select the new SSID for both Radio 1 and Radio 2.

WiFi authentication
4. Then go to Policy & Objects > IPv4 Policy and create a policy that allows outbound traffic from the EAP-TLS
wireless interface to the Internet.

WiFi authentication
Exporting user certificate from FortiAuthenticator
In order for the WiFi client to authenticate with the RADIUS server, the user certificate created in the FortiAuthenticator
must first be exported.
To export the FortiAuthenticator user certificate:
1. On the FortiAuthenticator, go to Certificate Management > End Entities > Users. Select the certificate and select
Export Key and Cert.
2. In the Export User Certificate and Key File dialog, enter and confirm a Passphrase. This password will be used
when importing the certificate into a Windows 10 computer. Select OK.
3. Select Download PKCS#12 file to pull this certificate to the Widows 10 computer. Select Finish.
Importing user certificate into Windows 10
To import the user certificate:
1. On the Windows 10 computer, double-click the downloaded certificate file from the FortiAuthenticator.
This will launch the Certificate Import Wizard. Select Next.

WiFi authentication
2. Make sure the correct certificate is shown in the File name section in the File to Import window. Select Next.

WiFi authentication
3. Enter the Password created on the FortiAuthenticator during the export of the certificate.
Select Mark this key as exportable and leave the remaining options to default. Select Next.

WiFi authentication
4. In the Certificate Store, choose the Place all certificates in the following store.
Select Browse and choose Personal. Select Next, and then Finish.
A dialog box will show up confirming the certificate was imported successfully.

WiFi authentication
Configuring Windows 10 wireless profile to use certificate
Create a new wireless SSID for this secure connection, in this case EAP-TLS.
To create a wireless SSID:
1. On Windows 10, got to Control Panel > Network and Sharing Center > Set up a new connection or network >
Manually connect to a wireless network. Enter a Network name and set Security type to WPA2-Enterprise. The
Encryption type is set to AES.

WiFi authentication
2. Once created, you have the option to modify the wireless connection. Select Change connection settings.

WiFi authentication
3. In the Security tab, set Choose a network authentication method to Microsoft: Smart card or other certificates,
and select Settings.

WiFi authentication
4. Enable both Use a certificate on this computer and Use simple certificate selection.
Note that, for simplification purposes, Verify the server's identity by validating the certificate has been disabled.
However EAP-‐ TLS allows the client to validate the server as well as the server validate the client. To enable this,
you will need to import the CA from the FortiAuthenticator to the Windows 10 computer and make sure that it is
enabled as a Trusted Root Certification Authority.
Select OK for all dialog windows to confirm all settings. The configuration for the Windows 10 computer has been
completed and the user should be able to authenticate to WiFi via the certificate without using their username and
password.

WiFi authentication

WiFi authentication
Results
1. On the user's device, attempt to connect to the WiFi. Select the user's certificate and select OK.
2. On the FortiAuthenticator, go to Logging > Log Access > Logs to confirm the successful authentication.

WiFi authentication
3. On the FortiGate, go to Monitor > WiFi Client Monitor to view various information about the client.
You can also go to Log & Report > Forward Traffic to view more log details.

WiFi authentication

WiFi authentication
WiFi RADIUS authentication with FortiAuthenticator
In this example, you use a RADIUS server to authenticate your WiFi clients.
The RADIUS server is a FortiAuthenticator that is used authenticate users who belong to the employees user group.
Creating users and user groups on the FortiAuthenticator
To create users and user groups:
1. Go to Authentication > User Management > Local Users and create a user account.
2. Then go to Authentication > User Management > User Groups and create a local user group (employees), adding

WiFi authentication
the newly created user.
Registering the FortiGate as a RADIUS client on the FortiAuthenticator

4. Set the authentication type as Password/OTP authentication, and enable all EAP types.
Add the user group employees as a filter.
6. Review the remaining configurations, and click Save and Exit.

WiFi authentication
Configuring FortiGate to use the RADIUS server
To configure FortiGate to use the RADIUS server:
1. Go to User & Device > RADIUS Servers and add the FortiAuthenticator as a RADIUS server.

WiFi authentication
Creating SSID and set up authentication
To create an SSID and set up authentication:
1. Go to WiFi & Switch Controller > SSID and define your wireless network.
2. Set up DHCP for your clients.

WiFi authentication
3. Configure WPA2 Enterprise security that uses the RADIUS server.
Connecting and authorizing the FortiAP
To connect and authorize the FortiAP:
1. Go to Network > Interfaces and configure a dedicated interface for the FortiAP.

Under Administrative Access, enable PING and CAPWAP, and enable DHCP Server.
Under Networked Devices, enable Device Detection.

WiFi authentication
2. Connect the FortiAP unit to the interface. Then go to WiFi & Switch Controller > Managed FortiAPs. Notice the
Status is showing Waiting for Authorization.
When the FortiAP is listed, select and Authorize it.
3. The FortiAP is now Online. The Status may take a few minutes to update.
4. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile.

This example uses a FortiAP-S 221E, so the FAPS221E-default profile applies.
For each radio, make sure to select your SSID .

WiFi authentication

WiFi authentication
Creating the security policy
To create the security policy:
1. Go to Policy & Objects > IPv4 Policy and add a policy that allows WiFi users to access the Internet.
2. Under Logging Options, enable Log Allowed Traffic and All Sessions.

WiFi authentication
Results
1. Connect to the example-staff network and browse Internet sites.

On the FortiGate, go to Monitor > WiFi Client Monitor to see that clients connect and authenticate.
WiFi with WSSO using FortiAuthenticator RADIUS and Attributes
This is an example of wireless single sign-on (WSSO) with a FortiGate and FortiAuthenticator. The WiFi users are
teachers and students at a school. These users each belong to a user group, either teachers (smaguire) or students
(whunting). The FortiAuthenticator performs user authentication and passes the user group name to the FortiGate so
that the appropriate security policy is applied.
This recipe assumes that an SSID and a FortiAP are configured on the FortiGate unit. In this configuration, you will be
changing the existing SSID’s WiFi settings so authentication is provided by the RADIUS server.
For this example, the student security policy applies a more restrictive web filter.

WiFi authentication
Registering the FortiGate as a RADIUS client on the FortiAuthenticator

4. Set the authentication type as Password/OTP authentication, and enable all EAP types.
6. Review the remaining configurations, and click Save and Exit.
Creating users on the FortiAuthenticator
To create users:
1. Go to Authentication > User Management > Local Users and select Create New.
Create one teacher user (smaguire) and another student user (whunting).

WiFi authentication
2. Note that, after you create the users, RADIUS Attributes appears as an option.
If your configuration involves multiple users, it is more efficient to add RADIUS attributes in their respective user
groups, in the next step.
Creating user groups on the FortiAuthenticator
To create user groups:
1. Go to Authentication > User Management > User Groups and create two user groups: teachers and students.
Add the users to their respective groups.

WiFi authentication
2. Once created, edit both user groups and select Add Attribute.
3. Add the Fortinet-Group-Name RADIUS attribute to each group, which specifies the user group name to be sent to
the FortiGate.
Configuring the FortiGate to use the FortiAuthenticator as the RADIUS server
To configure the FortiGate to use the FortiAuthenticator RADIUS server:
1. On the FortiGate, go to User & Device > RADIUS Servers and select Create New.
Enter a Name, the Internet-facing IP address of the FortiAuthenticator, and enter the same Primary Server Secret
entered on the FortiAuthenticator.

WiFi authentication
Configuring user groups on the FortiGate
To configure user groups on the FortiGate:
1. Go to User & Device > User Groups and create two groups named the same as the ones created on the
FortiAuthenticator.

WiFi authentication
Do not add any members to either group.
Creating security policies
To create a security policy:
1. Go to Policy & Objects > IPv4 Policy and select Create New.

Create two policies (student-wifi and teacher-wifi) with WiFi-to-Internet access: one policy with Source set to the
students user group, and the other set to teachers. Make sure to add the SSID address (example-wifi) to both
policies also.

WiFi authentication
The student policy has a more restrictive Web Filter profile enabled.

WiFi authentication
Configuring the SSID to RADIUS authentication
To configure the SSID to RADIUS authentication:
1. Go to WiFi & Switch Controller > SSID and edit your pre-existing SSID interface.
Under WiFi Settings, set Security Mode to WPA2 Enterprise, set Authentication to RADIUS Server, and add the
RADIUS server configured on the FortiGate earlier from the dropdown menu.

WiFi authentication
Results
1. Connect to the WiFi network as a student.
2. Then on the FortiGate go to Monitor > Firewall User Monitor. From here you can verify the user, the user group,
and that the WSSO authentication method was used.

LDAP Authentication
LDAP Authentication
This section describes configuring LDAP authentication.
G Suite integration using LDAP
This article explains how to integrate the FortiAuthenticator with G Suite Secure LDAP using client authentication
through a certificate. You will use the LDAP in Google DB to authenticate end users for 802.1X and VPN.
1. Generating the G Suite certificate on page 146
2. Importing the certificate to FortiAuthenticator on page 148
3. Configuring LDAP on the FortiAuthenticator on page 149
4. Troubleshooting on page 150
Generating the G Suite certificate
You must first generate certificates to authenticate the LDAP client with Secure LDAP service.
To generate certificate authentication:
1. From the Google Admin console, go to Apps > LDAP.

2. Select one of the clients in the list.
3. Click the Authentication card.

LDAP Authentication
4. Click GENERATE NEW CERTIFICATE, then click the download icon to download the certificate.
5. Upload the certificate to your client, and configure the application.
Depending on the type of LDAP client, configuration may require LDAP access credentials. See Generate access
credentials.
Once you have uploaded the certificate to your client, G Suite will generate a client certificate and key.
Example:
l Cert: Google_2022_09_09_72372.crt
l Key: Google_2022_09_09_72372.key
Store the certificate and key in a safe place.

By default, FortiAuthenticator will not trust the certificate issued by Google. You must install a Google Trusted CA to
match the chain group, which can be downloaded at https://pki.goog/.

LDAP Authentication
l GS Root R2
Importing the certificate to FortiAuthenticator
This series of steps can be performed on the primary FortiAuthenticator.
To import the trusted CA certificate:
1. Go to Certificate Management > Certificate Authorities > Trusted CAs > Import.

2. Enter a Certificate ID, upload a file, and click OK.
Results:
You can now import the LDAP certificate generated by G Suite.
To import the client authentication certificate:
1. Go to Certificate Management > End Entities > Local Services > Import.

2. Select Certificate and Private Key as the Type.
3. Enter the Certificate ID, choose the files for the previously saved certificate and private key files, and select OK.
4.
Results:

LDAP Authentication
Configuring LDAP on the FortiAuthenticator
Now you can finish the LDAPS configuration using client authentication through certificate.
1. Go to Authentication > Remote Auth. Servers > LDAP > Create New, and enter the following information:
a. Enter a name.
b. For Primary server name/IP enter ldap.google.com, and set the port to 636.
c. Enter the base distinguished name.
d. For the Username attribute, enter uid.
e. Select the option to obtain group memberships from Group attribute.
f. Enable Secure Connection and select either LDAPS or STARTTLS as the Protocol, and select the Google
CA certificate.
g. Enable Use Client Certificate for TLS Authentication, and select the LDAP certificate.
2. Select OK.
If required, you can now import users by clicking the Go button next to the Import users dropdown. This is not a
required step, but can be done in cases where you want to include additional information to their accounts or assign
FortiTokens.

LDAP Authentication
Troubleshooting
Missing option to use client certificate for TLS authentication
Use Client Certificate for TLS Authentication is only supported in FortiAuthenticator 6.0.1 and higher.

LDAP Authentication
Certificate error messages
The following is an example of an incorrect Trusted CA certificate entry. Please verify that you have followed the steps
included in Generating the G Suite certificate on page 146.

SAML Authentication
SAML Authentication
This section describes configuring SAML authentication.
SAML IdP proxy for Azure
This recipe describes how to set up FortiAuthenticator as a SAML IdP proxy for Microsoft Azure.
To configure FortiAuthenticator as a SAML IdP proxy for Azure:
1. Configuring OAuth settings on page 152

2. Configuring the remote SAML server on page 153
3. Enabling the SAML SP FSSO Portal on page 153
4. Configuring an Azure realm on page 154
5. Configuring SAML IdP settings on page 154
6. Configuring the login page replacement message on page 155
Configuring OAuth settings
To configure remote OAuth settings:
1. On FortiAuthenticator, go to Remote Auth. Servers > OAUTH, and click Create New.

2. Provide a name for the server and select Azure Directory as the OAuth source.
3. Enter the client ID and client key from the SAML application on your Azure account.
4. Click OK to save your changes.

SAML Authentication
Configuring the remote SAML server
To configure the remote SAML server:
1. Go to Remote Auth. Servers > SAML, and click Create New.

The server name must match the one created in https://portal.azure.com/. For example, if the name in Azure is set
as AZIdP, the SAML server should also use AZIdP (case sensitive).
2. For the Entity ID, click the dropdown menu and select the Azure IdP option.
3. Import the IdP metadata from Azure. To download and import the Azure federation metadata:
a. In Azure, go to Azure Active Directory > App Registrations and select the application being used for
SAML authentications for your FortiAuthenticator.
b. In Endpoints, select the federation metadata document, enter the URL into the browser, and save it as an
XML file.
c. Click Import IDP metadata/certificate, and upload the federation metadata file.
4. In Group Membership, select Cloud and choose the previously created Azure OAuth server.
5. At the top of the page, select Proxy as the Type, and copy the Portal URL to be used later when customizing the
replacement message.
Enabling the SAML SP FSSO Portal
To enable the SAML SP FSSO Portal:
1. Go to Fortinet FSSO Methods > SSO > Portal Services and enable the SAML portal.
2. Go to Fortinet FSSO Methods > SSO > SAML Authentication and create a new SAML server.
Select the previously created remote SAML server and click OK.

SAML Authentication
Configuring an Azure realm
To create an Azure realm and add it to the IdP:
1. Go to Authentication > User Management > Realms

2. Click Create New.
3. Add the details of the Azure realm, and click OK.
Configuring SAML IdP settings
To configure general settings:
1. Go to Authentication > SAML IdP > General.

2. Enable the SAML identity provider portal and enter the following:
a. Server address: Enter the FortiAuthenticator FQDN.
b. Realms: Add the realm associated with the remote server for Azure IdP.
c. Default IdP certificate: Select a default certificate to use.
To configure service provider settings:
1. Go to Authentication > SAML IdP > Service Providers and create a new reference for the service
provider that you will be using as your SAML client.
The name can be anything you want.
2. Enter the SP information from the client you will be using as the SAML service provider.
3. Download the IdP metadata.
This can be used to set up the SAML IdP configuration in your SAML SP client (if allowed by your client).
4. Under SAML Attribute click Create New, and enter a SAML Attribute name that your SAML SP is
expecting to identify the user. Select a User Attribute for this selection. If you're unsure of which attribute
to pick, select SAML Username.

SAML Authentication
Configuring the login page replacement message
To configure the login page replacement message:
1. Go to Authentication > SAML IdP > Replacement Messages.

2. On the Login Page replacement message, click the Restore Defaults dropdown and choose idp-server-and-proxy.
3. In the text/html editor, scroll down until you see the [proxy_portal_url] placeholder and replace it with the
previously saved proxy portal URL.
4. Click Save.

SAML Authentication
Results
To test Azure login through the SP:
1. Enter in the portal login URL from the service provider in a new browser.
You are redirect you to the FAC's IdP-server and proxy page.
2. Click on the link below the login options to be redirected to Microsoft's login page.
SAML IdP proxy for G Suite
This recipe describes how to set up FortiAuthenticator as a SAML IdP proxy for Google G Suite.
To configure FortiAuthenticator as a SAML IdP proxy for G Suite:
1. Configuring OAuth settings on page 156

2. Configuring the remote SAML server on page 157
3. Enabling the SAML SP FSSO Portal on page 157
4. Configuring a G Suite Realm on page 158
5. Configuring IdP settings on page 158
6. Configuring the login page replacement message on page 159
Configuring OAuth settings
To configure remote OAuth settings:
1. On FortiAuthenticator, go to Remote Auth. Servers > OAUTH, and click Create New.

2. Provide a name for the server and select G Suite Directory as the OAuth source.
3. Enter the G-suite admin, and upload the Service account key file from the SAML application on your G Suite
account.

SAML Authentication
Configuring the remote SAML server
To configure the remote SAML server:
1. Go to Remote Auth. Servers > SAML, and click Create New.

The server name must match the one created in G Suite. For example, if the name in G Suite is set as GSIdP, the
SAML server should also use GSIdP (case sensitive).
2. Import the IdP metadata obtained from the SAML app on G Suite.
3. In Group Membership, select Cloud and choose the previously created G Suite OAuth server.
4. At the top of the page, select Proxy as the Type, and copy the Portal URL to be used later when customizing the
replacement message.
Enabling the SAML SP FSSO Portal
To enable the SAML SP FSSO Portal:
1. Go to Fortinet FSSO Methods > SSO > Portal Services and enable the SAML portal.
2. Go to Fortinet FSSO Methods > SSO > SAML Authentication and create a new SAML server.
Select the previously created remote SAML server and click OK.

SAML Authentication
Configuring a G Suite Realm
To create a G Suite Realm and add it to the IdP:
1. Go to Authentication > User Management > Realms.

2. Click Create New.
3. Add the details of the G Suite realm, and click OK.
Configuring IdP settings
To configure general settings:
1. Go to Authentication > SAML IdP > General.

2. Enable the SAML identity provider portal and enter the following:
a. Server address: Enter the FortiAuthenticator FQDN.
b. Realms: Add the realm associated with the remote server for G Suite.
c. Default IdP certificate: Select a default certificate to use.
To configure service provider settings:
1. Go to Authentication > SAML IdP > Service Providers and create a new reference for the service
provider that you will be using as your SAML client.
The name can be anything you want.
2. Enter the SP information from the client you will be using as the SAML service provider.
3. Download the IdP metadata.
This can be used to set up the SAML IdP configuration in your SAML SP client (if allowed by your client).
4. Under SAML Attribute click Create New, and enter a SAML Attribute name that your SAML SP is
expecting to identify the user. Select a User Attribute for this selection. If you're unsure of which attribute
to pick, select SAML Username.

SAML Authentication
Configuring the login page replacement message
To configure the login page replacement message:
1. Go to Authentication > SAML IdP > Replacement Messages.

2. On the Login Page replacement message, click the Restore Defaults dropdown and choose idp-server-and-proxy.
3. In the text/html editor, scroll down until you see the [proxy_portal_url] placeholder and replace it with the
previously saved proxy portal URL.
4. Click Save.

SAML Authentication
Results
To test G Suite login through the SP:
1. Enter in the portal login URL from the service provider in a new browser.
You are redirect you to the FAC's IdP-server and proxy page.
2. Click on the link below the login options to be redirected to Google's login page.
SAML FSSO with FortiAuthenticator and Okta
In this example, you will provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution
using FortiAuthenticator as the service provider (SP) and Okta, a cloud-based user directory, as the identity provider
(IdP).
Okta is a secure authentication and identity-access management service that offer secure SSO solutions. Okta can be
implemented with a variety of technologies and services including Office 365, G Suite, Dropbox, AWS, and more.
A user will start by attempting to make an unauthenticated web request. The FortiGate’s captive portal will offload the
authentication request to the FortiAuthenticator’s SAML SP portal, which in turn redirects that client/browser to the
SAML IdP login page. Assuming the user successfully logs into the portal, a positive SAML assertion will be sent back to
the FortiAuthenticator, converting the user’s credentials into those of an FSSO user.
In this example configuration, the FortiGate has a DMZ IP address of 192.168.50.1, and the FortiAuthenticator has
the Port1 IP address of 192.168.50.100. Note that, for testing purposes, the FortiAuthenticator’s IP and FQDN have
been added to the host’s file of trusted host names; this is not necessary for a typical network.
This configuration assumes that you have already created an Okta developer account.
Configuring DNS and FortiAuthenticator's FQDN
1. On FortiAuthenticator, go to System > Dashboard > Status. In the System Information widget, select the edit
icon next to Device FQDN .
Enter a domain name (in this example, fac.school.net). This will help identify where the FortiAuthenticator is

SAML Authentication
located in the DNS hierarchy.

2. Enter the same name for the Host Name. This is so you can add the unit to the FortiGate's DNS list so that the
local DNS lookup of this FQDN can be resolved.
3. On FortiGate, open the CLI Console and enter the following command using the FortiAuthenticator host name and
internet-facing IP address.
config system dns-database
edit school.net
config dns-entry
edit 1
set hostname fac.school.net
set ip 192.168.50.100
next
end
set domain school.net
next
Enabling FSSO and SAML on FortiAuthenticator
1. On FortiAuthenticator, go to Fortinet SSO Methods > SSO > General and set FortiGate SSO options. Make sure
to Enable authentication.
Enter a Secret key and select OK to apply your changes. This key will be used on FortiGate to add the
FortiAuthenticator as the FSSO server.

SAML Authentication
2. Go to Fortinet SSO Methods > SSO > Portal Services and select Enable SAML portal.
3. Next, go to Authentication > Remote Auth. Servers > SAML, and click Create New. Enter Okta as the name.
You will not yet be able to save these settings, as the IdP information - IdP entity ID, IdP
single sign-on URL, and IdP certificate fingerprint - must be entered. These fields will be
filled out later once the IdP application configuration is complete Okta.

SAML Authentication

SAML Authentication
Configuring the Okta developer account IdP application
1. Open a browser, go to the Applications tab and select Add Application.
2. Select Create New App and create a new application using the SAML 2.0 sign on method.
3. Enter a custom app name, and select Next. You may upload an app logo if you wish.
The name entered here is the name of the portal that users will log into.
4. Under A - SAML Settings, set Single sign on URL and Audience URL (SP Entity ID) to the ACS and Entity
URLs (respectively) from FortiAuthenticator.
Users will be required to provide their email address as their username, and their first and last names (as seen in
the example).
Before continuing, select Download Okta Certificate. This will be imported to the FortiAuthenticator later.

SAML Authentication
In the section below, configure a Group attribute to match on FortiAuthenticator. The word Group (case-
sensitive) must be entered in Text-based list under Obtain Group Membership from: SAML assertions inside the
remote SAML setup configuration on FortiAuthenticator. Regex matching is the most flexible option for group
matching. The below example matches all groups of a single user.
5. In the last step, confirm that you are an Okta customer, and set the App type to an internal app. Select Finish.

SAML Authentication
6. Once created, open the Sign On tab and download the Identity Provider metadata.
7. Finally, open the Assignments tab and select Assign > Assign to people.
Assign the users you wish to add to the application. This will permit the user to log in to the application's portal.
Save your changes, and select Done.
Importing the IdP certificate and metadata on FortiAuthenticator
1. On FortiAuthenticator, go to Authentication > Remote Auth. Servers > SAML, and import the IdP metadata and
certificate downloaded from Okta.
This will automatically fill in the IdP fields. Select OK to save your changes.

SAML Authentication
2. Enable SAML single logout and add the IdP single logout URL under the Single Logout section of the Okta
Remote SAML Server.
For example, if your Okta organization is "facschool" then the IdP single logout URL: entry would be
https://facschool.okta.com/login/default.
3. Go to Fortinet SSO Methods > SSO > FortiGate Filtering, and create a new FortiGate filter.

Enter a name and the FortiGate's DMZ-interface IP address, and click OK.
Once created, enable Forward FSSO information for users from the following subset of users/groups/containers
only. Select Create New to create SSO group filtering objects that match each group inside Okta, and select OK to
apply all changes.

SAML Authentication
The names entered for the filter must be the same as the group names created in Okta.
Failing to enter the exact same names will result in the SSO information not being pushed
to FortiGate.
Configuring FSSO on FortiGate
To configure FSSO on FortiGate:
1. On FortiGate, go to Security Fabric > Fabric Connectors.

Create a new FSSO agent connector to the FortiAuthenticator.
2. Select Apply & Refresh. The SAML user groups name has been successfully pushed to FortiGate from
FortiAuthenticator, appearing when you select View .

SAML Authentication
Select View and make sure that the FSSO group has been pushed to FortiGate.
3. Go to User & Device > User Groups and create a new user group.
Enter a name, set Type to Fortinet Single Sign-On (FSSO), and add the FSSO group as a Member.

SAML Authentication
Configure automatic redirect
To configure automatic redirect on FortiGate:
In order to automatically redirect the user to the initial website after authentication, erase the existing HTML code and
replace it with the following HTML code on the FortiGate in System > Replacement Messages > Authentication >
Login Page.
Replace <FortiAuthenticator-FQDN> with the DNS name of the FortiAuthenticator.
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="1;url=https://<FortiAuthenticator-FQDN>/saml-sp/Ok-

ta/login/?user_continue_url=%%PROTURI%%&userip=%%USER_IP%%">
<script type="text/javascript">
window.location.href="https://<FortiAuthenticator-FQDN>/saml-sp/Okta/login/?user_con-
tinue_url=%%PROTURI%%&userip=%%USER_IP%%"
</script>
<title>
Page Redirection
<title>
<head>
<body>
If you are not redirected automatically,
<a href="https://<FortiAuthenticator-FQDN>/saml-sp/Okta/login/?user_continue_url-
l=%%PROTURI%%&userip=%%USER_IP%%">
login
</a>
<body>
<html>

SAML Authentication
Configure address objects and policies
To configure addresses objects and policies on FortiGate:
1. Go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.
2. Create the FQDN objects below.

l *.okta.com
l *.mtls.okta.com
l *.oktapreview.com
l *.mtls.oktapreview.com
l *.oktacdn.com
l *.okta-emea.com
l *.mtls.okta-emea.com
l *.kerberos.okta.com
l *.kerberos.okta-emea.com
l *.kerberos.oktapreview.com
As these are FQDNs, make sure to set Type to FQDN .
3. Create an Address group and name it Okta Bypass and add the FQDNs you created above into the Okta Bypass
address group.
4. Go to Policy & Objects > IPv4 Policy and create all policies shown in the examples below: a policy for DNS, for
access to the FortiAuthenticator, for Okta bypass, and for FSSO including the SAML user group.
Allow access to the FortiAuthenticator on the DMZ from the LAN:

SAML Authentication
Add the following three policies in order:

SAML Authentication

SAML Authentication
In the SSO_Internet_Access policy, add the Firewall Guest-group and the Okta FSSO group that is received from
FortiAuthenticator. The Guest-group redirects the initial Internet access request from the browser to Okta. Once
the user is authenticated the browser will automatically redirect to the website from the initial HTTP/HTTPS
request matching the Okta SSO group.

SAML Authentication
Office 365 SAML authentication using FortiAuthenticator with 2FA
FortiAuthenticator can act as the SAML IdP for an Office 365 SP using FortiToken served directly by FortiAuthenticator
or from FortiToken Cloud for two-factor authentication.
The configuration outlined in this guide assumes that you have already configured your FortiAuthenticator with
FortiToken Cloud. For more information on how to do this, please see the FortiAuthenticator Administration Guide.

SAML Authentication
To configure Office 365 SAML authentication using FortiAuthenticator with two-factor authentication:
1. Configure the remote LDAP server on FortiAuthenticator on page 176

2. Configure SAML settings on FortiAuthenticator on page 177
3. Configure two-factor authentication on FortiAuthenticator on page 178
4. Configure the domain and SAML SP in Microsoft Azure AD PowerShell on page 179
5. Configure Microsoft Azure AD Connect on page 181
Configure the remote LDAP server on FortiAuthenticator
To configure the LDAP server:
1. Go to Authentication > Remote Auth. Servers > LDAP and click Create New.

2. Configure the following settings:
a. Name: Provide a name for the remote LDAP server.
b. Primary server name/IP: Enter the IP address for the AD (Active Directory) source.
c. Base distinguished name: Configure the based distinguished name for your AD source.
d. Bind type: Select Regular.
e. Username/Password: Enter the username and password for your AD source.
The remaining settings can be left in their default state.

SAML Authentication
To configure the Active Directory realm:
1. Go to Authentication > User Management > Realms and click Create New.

2. Configure a name for the realm and select your LDAP server as the User source.
Configure SAML settings on FortiAuthenticator
To configure FortiAuthenticator IdP settings:
1. Go to Authentication > SAML IdP > General and click Enable SAML Identity Provider portal.

a. Server address: The IP address or FQDN of the FortiAuthenticator.
b. Realms: Select the previously created LDAP realm.
c. Default IdP certificate: Choose a certificate. The default can be used if desired.
The remaining settings can be left in their default state.
To configure the service provider settings on FortiAuthenticator:
1. Go to Authentication > SAML IdP > Service Providers and click Create New.

a. SP Name: enter a name for your service provider.
b. IdP Prefix: Click Generate prefix to create a new IdP prefix.
c. Server certificate: Select the certificate to be used in your configuration or choose Use default setting in
SAML IdP General page.
d. SP entity ID: Enter urn:federation:MicrosoftOnline.
e. SP ACS (login) URL: Enter https://login.microsoftonline.com/login.srf.
f. SP SLS (logout) URL: Enter https://login.microsoftonline.com/login.srf.
g. Participate in single logout: Can be enabled if you wish this SP to participate in SAML single logout.
3. In the Assertion Attributes section, configure the following settings:
a. Subject NameID: Select user mS-DS-Consistency Guid.
b. Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
Press Enter and then SAML attributes can be created.

SAML Authentication
4. In the Debugging Options section click Create New to create a SAML attribute with the following settings:
a. SAML attribute: Enter IDPEmail.
b. User attribute: In the dropdown, select userPrincipalName under Remote LDAP server.
Configure two-factor authentication on FortiAuthenticator
To configure a remote user sync rule:
1. Go to Authentication > User Management > Remote User Sync Rules, and click Create New.
a. Name: Enter a name for the sync rule (e.g. AD).
b. Remote LDAP: Select your remote LDAP server.
3. Configure the token-based sync priority settings under Synchronization Attributes by enabling and ordering the
authentication sync priorities.
This example scenario uses FortiToken Cloud for two-factor authentication, so the priority is FortiToken Cloud
followed by None (users are synced explicitly with no token-based authentication).

SAML Authentication
4. Select or create a user group to associate users with from the dropdown menu.
5. The remaining settings can be configured to your preference or left in their default state.
6. Click OK to save your changes when completed.
To configure remote users with two-factor authentication:
1. Go to Authentication > User Management > Remote Users and Import users from your Active Directory account.
2. Edit a user and enable Token-based authentication, and select FortiToken > Cloud as the delivery method.
Configure the domain and SAML SP in Microsoft Azure AD PowerShell
FortiAuthenticator currently supports use with Microsoft Azure Active Directory Module for Windows PowerShell.
To configure the domain and SAML SP using Microsoft Azure AD PowerShell:
1. Launch the Microsoft Azure Active Directory Module for Windows PowerShell.
2. Enter the following command in PowerShell:
Install-Module -Name MSonline.
Accept the next two default ("Y") prompts for installing the NuGet Provider and installing from PSGallery.
1. If you are using Windows 2016 or earlier, you must first enable TLS 1.2 enforcement for
Azure AD Connect. For instructions on enabling TLS 1.2 eforcement, see Azure AD
Connect: TLS 1.2 enforcement for Azure Active Directory Connect.
3. Enter the following command:

Connect-MsolService .

SAML Authentication
The Microsoft Sign in window opens. Login with your Azure ID.
4. Add a federated domain by entering the following command.
New-MsolDomain -Name <your domain> -Authentication Federated
5. Obtain the DNS record and create a new text record in your domain provider to allow the domain to be verified. To
obtain the DNS record, use the following command:
Get-MsolDomainVerificationDns -DomainName ftnt.xyz -Mode DnsTxtRecord

SAML Authentication
From the output, copy the Text field results and create a new text record in your domain with a 60 minute interval.
6. Configure the domain as a SAML service provider.

You can create these variables inside a text editor and then copy and paste them into a PowerShell window.
$domain = "<your domain>"
$cert = "<your certificate. This can be obtained by downloading your
certificate from FortiAuthenticator and opening it with a text editor.>"
$protocol = "SAMLP"
$IssuerUrl = "<The IdP entity ID from FortiAuthenticator>"
$LogonUrl = "<The IdP single sign-on URL from FortiAuthenticator>"
$LogoffUrl = "<The IdP single logout URL from FortiAuthenticator>"
Once completed, enter the following command into PowerShell to verify the domain:
Confirm-MsolDomain -DomainName $domain - SigningCertificate $cert -
PreferredAuthenticationProtocol $protocol -IssuerUri $IssuerUrl -
PassiveLogOnUri $LogonURL -LogOffUri $LogOffUrl
The return text from the above command should read "AvailableImmediately The domain has been successfully
verified for your account."
Configure Microsoft Azure AD Connect
You will first need to download Azure AD Connect from Microsoft on your Active Directory Domain Controller.

SAML Authentication
To configure Microsoft Azure AD Connect:
1. Launch Microsoft Azure Active Directory Connect to create a synchronization service to sync attributes from Active
Directory to Office365.
2. Select Customize to begin a customized installation, and click Install.

SAML Authentication
3. On the User sign-in page, select Do not configure, and click Next.

SAML Authentication
4. On the Connect to Azure AD page, enter your Azure AD global administrator credentials, and click Next.

SAML Authentication
5. Select your Active Directory Forest, and click Add Directory. Create your on-premise AD admin user account.
When finished, click Next. If completed successfully, you will see your domain has been verified.
Click Next again.

SAML Authentication

SAML Authentication
6. Click Next on the remaining pages in the configuration wizard, and click Install on the Ready to configure page.
7. Once the installation is complete, you are presented with the Configuration complete page which provides a
summary of the configuration changes.

SAML Authentication
Results
Once configured, Active Directory synchronized users can sign in to Office 365 using two-factor authentication from
FortiAuthenticator.

SAML Authentication
To sign in to Office 365 using FortiAuthenticator with two-factor authentication:
1. Navigate to Office 365 and click Sign in or Switch to a different account.

2. Enter a user account with domain and click Sign in.
3. Authentication is redirected to FortiAuthenticator. Enter your user credentials, and click Login.
Enter your 2FA token or approve the access request from your FortiToken push request.

SAML Authentication
Once approved you are logged in to your Office 365 account.

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.

FortiAuthenticator 6.1.0 Cookbook

Uploaded by

Copyright:

Available Formats

FortiAuthenticator 6.1.0 Cookbook

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiAuthenticator 6.1.0 Cookbook

Uploaded by

Copyright:

Available Formats

FortiAuthenticator - Cookbook

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

December 16, 2020

FortiAuthenticator 6.1.0 Cookbook 3

FortiAuthenticator 6.1.0 Cookbook 4

FortiAuthenticator 6.1.0 Cookbook 5

FortiAuthenticator 6.1.0 Cookbook 6

Date Change Description

2020-03-28 Initial release.

2020-05-25 Added new configuration examples:

l MAC authentication bypass with dynamic VLAN assignment on page 59

2020-06-17 Added SAML FSSO with FortiAuthenticator and Okta on page 160.

FortiAuthenticator 6.1.0 Cookbook 7

This section describes managing certificates with the FortiAuthenticator device.

FortiAuthenticator as a Certificate Authority

Creating a new CA on the FortiAuthenticator

To create a new CA:

FortiAuthenticator 6.1.0 Cookbook 8

2. Once created, highlight the certificate and select Export Certificate.

This will save a .crt file to your local drive.

Installing the CA on the network

Internet Explorer and Chrome

FortiAuthenticator 6.1.0 Cookbook 9

FortiAuthenticator 6.1.0 Cookbook 10

FortiAuthenticator 6.1.0 Cookbook 11

2. In the Authorities tab, select Import.

FortiAuthenticator 6.1.0 Cookbook 12

3. Find and open the root certificate.

Creating a CSR on the FortiGate

FortiAuthenticator 6.1.0 Cookbook 13

This will save a .csr file to your local drive.

FortiAuthenticator 6.1.0 Cookbook 14

Importing and signing the CSR on the FortiAuthenticator

To import and sign the CSR:

This will save a .cer file to your local drive.

Importing the local certificate to the FortiGate

To import the local certificate:

FortiAuthenticator 6.1.0 Cookbook 15

Configuring the certificate for the GUI

To configure the certificate:

1. On the FortiGate, go to System > Settings.

FortiAuthenticator 6.1.0 Cookbook 16

certificate errors will appear.

FortiAuthenticator certificate with SSL inspection

FortiAuthenticator 6.1.0 Cookbook 17

Creating a CSR on the FortiGate

FortiAuthenticator 6.1.0 Cookbook 18

This will save a .csr file to your local drive.

Creating an Intermediate CA on the FortiAuthenticator

To create an Intermediate CA:

This will save a .crt file to your local drive.

FortiAuthenticator 6.1.0 Cookbook 19

Importing the signed certificate on the FortiGate

To import the signed certificate:

Configuring full SSL inspection

To configure full SSL inspection:

1. Go to Security Profiles > SSL/SSH Inspection, and create a new profile.