FortiAuthenticator - Cookbook

Version 6.0.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

October 25, 2019


FortiAuthenticator 6.0.0 Cookbook
23-600-570505-20191025
TABLE OF CONTENTS

Change Log 5
Certificate management 6
FortiAuthenticator as a Certificate Authority 6
Creating a new CA on the FortiAuthenticator 6
Installing the CA on the network 8
Creating a CSR on the FortiGate 12
Importing and signing the CSR on the FortiAuthenticator 13
Importing the local certificate to the FortiGate 14
Configuring the certificate for the GUI 14
Results 15
FortiAuthenticator Certificate with SSL Inspection 16
Creating a CSR on the FortiGate 16
Creating an Intermediate CA on the FortiAuthenticator 18
Importing the signed certificate on the FortiGate 18
Configuring full SSL inspection 19
Results 21
FortiToken and FortiToken Mobile 23
FortiToken Mobile Push for SSL VPN 23
Adding a FortiToken to the FortiAuthenticator 24
Adding the user to the FortiAuthenticator 24
Creating the RADIUS client on the FortiAuthenticator 28
Connecting the FortiGate to the RADIUS server 29
Configuring the SSL VPN 32
Results 34
Self-service Portal 38
FortiAuthenticator user self-registration 38
Creating a self-registration user group 38
Enabling self-registration 39
Creating a new SMTP server 42
Results - Self-registration 42
Results - Administrator approval 45
VPNs 48
LDAP authentication for SSL VPN with FortiAuthenticator 48
Creating the user and user group on the FortiAuthenticator 48
Creating the LDAP directory tree on the FortiAuthenticator 50
Connecting the FortiGate to the LDAP server 50
Creating the LDAP user group on the FortiGate 51
Configuring the SSL VPN 53
Results 56
SMS two-factor authentication for SSL VPN 57
Creating an SMS user and user group on the FortiAuthenticator 58
Configuring the FortiAuthenticator RADIUS client 59
Configuring the FortiGate authentication settings 60
Configuring the SSL VPN 62

FortiAuthenticator 6.0.0 Cookbook 3


Fortinet Technologies Inc.
Creating the security policy for VPN access to the Internet 64
Results 64
WiFi authentication 68
Assigning WiFi users to VLANs dynamically 68
Configuring the FortiAuthenticator 69
Adding the RADIUS server to the FortiGate 70
Creating an SSID with dynamic VLAN assignment 71
Creating the VLAN interfaces 73
Creating security policies 77
Creating the FortiAP profile 78
Connecting and authorizing the FortiAP 80
Results 80
WiFi using FortiAuthenticator RADIUS with certificates 82
Creating a local CA on FortiAuthenticator 82
Creating a local service certificate on FortiAuthenticator 83
Configuring RADIUS EAP on FortiAuthenticator 84
Configuring RADIUS client on FortiAuthenticator 85
Configuring local user on FortiAuthenticator 86
Configuring local user certificate on FortiAuthenticator 87
Creating RADIUS server on FortiGate 88
Creating WiFi SSID on FortiGate 89
Exporting user certificate from FortiAuthenticator 93
Importing user certificate into Windows 10 93
Configuring Windows 10 wireless profile to use certificate 97
Results 102
WiFi RADIUS authentication with FortiAuthenticator 105
Creating users and user groups on the FortiAuthenticator 106
Registering the FortiGate as a RADIUS client on the FortiAuthenticator 107
Configuring FortiGate to use the RADIUS server 108
Creating SSID and set up authentication 110
Connecting and authorizing the FortiAP 111
Creating the security policy 114
Results 115
WiFi with WSSO using FortiAuthenticator RADIUS and Attributes 115
Registering the FortiGate as a RADIUS client on the FortiAuthenticator 115
Creating users on the FortiAuthenticator 116
Creating user groups on the FortiAuthenticator 118
Configuring the FortiGate to use the FortiAuthenticator as the RADIUS server 120
Configuring user groups on the FortiGate 121
Creating security policies 122
Configuring the SSID to RADIUS authentication 124
Results 124
LDAP Authentication 126
G Suite integration using LDAP 126
Generating the G Suite certificate 126
Importing the certificate to FortiAuthenticator 127
Configuring LDAP on the FortiAuthenticator 129
Troubleshooting 131

Change Log

Date Change Description

2019-09-05 Initial release.

2019-10-25 Added G Suite integration using LDAP on page 126.

Certificate management

This section describes managing certificates with the FortiAuthenticator device.


FortiAuthenticator can act as a certificate authority (CA) for the creation and signing of X.509 certificates, such as server
certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPsec VPN.

FortiAuthenticator as a Certificate Authority

For this recipe, you will configure the FortiAuthenticator as a Certificate Authority (CA). This will allow the
FortiAuthenticator to sign certificates that the FortiGate will use to secure administrator GUI access.
This scenario includes creating a certificate request on the FortiGate, downloading the certificate to the network’s
computers, and then importing it to the FortiAuthenticator. You will sign the certificate with the FortiAuthenticator’s own
certificate, then download and import the signed certificate back to the FortiGate.
The process of downloading the certificate to the network’s computers will depend on which web browser you use.
Internet Explorer and Chrome use one certificate store, while Firefox uses another. This configuration includes both
methods.

Creating a new CA on the FortiAuthenticator

1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a
new CA.
Enter a Certificate ID, select Root CA certificate, and configure the key options as shown in the example.

2. Once created, highlight the certificate and select Export Certificate.

This will save a .crt file to your local drive.

Installing the CA on the network

The certificate must now be installed on the computers in your network as a trusted root CA. The steps below show
different methods of installing the certificate, depending on your browser.

Internet Explorer and Chrome

1. In Windows Explorer, right-click on the certificate and select Install Certificate. Open the certificate and follow the
Certificate Import Wizard.

2. Make sure to place the certificate in the Trusted Root Certification Authorities store.

3. Finish the Wizard and select Yes to confirm and install the certificate.

Firefox

1. In the web browser, go to Options > Privacy & Security > Certificates and select View Certificates.

2. In the Authorities tab, select Import.

3. Find and open the root certificate.
You will be asked which purposes the certificate will be trusted to identify. Select all options and select OK.

Creating a CSR on the FortiGate

1. On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request
(CSR).
Enter a Certificate Name, the Internet facing IP address of the FortiGate, and a valid email address, then
configure the key options as shown in the example.
The Subject Alternative Name field must be configured with the internet facing IP address or FQDN in the
following format: IP:x.x.x.x or DNS:hostname.example.com.

2. Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

Importing and signing the CSR on the FortiAuthenticator

1. Back on the FortiAuthenticator, go to Certificate Management > End Entities > Users and import the .csr
certificate created earlier.
Make sure to select the Certificate authority from the drop-down menu and set the Hash algorithm to SHA-256, as
configured earlier.

2. Once imported, you should see that the certificate has been signed by the FortiAuthenticator, with a Status of
Active. Highlight the certificate and select Export Certificate.

This will save a .cer file to your local drive.

Importing the local certificate to the FortiGate

1. Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import drop-down
menu.
Browse to the .cer certificate and select OK.

You should now see that the certificate's Status has changed from Pending to OK. You may have to refresh your
page to see the status change.

Configuring the certificate for the GUI

1. On the FortiGate, go to System > Settings.
Under Administration Settings, set HTTPS server certificate to the certificate created/signed earlier, then
select Apply.

Results

Close and reopen your browser, and go to the FortiGate admin login page. If you click on the lock icon next to the
address bar, you should see that the certificate has been signed and verified by the FortiAuthenticator. As a result, no
certificate errors will appear.

FortiAuthenticator Certificate with SSL Inspection

For this recipe, you will create a certificate on the FortiGate, have it signed on the FortiAuthenticator, and configure the
FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic.
Note that, for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority
(CA), otherwise the certificate created in this recipe will not be trusted. For more information on how to do this, see
FortiAuthenticator as a Certificate Authority.
This scenario includes creating a certificate signing request (CSR), signing the certificate on the FortiAuthenticator, and
downloading the signed certificate back to the FortiGate. You will then create an SSL/SSH Inspection profile for full
SSL inspection, add the certificate created to the profile, and apply the profile to the policy allowing Internet access.
As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This
will apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.

Creating a CSR on the FortiGate

1. On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request
(CSR).
Enter a Certificate Name, the Internet facing IP address of the FortiGate, and a valid email address, then
configure the key options as shown in the example.
The Subject Alternative Name field must be configured with the internet facing IP address or FQDN in the
following format: IP:x.x.x.x or DNS:hostname.example.com.

2. Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

Creating an Intermediate CA on the FortiAuthenticator

1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select
Import.
Set Type to CSR to sign, enter a Certificate ID, and import the CSR file. Make sure to select the Certificate
authority from the drop-down menu and set the Hash algorithm to SHA-256.

2. Once imported, you should see that the certificate has been signed by the FortiAuthenticator, showing a Status of
Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export
Certificate.

This will save a .crt file to your local drive.

Importing the signed certificate on the FortiGate

1. Back on the FortiGate, go to System > Certificates and select Import > Local Certificate.
Browse to the CRT file and select OK.

2. You should now see that the certificate has a Status of OK.

Configuring full SSL inspection

1. Go to Security Profiles > SSL/SSH Inspection and create a new profile.
Enter a Name, select the certificate from the CA Certificate drop-down menu, and make sure Inspection
Method is set to Full SSL Inspection.

2. Add the certificate to your web browser's list of trusted certificates. End users will likely see certificate warnings
unless the certificate is installed in their browser.
3. Next go to Policy & Objects > IPv4 Policy and edit the policy that allows Internet access.
Under Security Profiles, enable SSL/SSH Inspection and select the custom profile created earlier.
Enable Application Control and set it to default.

Results

1. To test the certificate, open your web browser and attempt to navigate to an HTTPS website (in the example,
https://www.dropbox.com).
Click on the lock icon next to the address bar and click Show connection details.

2. You should now see that the certificate from the FortiGate (172.25.176.127) has signed and verified access to the
site. As a result, no certificate errors will appear.

Optionally select More Information.

FortiToken and FortiToken Mobile

This section describes various authentication scenarios involving FortiToken, a disconnected one-time password (OTP)
generator that's either a physical device or a mobile token. Time-based token passcodes require that the
FortiAuthenticator clock is accurate. If possible, configure the system time to be synchronized with a network time
protocol (NTP) server.
To perform token-based authentication, the user must enter the token passcode. If the user’s username and password
are also required, this is called two-factor authentication.
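As an added illustration of the clock requirement above (my own example, not code from the cookbook or from Fortinet), here is a standard RFC 6238 TOTP verifier run against a token whose clock differs from the server's. I assume a 30-second step and a one-step tolerance window as a stand-in for the token algorithm (the token's real parameters are not given on the page); the seed is the RFC 6238 test-vector seed, not a real token seed.

```python
"""RFC 6238 TOTP, used to show why a time-based OTP server needs an accurate clock.
Standard library only."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so both sides must agree on the time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept `code` if it matches the server's current step or any step within
    +/- `window` steps. A small window absorbs seconds of drift; a clock that is
    minutes off pushes every code the token shows outside the window."""
    base = server_time // step
    return any(
        hmac.compare_digest(hotp(secret, base + k, digits), code)
        for k in range(-window, window + 1)
    )


def clock_skew_outcomes(secret: bytes, token_time: int, skews,
                        step: int = 30, window: int = 1) -> dict:
    """For each skew (seconds the server clock is ahead of the token's clock),
    report whether the code the token shows right now would be accepted."""
    code = totp(secret, token_time, step)
    return {skew: verify_totp(secret, code, token_time + skew, step, window)
            for skew in skews}


if __name__ == "__main__":
    # Constructed seed: the RFC 6238 test-vector seed, not a real token seed.
    seed = b"12345678901234567890"
    for skew, ok in clock_skew_outcomes(seed, 1111111111, [0, 45, 120, -300]).items():
        print(f"server clock {skew:+5d}s from token: {'accepted' if ok else 'rejected'}")
```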

FortiToken Mobile Push for SSL VPN

In this recipe, you set up FortiAuthenticator to function as a RADIUS server to authenticate SSL VPN users using
FortiToken Mobile Push two-factor authentication. With Push notifications enabled, the user can easily accept or deny
the authentication request.
For this configuration, you:
- Create a user on the FortiAuthenticator.
- Assign a FortiToken Mobile license to the user.
- Create the RADIUS client (FortiGate) on the FortiAuthenticator, and enable FortiToken Mobile Push notifications.
- Connect the FortiGate to the RADIUS server (FortiAuthenticator).
- Create an SSL VPN on the FortiGate, allowing internal access for remote users.
The following names and IP addresses are used:

- Username: gthreepwood
- User group: RemoteFTMGroup
- RADIUS server: OfficeRADIUS
- RADIUS client: OfficeServer
- SSL VPN user group: SSLVPNGroup
- FortiAuthenticator: 172.25.176.141
- FortiGate: 172.25.176.92
For the purposes of this recipe, a FortiToken Mobile free trial token is used. This recipe also assumes that the user has
already installed the FortiToken Mobile application on their smartphone. You can install the application for Android and
iOS. For details, see:
- FortiToken Mobile for Android
- FortiToken Mobile for iOS

Adding a FortiToken to the FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > User Management > FortiTokens, and select Create New.
2. Set Token type to FortiToken Mobile, and enter the FortiToken Activation codes in the field provided.

Adding the user to the FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > User Management > Local Users, and select Create New.
Enter a Username (gthreepwood) and enter and confirm the user password.
Enable Allow RADIUS authentication, and select OK to access additional settings.

2. Enable Token-based authentication and select to deliver the token code by FortiToken. Select the FortiToken
added earlier from the FortiToken Mobile drop-down menu.
Set Delivery method to Email. This will automatically open the User Information section where you can enter
the user email address in the field provided.

3. Next, go to Authentication > User Management > User Groups, and select Create New.
Enter a Name (RemoteFTMUsers) and add gthreepwood to the group by moving the user from Available users
to Selected users.

4. The FortiAuthenticator sends the FortiToken Mobile activation to the user’s email address. If the email does not
appear in the inbox, check the spam folder.
The user activates their FortiToken Mobile through the FortiToken Mobile application by either entering the
activation code provided or by scanning the QR code attached.

For more information, see the FortiToken Mobile user instructions.

Creating the RADIUS client on the FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New to add
the FortiGate as a RADIUS client.
2. Enter a Name (OfficeServer), the IP address of the FortiGate, and set a Secret. The secret is a pre-shared secure
password that the FortiGate will use to authenticate to the FortiAuthenticator.
3. Set Authentication method to Enforce two-factor authentication and check the Enable FortiToken Mobile
push notifications authentication checkbox.

4. Set Realms to local | Local users, and add RemoteFTMUsers to the Groups filter.

Note the Username input format. This is the format that the user must use to enter their
username in the web portal, made up of their username and realm. In this example, the
full username for gthreepwood is "gthreepwood@local".

Connecting the FortiGate to the RADIUS server

1. On the FortiGate, go to User & Device > RADIUS Servers, and select Create New to connect to the RADIUS
server (FortiAuthenticator).
Enter a Name (OfficeRADIUS), the IP address of the FortiAuthenticator, and enter the Secret created before.
Select Test Connectivity to be sure you can connect to the RADIUS server. Then select Test User Credentials
and enter the credentials for gthreepwood.

Because the user has been assigned a FortiToken, the test should return stating that More validation is
required.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client configured earlier.
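As an added example (mine, not code from the cookbook or from Fortinet), the following builds the RADIUS exchange behind the client Secret configured on the FortiAuthenticator and the FortiGate's "More validation is required" test result: a PAP Access-Request for gthreepwood@local, answered by an Access-Challenge asking for the second factor, with the FortiGate side checking the reply against its own copy of the secret. Packet formats follow RFC 2865; the password, Reply-Message and State values are constructed.

```python
"""Minimal RFC 2865 RADIUS encoder/verifier (standard library only): what the
shared Secret does between the NAS (FortiGate) and the server (FortiAuthenticator)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(blob: bytes) -> dict:
    """Decode a run of attributes into {type: [value, ...]}, rejecting bad lengths."""
    out, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        out.setdefault(atype, []).append(blob[i + 2:i + alen])
        i += alen
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous
    cipher block); the first block is keyed by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the same secret gets the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """Code 1 packet: 4-byte header, 16-byte random Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, username.encode()) + attr(
        USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server reply: Response Authenticator = MD5(header + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute the Response Authenticator with its own copy of
    the secret. A mismatch means a mistyped secret or a reply not produced by the
    expected server (MD5 only; RFC 2869 Message-Authenticator adds an HMAC)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(secret_on_nas: bytes, secret_on_server: bytes) -> dict:
    """Constructed two-step exchange: the NAS sends username@realm and password,
    the server answers Access-Challenge asking for the token (second factor)."""
    req_auth = os.urandom(16)
    req = build_access_request(7, "gthreepwood@local", "hunter2",  # constructed password
                               secret_on_nas, req_auth)
    attrs = parse_attrs(req[20:])
    seen = reveal_password(attrs[USER_PASSWORD][0], secret_on_server, req_auth)
    challenge = build_response(
        ACCESS_CHALLENGE, req[1], req_auth,
        attr(REPLY_MESSAGE, b"Enter your FortiToken code") + attr(STATE, b"ftm-push-01"),
        secret_on_server)
    return {"username": attrs[USER_NAME][0].decode(),
            "password_seen_by_server": seen,
            "server_code": challenge[0],
            "nas_accepts_reply": verify_response(challenge, req_auth, secret_on_nas)}
```

Running `exchange` with matching secrets yields a verifiable Access-Challenge; with a mismatched secret the server recovers a garbled password and the NAS rejects the reply, which is what a failed Test Connectivity on the FortiGate looks like on the wire.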
2. Then go to User & Device > User Groups, and select Create New to map authenticated remote users to a user
group on the FortiGate.
Enter a Name (SSLVPNGroup) and select Add under Remote Groups.
Select OfficeRADIUS under the Remote Server drop-down menu, and leave the Groups field blank.

Configuring the SSL VPN

1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.
Toggle Enable Split Tunneling so that it is disabled.

2. Go to VPN > SSL-VPN Settings.
Under Connection Settings set Listen on Interface(s) to wan1 and Listen on Port to 10443.
Under Tunnel Mode Client Settings, select Specify custom IP ranges. The IP Ranges should be set to
SSLVPN_TUNNEL_ADDR1 and the IPv6 version by default.
Under Authentication/Portal Mapping, select Create New.
Set the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access
— this will grant all other users access to the web portal only.

3. Then go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.
Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing
interface (in this case, wan1).
Set Source to the SSLVPNGroup user group and the all address.
Set Destination to all, Schedule to always, Service to ALL, and enable NAT.

Results

1. From a remote device, open a web browser and navigate to the SSL VPN web portal (https://<fortigate-ip>:10443).
2. Enter gthreepwood‘s credentials and select Login. Use the correct format (in this case, username@realm), as
per the client configuration on the FortiAuthenticator.

3. The FortiAuthenticator will then push a login request notification through the FortiToken Mobile application. Select
Approve.

Upon approving the authentication, gthreepwood is successfully logged into the SSL VPN portal.

4. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user’s connection.

Self-service Portal

Configure general self-service portal options, including access control settings, self-registration options, replacement
messages, and device self-enrollment settings.

FortiAuthenticator user self-registration

For this recipe, you will configure the FortiAuthenticator self-service portal to allow users to add their own account and
create their own passwords.
Note that enabling and using administrator approval requires the use of an email server, or SMTP server. Since
administrators will approve requests by email, this recipe describes how to add an email server to your
FortiAuthenticator. You will create and use a new server instead of the unit’s default server.

Creating a self-registration user group

1. Go to Authentication > User Management > User Groups and create a new user group for self-registering
users.
Enter a Name and select OK. Users will be added to this group once they register through the self-registration
portal.

Enabling self-registration

1. Go to Authentication > Self-service Portal > General.
Enter a Site name, add an Email signature that you would like appended to the end of outgoing emails, and
select OK.

2. Then go to Authentication > Self-service Portal > Self-registration and select Enable.
Enable Require administrator approval and Enable email to freeform addresses, and enter the
administrator’s email address in the field provided.
Enable Place registered users into a group, select the user group created earlier, and configure basic account
information to be sent to the user by Email.
Open the Required Field Configuration drop-down and enable First name, Last name, and Email address.

Creating a new SMTP server

1. Go to System > Messaging > SMTP Servers and create a new email server for your users.
Enter a Name, the IP address of the FortiAuthenticator, and leave the default port value (25).
Enter the administrator’s email address, Account username, and Password.
Note that, for the purpose of this recipe, Secure connection will not be set to STARTTLS as a signed CA
certificate would be required.

2. Once created, highlight the new server and select Set as Default.
The new SMTP server will now be used for future user registration.

Results - Self-registration

1. When the user visits the login page, https://<FortiAuthenticator-IP>/auth/register/, they can click the Register
button, where they will be prompted to enter their information.

They will need to enter and confirm a Username, Password, First name, Last name, and Email address.
These are the only required fields, as configured in the FortiAuthenticator earlier.
Select Submit.

2. The user's registration is successful, and their information has been sent to the administrator for approval.

3. When the administrator has enabled the user’s account, the user will receive an activation welcome email.
The user's login information will be listed.

4. Select the link and log in to the user's portal. 

5. The user is now logged into their account where they can review their information.
As recommended in the user’s welcome email, the user may change their password. However, this is optional.

Results - Administrator approval

1. After receiving the user’s registration request, in the FortiAuthenticator as the administrator, go to Authentication
> User Management > Local Users. The user has been added, but their Status is listed as Not Activated.

2. In the administrator’s email account, open the user’s Approval Required email. The user’s full name will appear
in the email’s subject, along with their username in the email’s body.
Select the link to approve or deny the user.

3. The link will take you to the New User Approval page, where you can review the user’s information and either
approve or deny the user’s full registration.
Select Approve.

4. The user has now been approved and activated by the administrator.

This can be confirmed by going back to Authentication > User Management > Local Users. The user’s Status
has changed to Enabled.

5. You can also go to Logging > Log Access > Logs to view the successful login of the user and more information.

VPNs

This section contains information about creating and using a virtual private network (VPN).

LDAP authentication for SSL VPN with FortiAuthenticator

This recipe describes how to set up FortiAuthenticator to function as an LDAP server for FortiGate SSL VPN
authentication. It involves adding users to FortiAuthenticator, setting up the LDAP server on the FortiAuthenticator, and
then configuring the FortiGate to use the FortiAuthenticator as an LDAP server.

Creating the user and user group on the FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > User Management > Local Users and select Create New.
Enter a name for the user, enter and confirm a password, and be sure to disable Allow RADIUS authentication
— RADIUS authentication is not required for this recipe.
Set Role as User, and select OK. New options will appear.
Make sure to enable Allow LDAP browsing — the user will not be able to connect to the FortiGate otherwise.

2. Create another user with the same settings. Later, you will use jgarrick on the FortiGate to query the LDAP
directory tree on FortiAuthenticator, and you will use bwayne credentials to connect to the VPN tunnel.
3. Next go to Authentication > User Management > User Groups, and create a user group for the FortiGate
users. Add the desired users to the group.

Creating the LDAP directory tree on the FortiAuthenticator

1. Go to Authentication > LDAP Service > Directory Tree, and create a Distinguished Name (DN). A DN is made
up of Domain Components (DC).
The users and user group created earlier appear in the LDAP Directory Tree as User ID (UID) entries and a
Common Name (CN) entry respectively.
Create an Organizational Unit (OU) and a Common Name (CN). Under the cn=HeadOffice entry, add UIDs for
the users.
If you mouse over a user, you will see that user's full DN on the LDAP server.

Later, you will use jgarrick on the FortiGate to query the LDAP directory tree on FortiAuthenticator, and you will
use bwayne credentials to connect to the VPN tunnel.

Connecting the FortiGate to the LDAP server

1. On the FortiGate, go to User & Device > LDAP Servers, and select Create New.
Enter a name for the LDAP server connection.
Set Server IP/Name to the IP of the FortiAuthenticator, and set the Common Name Identifier to uid.
Set Distinguished Name to dc=fortinet,dc=com, and set the Bind Type to Regular.
Enter the user DN for jgarrick of the LDAP server, and enter the user's Password.
The DN is an account that the FortiGate uses to query the LDAP server.

2. Select Test Connectivity to confirm that the FortiGate can reach the LDAP server.
Then select Test User Credentials to query the LDAP directory using jgarrick's credentials. The query is
successful.

Creating the LDAP user group on the FortiGate

1. Go to User & Device > User Groups, and select Create New.
Enter a name for the user group. Under Remote Groups select Add.

2. Select LDAPserver under the Remote Server dropdown.
In the new Add Group Match window, right-click HeadOffice under the Groups tab, and select Add Selected.
The group will be added to the Selected tab. Select OK.

3. LDAPserver has been added to the LDAP group. Select OK.


Configuring the SSL VPN

1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.


Disable Split Tunneling.

2. Go to VPN > SSL-VPN Settings.
Under Connection Settings set Listen on Port to 10443.


Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_
ADDR1.
Under Authentication/Portal Mapping, select Create New.

3. Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups to the desired
portal. Select Apply.


4. Select the prompt at the top of the screen to create a new SSL-VPN policy, including the LDAPgroup, as shown.


Results

1. From a remote device, access the SSL VPN Web Portal.


Enter valid LDAP credentials (in the example, bwayne).

2. The user is now successfully logged into the SSL VPN Portal.

3. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the connection.


4. On the FortiAuthenticator, go to Logging > Log Access > Logs and confirm the connection.

SMS two-factor authentication for SSL VPN

In this recipe, you will create an SSL VPN with two-factor authentication consisting of a username, password, and an
SMS token.
When a user attempts to connect to this SSL VPN, they are prompted to enter their username and password. After
successfully entering their credentials, they receive an SMS message on their mobile phone containing a 6-digit number
(called the FortiToken code). They must also enter this number to get access to the internal network and the Internet.
Although this recipe uses the FortiGuard Messaging Service, it will also work with any compatible SMS service you
configure as an SMS Gateway.


Creating an SMS user and user group on the FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > User Management > Local Users and add/modify a user to
include SMS Token-based authentication and a Mobile number using the preferred SMS gateway as shown.
The Mobile number must be in the following format:
+[international-number]
Enable Allow RADIUS authentication.

2. Go to Authentication > User Management > User Groups and add the above user to a new SMS user group
(in the example, SMSgroup).

Configuring the FortiAuthenticator RADIUS client

1. Go to Authentication > RADIUS Service > Clients and create a new RADIUS client.
Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).


Choose to Enforce two-factor authentication and add the SMS user group to the Realms group filter as shown.

Configuring the FortiGate authentication settings

1. On the FortiGate, go to User & Device > RADIUS Servers and create the connection to the FortiAuthenticator
RADIUS server, using its IP address and pre-shared secret.
Use Test Connectivity to make sure that the FortiGate can communicate with the FortiAuthenticator.


2. Next, go to User & Device > User Groups and create a RADIUS user group called RADIUSgroup.
Set the Type to Firewall and add the RADIUS server to the Remote groups table.


Configuring the SSL VPN

1. Go to VPN > SSL-VPN Settings.
Under Connection Settings, set Listen on Port to 10443. Under Tunnel Mode Client Settings, select
Specify custom IP ranges and set IP Ranges to the SSL VPN tunnel address range.
Under Authentication/Portal Mapping, select Create New.
Assign the RADIUSgroup user group to the full-access portal, and assign All Other Users/Groups to the
desired portal.


Creating the security policy for VPN access to the Internet

1. Go to Policy & Objects > IPv4 Policy and create a new SSL-VPN policy, including the RADIUSgroup, as
shown.

Results

In this example, we will use the web portal to access the SSL VPN and test the two-factor authentication.
1. Open a browser and navigate to the SSL VPN web portal, in this case https://172.25.176.127:10443.
Enter a valid username and password and select Login. You should be prompted to enter a FortiToken Code.


2. The FortiToken Code should have been sent to your mobile phone as a text message containing a 6-digit
number.
Enter the number into the SSL VPN login portal and select Login.


3. You should now have access to the SSL VPN tunnel.

4. To verify that the user has connected to the tunnel, on the FortiGate, go to Monitor > SSL-VPN Monitor.

5. On the FortiAuthenticator, go to Logging > Log Access > Logs to confirm the user's connection.


WiFi authentication

This section describes configuring WiFi authentication with FortiAuthenticator.

Assigning WiFi users to VLANs dynamically

Virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs.
Each user’s VLAN assignment is stored in the user database of the RADIUS server that authenticates the users.
This example creates dynamic VLANs for the Techdoc and Marketing departments. The RADIUS server is a
FortiAuthenticator. It is assumed a user group on the FortiAuthenticator has already been created (in this example,
employees).
config certificate ca
edit {name}
# CA certificate.
set name {string} Name. size[79]
set ca {string} CA certificate as a PEM file.
set range {global | vdom} Either global or VDOM IP address range for the CA certificate.
global Global range.
vdom VDOM IP address range.
set source {factory | user | bundle} CA certificate source type.
factory Factory installed certificate.
user User generated certificate.
bundle Bundle file certificate.
set trusted {enable | disable} Enable/disable as a trusted CA.
set scep-url {string} URL of the SCEP server. size[255]
set auto-update-days {integer} Number of days to wait before requesting an updated CA certificate (0 - 4294967295, 0 = disabled). range[0-4294967295]

Configuring the FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and register the FortiGate as a
client.
Enable all EAP types, set Realm to local, and apply the employees user group.

2. Next go to Authentication > User Management > Local Users and create local user accounts as needed.


3. For each user, add the RADIUS attributes that carry the VLAN assignment to the FortiGate: Tunnel-Type
(set to VLAN), Tunnel-Medium-Type (set to IEEE-802), and Tunnel-Private-Group-Id, which carries the VLAN ID.
In this example, jsmith is assigned VLAN 100 and twhite is assigned VLAN 200.

Adding the RADIUS server to the FortiGate

1. On the FortiGate, go to User & Device > RADIUS Servers and select Create New.
Enter the FortiAuthenticator IP address and the server Secret entered on the FortiAuthenticator earlier.


Select Test Connectivity to confirm the successful connection.

Creating an SSID with dynamic VLAN assignment

1. On the FortiGate, go to WiFi & Switch Controller > SSID and create a new SSID.
Set up DHCP service.


2. Select WPA2 Enterprise security and select your RADIUS server for authentication.
Enable Dynamic VLAN Assignment.


3. Then open the CLI Console and enter the following commands to set the SSID's default VLAN ID to 10. This
VLAN is used when RADIUS does not assign a VLAN:
config wireless-controller vap
edit example-wifi
set vlanid 10
next
end

Creating the VLAN interfaces

1. Go to Network > Interfaces.
Create the VLAN interface for default VLAN-10 and set up DHCP service.


2. Then create two more VLAN interfaces: one for marketing-100 and another for techdoc-200, both with
DHCP service.


Creating security policies

1. Go to Policy & Objects > IPv4 Policy.


Create a policy that allows outbound traffic from marketing-100 to the Internet.

2. Under Logging Options, enable logging for All Sessions.

3. Create another policy that allows outbound traffic from techdoc-200 to the Internet.


For this policy too, under Logging Options, enable logging for All Sessions.

Creating the FortiAP profile

1. Go to WiFi & Switch Controller > FortiAP Profiles.


Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2.


Connecting and authorizing the FortiAP

1. Go to Network > Interfaces and edit an unused interface.


Set an IP/Network Mask and enable CAPWAP under Administrative Access > IPv4.
Enable DHCP Server.
Now connect the FortiAP unit to the this interface and apply power.
2. Go to WiFi & Switch Controller > Managed FortiAPs.
Right-click on the FortiAP unit and select Authorize.
Once authorized, right-click on the FortiAP unit again and select Assign Profile and select the FortiAP profile
created earlier.

Results

The SSID will appear in the list of available wireless networks on the users' devices.
Both twhite and jsmith can connect to the SSID with their credentials and access the Internet.
If a certificate warning message appears, accept the certificate. The warning means the client does not yet
trust the certificate the FortiAuthenticator presents during EAP; outside a lab, install the issuing CA on the
clients instead, so that they can tell the real RADIUS server from an impostor.
1. Go to FortiView > Policies.
Note that traffic for jsmith and twhite will pass through different policies. In this example, the
marketing-100-internet policy is displayed, indicating that jsmith has connected to the WiFi.


2. Double-click to drill-down, where the user's identity (including username, source IP, and device address) is
confirmed.

3. When twhite has connected to the WiFi network, go to FortiView > Policies and drill-down. The user, and
techdoc-200-internet policy, is confirmed.


WiFi using FortiAuthenticator RADIUS with certificates

This recipe will walk you through the configuration of FortiAuthenticator as the RADIUS server for a FortiGate wireless
controller. WPA2-Enterprise with 802.1X authentication can be used to authenticate wireless users with
FortiAuthenticator. 802.1X uses the Extensible Authentication Protocol (EAP) to establish a secure tunnel between
the participants in an authentication exchange.
EAP-TLS is the most secure form of wireless authentication because it replaces the client username/password with a
client certificate, so there is no password to phish or guess. Every participant in EAP-TLS, the client and the
authentication server alike, must hold at least two certificates:
1. Its own certificate (a client certificate for the user's device, a server certificate for the FortiAuthenticator),
signed by the certificate authority (CA)
2. A copy of the CA root certificate, used to validate the other side.
This recipe specifically focuses on the configuration of the FortiAuthenticator, FortiGate, and Windows 10 computer.

Creating a local CA on FortiAuthenticator

The FortiAuthenticator will act as the certificate authority for all certificates authenticated for client access. To enable
this functionality, a self-signed root CA certificate must be generated.
1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select
Create New. Configure the fields as required.


Creating a local service certificate on FortiAuthenticator

In order for the FortiAuthenticator to use a certificate in mutual authentication (supported by EAP-TLS), a local services
certificate has to be created on behalf of the FortiAuthenticator.
1. Go to Certificate Management > End Entities > Local Services and select Create New. Complete the
information in the fields pertaining to your organization.


Configuring RADIUS EAP on FortiAuthenticator

In order for the FortiAuthenticator to present the newly created Local Services certificate as its authentication to the
WiFi client, RADIUS EAP must be configured to use this certificate.
1. Go to Authentication > RADIUS Service > EAP and select Create New. Select the corresponding Local
Services certificate in the EAP Server Certificate section. Choose the Local CA certificate previously configured in the
Local CAs section.

Configuring RADIUS client on FortiAuthenticator

The FortiAuthenticator has to be configured to accept authentication requests from the FortiGate as a RADIUS client.
1. Go to Authentication > RADIUS Service > Clients and select Create New.
Enter a Name, enter the FortiGate's IP address, and enter a Secret. Set the Authentication method to
Password-only authentication and set Username input format to username@realm.
EAP-TLS should be the only EAP type selected. Leaving other EAP types enabled would let a client that does not
present a certificate fall back to a less secure, password-based method, which defeats the purpose of this recipe.

Configuring local user on FortiAuthenticator

The authentication of the WiFi client will be tied to a user account on the FortiAuthenticator. In this scenario, a local
user will be configured but remote users associated with LDAP can be configured as well.
1. Go to Authentication > User Management > Local Users and select Create New. Fill out applicable user
information.


Configuring local user certificate on FortiAuthenticator

The certificate created locally on the FortiAuthenticator will be associated with the local user. It is important to note that
the certificate's Name (CN) must exactly match the username of the user registered in the FortiAuthenticator (in the
example, eap-user), because this is how the FortiAuthenticator maps the presented certificate to a user account.
1. Go to Certificate Management > End Entities > Users and select Create New. Fill out applicable user
information to map the certificate to the correct user.


Creating RADIUS server on FortiGate

In order to proxy the authentication request from the wireless client, the FortiGate will need to have a RADIUS server to
submit the authentication request to.
1. On the FortiGate, go to User & Device > RADIUS Servers and select Create New. Enter a Name, the
FortiAuthenticator’s IP address, and the same Secret set on the FortiAuthenticator.


Select Test Connectivity to confirm the successful connection.

Creating WiFi SSID on FortiGate

In order for the WiFi client to connect using its certificate, an SSID has to be configured on the FortiGate to accept this
type of authentication.


1. Go to WiFi & Switch Controller > SSID and create an SSID with DHCP for clients.

2. Set the following WiFi Settings, assigning the RADIUS Server configured earlier.


3. Then go to WiFi & Switch Controller > FortiAP Profiles and edit your FortiAP default profile.
Select the new SSID for both Radio 1 and Radio 2.


4. Then go to Policy & Objects > IPv4 Policy and create a policy that allows outbound traffic from the EAP-TLS
wireless interface to the Internet.


Exporting user certificate from FortiAuthenticator

In order for the WiFi client to authenticate with the RADIUS server, the user certificate created in the FortiAuthenticator
must first be exported.
1. On the FortiAuthenticator, go to Certificate Management > End Entities > Users. Select the certificate and
select Export Key and Cert.

2. In the Export User Certificate and Key File dialog, enter and confirm a Passphrase. This passphrase will be
required when importing the certificate into the Windows 10 computer. Select OK.

3. Select Download PKCS#12 file to pull this certificate to the Windows 10 computer. Select Finish.
The PKCS#12 file contains the user's private key, so choose a strong passphrase, transfer the file over a trusted
channel, and delete it once it has been imported.

Importing user certificate into Windows 10

1. On the Windows 10 computer, double-click the downloaded certificate file from the FortiAuthenticator. This will
launch the Certificate Import Wizard. Select Next.


2. Make sure the correct certificate is shown in the File name section in the File to Import window. Select Next.


3. Enter the Password created on the FortiAuthenticator during the export of the certificate. Select Mark this key as
exportable and leave the remaining options at their defaults. Select Next. (EAP-TLS does not need the key to be
exportable; leaving this option cleared prevents the private key from being exported from this computer again.)


4. In the Certificate Store, choose the Place all certificates in the following store. Select Browse and choose
Personal. Select Next, and then Finish. A dialog box will show up confirming the certificate was imported
successfully.


Configuring Windows 10 wireless profile to use certificate

Create a new wireless SSID for this secure connection, in this case EAP-TLS.
1. On Windows 10, go to Control Panel > Network and Sharing Center > Set up a new connection or
network > Manually connect to a wireless network. Enter a Network name and set Security type to WPA2-
Enterprise. The Encryption type is set to AES.


2. Once created, you have the option to modify the wireless connection. Select Change connection settings.


3. In the Security tab, set Choose a network authentication method to Microsoft: Smart card or other
certificates, and select Settings.


4. Enable both Use a certificate on this computer and Use simple certificate selection.
Note that, for simplification purposes, Verify the server's identity by validating the certificate has been
disabled. With it disabled, the client will complete the handshake with any access point and RADIUS server
advertising this SSID, so it cannot tell a rogue access point from the real one. EAP-TLS allows the client to validate
the server as well as the server to validate the client. To enable this, import the CA from the FortiAuthenticator to the
Windows 10 computer, make sure that it is listed under Trusted Root Certification Authorities, and then enable the
option with that CA selected.
Select OK for all dialog windows to confirm all settings. The configuration for the Windows 10 computer has been
completed and the user should be able to authenticate to WiFi via the certificate without using their username and
password.


Results

1. On the user's device, attempt to connect to the WiFi. Select the user's certificate and select OK.

2. On the FortiAuthenticator, go to Logging > Log Access > Logs to confirm the successful authentication.


3. On the FortiGate, go to Monitor > WiFi Client Monitor to view various information about the client.

You can also go to Log & Report > Forward Traffic to view more log details.


WiFi RADIUS authentication with FortiAuthenticator

In this example, you use a RADIUS server to authenticate your WiFi clients.
The RADIUS server is a FortiAuthenticator that is used to authenticate users who belong to the employees user group.


Creating users and user groups on the FortiAuthenticator

1. Go to Authentication > User Management > Local Users and create a user account.

2. Then go to Authentication > User Management > User Groups and create a local user group (employees),
adding the newly created user.

Registering the FortiGate as a RADIUS client on the FortiAuthenticator

1. Go to Authentication > RADIUS Service > Clients and create a client account.
Enable all EAP types, set Realm to local, and apply the employees user group.


Configuring FortiGate to use the RADIUS server

1. Go to User & Device > RADIUS Servers and add the FortiAuthenticator as a RADIUS server.
Select Test Connectivity to confirm the successful connection.


Creating the SSID and setting up authentication

1. Go to WiFi & Switch Controller > SSID and define your wireless network.

2. Set up DHCP for your clients.


3. Configure WPA2 Enterprise security that uses the RADIUS server.

Connecting and authorizing the FortiAP

1. Go to Network > Interfaces and configure a dedicated interface for the FortiAP.


Under Administrative Access, enable PING and CAPWAP, and enable DHCP Server.
Under Networked Devices, enable Device Detection.


2. Connect the FortiAP unit to the interface. Then go to WiFi & Switch Controller > Managed FortiAPs. Notice
the Status is showing Waiting for Authorization.
When the FortiAP is listed, select and Authorize it.

3. The FortiAP is now Online. The Status may take a few minutes to update.

4. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile.


This example uses a FortiAP-S 221E, so the FAPS221E-default profile applies.
For each radio, make sure to select your SSID.


Creating the security policy

1. Go to Policy & Objects > IPv4 Policy and add a policy that allows WiFi users to access the Internet.

2. Under Logging Options, enable Log Allowed Traffic and All Sessions.


Results

1. Connect to the example-staff network and browse Internet sites.


On the FortiGate, go to Monitor > WiFi Client Monitor to see that clients connect and authenticate.

WiFi with WSSO using FortiAuthenticator RADIUS and Attributes

This is an example of wireless single sign-on (WSSO) with a FortiGate and FortiAuthenticator. The WiFi users are
teachers and students at a school. These users each belong to a user group, either teachers (smaguire) or students
(whunting). The FortiAuthenticator performs user authentication and passes the user group name to the FortiGate so
that the appropriate security policy is applied.
This recipe assumes that an SSID and a FortiAP are configured on the FortiGate unit. In this configuration, you will be
changing the existing SSID’s WiFi settings so authentication is provided by the RADIUS server.
For this example, the student security policy applies a more restrictive web filter.

Registering the FortiGate as a RADIUS client on the FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and select Create New.
Enter a Name, the Internet-facing IP address of the FortiGate, and a Secret.


Select the Password-only authentication method, select the Local users realm, and enable all EAP types.

Creating users on the FortiAuthenticator

1. Go to Authentication > User Management > Local Users and select Create New.
Create one teacher user (smaguire) and another student user (whunting).


2. Note that, after you create the users, RADIUS Attributes appears as an option.


If your configuration involves multiple users, it is more efficient to add RADIUS attributes in their respective user
groups, in the next step.

Creating user groups on the FortiAuthenticator

1. Go to Authentication > User Management > User Groups and create two user groups: teachers and
students.
Add the users to their respective groups.


2. Once created, edit both user groups and select Add Attribute.


3. Add the Fortinet-Group-Name RADIUS attribute to each group, which specifies the user group name to be sent to
the FortiGate.
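The exchanges behind this WSSO recipe, the dynamic VLAN recipe earlier in this section, and the SMS two-factor SSL VPN recipe are plain RADIUS: the FortiGate sends an Access-Request, and the FortiAuthenticator answers with an Access-Accept carrying Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id (the VLAN case) or the Fortinet-Group-Name vendor attribute (the WSSO case), or with an Access-Challenge carrying a State attribute while an SMS token is still outstanding. The following Python is an added example written for this page, not Fortinet code. It builds and checks those packets offline, including the User-Password hiding and the Response Authenticator that tie every reply to the shared secret. The vendor ID 12356 and attribute number 1 for Fortinet-Group-Name come from the public Fortinet RADIUS dictionary; the usernames, secret, NAS address and replies are constructed for the example and are not FortiAuthenticator output.

```python
import hashlib, hmac, os, struct

# Packet codes (RFC 2865) and the attribute types these recipes rely on (RFC 2865, RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE, VENDOR_SPECIFIC = 1, 2, 4, 18, 24, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
# Fortinet VSA numbers from the public Fortinet RADIUS dictionary (enterprise 12356, Fortinet-Group-Name = 1)
FORTINET_VENDOR_ID, FORTINET_GROUP_NAME = 12356, 1

def hide_password(data, secret, authenticator, decrypt=False):
    """User-Password hiding (RFC 2865 s5.2): pad to 16-byte blocks, XOR each block with MD5(secret + previous
    block), the first block using the Request Authenticator. decrypt=True reverses it (chains on ciphertext)."""
    blocks = len(data) // 16 if decrypt else max(1, -(-len(data) // 16))
    padded = data.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = padded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out, prev = out + block, (chunk if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def attr(atype, value, tag=None):
    """Type/length/value attribute; RFC 2868 tunnel attributes get a leading tag byte (0 = untagged)."""
    if tag is not None:
        value = bytes([tag]) + value
    return struct.pack("!BB", atype, len(value) + 2) + value

def vlan_attrs(vlan_id):
    """The three attributes a RADIUS server returns for dynamic VLAN assignment (RFC 3580 s3.31)."""
    return (attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"), tag=0)
            + attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"), tag=0)
            + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode(), tag=0))

def fortinet_group_attr(group):
    """Fortinet-Group-Name as a Vendor-Specific attribute: vendor id, then vendor type/length/value."""
    vsa = struct.pack("!BB", FORTINET_GROUP_NAME, len(group) + 2) + group.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + vsa)

def build_access_request(ident, secret, username, password, nas_ip, state=None):
    """NAS (FortiGate) side; returns (packet, request_authenticator). `state` echoes a prior Access-Challenge."""
    auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    if state is not None:
        attrs += attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_response(code, request, secret, attrs=b""):
    """Server side, used here only to construct sample replies (constructed data, not FortiAuthenticator output).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def parse_attrs(data):
    """List of (type, value). Tunnel attributes decode to (tag, value), VSAs to (vendor, vendor_type, value)."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            vendor, j = struct.unpack("!I", value[:4])[0], 4
            while j < len(value):
                out.append((atype, (vendor, value[j], value[j + 2:j + value[j + 1]])))
                j += value[j + 1]
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((atype, (value[0], value[1:])))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:  # a first byte above 0x1F is string data, not a tag (RFC 2868 s3.6)
            out.append((atype, (value[0], value[1:]) if value[0] <= 0x1F else (0, value)))
        else:
            out.append((atype, value))
        i += alen
    return out

def verify_response(packet, request_auth, secret):
    """Client side: (code, attributes) if the Response Authenticator is valid under the shared secret, else None.
    None means the reply was not produced by a holder of the secret, or was altered in transit."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return (code, parse_attrs(packet[20:])) if hmac.compare_digest(packet[4:20], expected) else None

def vlan_from_attrs(attrs):
    """VLAN ID from an Access-Accept, or None if the tunnel attributes are missing or not VLAN over IEEE-802."""
    d = dict(a for a in attrs if a[0] in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    ok = (len(d) == 3 and int.from_bytes(d[TUNNEL_TYPE][1], "big") == TUNNEL_TYPE_VLAN
          and int.from_bytes(d[TUNNEL_MEDIUM_TYPE][1], "big") == TUNNEL_MEDIUM_IEEE802)
    return int(d[TUNNEL_PRIVATE_GROUP_ID][1].decode()) if ok else None

def group_from_attrs(attrs):
    """Fortinet-Group-Name from an Access-Accept (the group name the FortiGate matches for WSSO), or None."""
    for atype, value in attrs:
        if atype == VENDOR_SPECIFIC and value[0] == FORTINET_VENDOR_ID and value[1] == FORTINET_GROUP_NAME:
            return value[2].decode()
    return None
```

A typical walk-through is to build an Access-Request for jsmith, construct an Access-Accept with vlan_attrs(100) plus fortinet_group_attr("marketing"), run it through verify_response and read the VLAN and group back; then construct an Access-Challenge carrying STATE and REPLY_MESSAGE, and echo that State in the second Access-Request that carries the six-digit token as its password. Note what the protocol does and does not protect: only User-Password is hidden, every other attribute travels in the clear over UDP, and the reply check is an MD5 keyed by the secret, so choose a long random secret, keep the FortiGate-to-FortiAuthenticator path on a trusted network, and prefer RADIUS over TLS where both ends support it.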

Configuring the FortiGate to use the FortiAuthenticator as the RADIUS server

1. On the FortiGate, go to User & Device > RADIUS Servers and select Create New.
Enter a Name, the Internet-facing IP address of the FortiAuthenticator, and enter the same Primary Server
Secret entered on the FortiAuthenticator.


Select Test Connectivity to confirm the successful connection.

Configuring user groups on the FortiGate

1. Go to User & Device > User Groups and create two groups named the same as the ones created on the
FortiAuthenticator.
Do not add any members to either group. The FortiGate matches the Fortinet-Group-Name value returned by the
FortiAuthenticator against these group names, so the names must be identical for the right policy to apply.

Creating security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.


Create two policies (student-wifi and teacher-wifi) with WiFi-to-Internet access: one policy with Source set to the
students user group, and the other set to teachers. Make sure to add the SSID address (example-wifi) to both
policies also.


The student policy has a more restrictive Web Filter profile enabled.


Configuring the SSID to RADIUS authentication

1. Go to WiFi & Switch Controller > SSID and edit your pre-existing SSID interface.
Under WiFi Settings, set Security Mode to WPA2 Enterprise, set Authentication to RADIUS Server, and
add the RADIUS server configured on the FortiGate earlier from the dropdown menu.

Results

1. Connect to the WiFi network as a student.


2. Then on the FortiGate go to Monitor > Firewall User Monitor. From here you can verify the user, the user
group, and that the WSSO authentication method was used.


LDAP Authentication

This section describes configuring LDAP authentication.


- G Suite integration using LDAP on page 126

G Suite integration using LDAP

This article explains how to integrate the FortiAuthenticator with G Suite Secure LDAP, authenticating the LDAP client
with a certificate. You will use the Google directory, through Secure LDAP, to authenticate end users for 802.1X and VPN.
1. Generating the G Suite certificate on page 126
2. Importing the certificate to FortiAuthenticator on page 127
3. Configuring LDAP on the FortiAuthenticator on page 129
4. Troubleshooting on page 131

Generating the G Suite certificate

You must first generate certificates to authenticate the LDAP client with Secure LDAP service.

To generate certificate authentication:

1. From the Google Admin console, go to Apps > LDAP.


2. Select one of the clients in the list.
3. Click the Authentication card.
4. Click GENERATE NEW CERTIFICATE, then click the download icon to download the certificate.
5. Upload the certificate to your client, and configure the application.
Depending on the type of LDAP client, configuration may require LDAP access credentials. See Generate access
credentials.

The downloaded bundle contains the client certificate and its private key, for example:

- Cert: Google_2022_09_09_72372.crt
- Key: Google_2022_09_09_72372.key

Store the certificate and key in a safe place. The key is what allows its holder to bind to your directory as this LDAP
client, so protect it like a password.

By default, FortiAuthenticator will not trust the certificate presented by Google. You must install the Google trusted
CA that matches the server's certificate chain, which can be downloaded from https://pki.goog/:
- GS Root R2

Importing the certificate to FortiAuthenticator

This series of steps can be performed on the primary FortiAuthenticator.


To import the trusted CA certificate:

1. Go to Certificate Management > Certificate Authorities > Trusted CAs > Import.

2. Enter a Certificate ID, select the certificate, and click OK.

Results:

You can now import the LDAP certificate generated by G Suite.

To import the client authentication certificate:

1. Go to Certificate Management > End Entities > Local Services > Import.

2. As the Type, select Certificate and Private Key.


3. Provide a Certificate ID, choose the previously saved certificate and private key files, and select OK.


Configuring LDAP on the FortiAuthenticator

Now you can finish the LDAPS configuration using client authentication through certificate.
1. Go to Authentication > Remote Auth. Servers > LDAP > Create New.

2. Enter a name.
3. For Primary server name/IP enter ldap.google.com, and set the port to 636.
4. Enter the base distinguished name.
5. For the Username attribute, enter uid.
6. Select the option to obtain group memberships from Group attribute.
7. Enable Secure Connection and select either LDAPS or STARTTLS as the Protocol, and select the Google
CA certificate.


8. Enable Use Client Certificate for TLS Authentication, and select the LDAP certificate.

9. Select OK.

If required, you can now import users by clicking the Go button next to the Import users dropdown. This step is not
required, but is useful when you want to add information to user accounts or assign FortiTokens.


Troubleshooting

Missing option to use client certificate for TLS authentication

Use Client Certificate for TLS Authentication is only supported in FortiAuthenticator 6.0.1 and higher.

Certificate error messages

The following is an example of an incorrect Trusted CA certificate entry. Please verify that you have followed the steps
included in Generating the G Suite certificate on page 126.

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
