
Fortigate

Introduction

This will be a general guide on how to set up Fortinet/Fortigate together with a Mideye Server.


Requirements

The following requirements are needed for this integration to work:

  • Mideye Server 5 / Mideye Server 6
  • UDP port 1812
  • RADIUS authentication

Fortigate acts as a RADIUS client towards the Mideye Server. The Fortigate must be defined as a RADIUS client in the Mideye Server. Refer to the Mideye Server Reference Guide for more information on how to define a new RADIUS client.

Known Issues

Following are the known issues for the integration:

  • The option to dynamically present RADIUS reject messages has not yet been introduced for Fortigate. This means that more information about failed login attempts is not presented to the user.

Note

Example: If login fails because the mobile phone is not reachable, the Mideye error message ’Phone not reachable, for help see [www.mideye.com/help]’ will not be presented to the user. Instead, a default error message will be presented.

  • The FortiClient app for mobile devices does not support challenge-response. When logging in, an error will be displayed with the message "Bad host name - HTTP/1.1 401 Authorization Required". This bug has been reported to Fortigate and might be resolved in upcoming releases.

Integration

The following will explain the integration process of Fortigate with Mideye.

  1. Create address-spaces for internal networks:
    Log in to your Fortigate web-management and navigate to "Policy & Objects" → ”Addresses” → “Address”. Click "Create new" and specify your internal network(s). Repeat this step to add more networks.

  2. Add internal networks to a group:
    If more than one address object was created in step 1, those networks need to be added to a group. Navigate to "Policy & Objects" → ”Addresses” → ”Address Group”. Click "Create new" and give the group a suitable name and add all networks created in step 1.

  3. Specify address-range for remote users:
    By default, an address-range of 10.212.134.200-10.212.134.210 will be used for remote users.

    If this range conflicts with your IP allocation, navigate to "Policy & Objects" → ”Addresses” → ”Address”, click "Create new" and create a new “IP Range” object. Then update the SSL-VPN portal to use the new range (see step 7).

  4. Add the Mideye RADIUS-server in Fortigate:
    Navigate to "User & Authentication" → ”RADIUS server” and click “Create New”. Give the RADIUS server a suitable name, specify the IP address of the Mideye server and a shared secret; the shared secret must be identical on the Fortigate and on the Mideye server.

    Fortigate must be added as a RADIUS-client on the Mideye-server. For more information on how to define a RADIUS-client please see the Mideye Server Reference Guide.

    There are limitations to the “Test Connectivity” function. Fortigate uses its hostname as the NAS-ID when running “Test Connectivity”, so the test will not succeed unless your Fortigate's hostname equals the NAS-ID defined for it in the Mideye server. You can instead verify connectivity from the Mideye server side.

  5. Add NAS-ID:
    Connect to the Fortigate CLI and set the NAS-ID provided by Mideye. Set nas-id-type to custom so that the value given with nas-id is sent as the NAS-Identifier:

    config user radius
      edit <server>
        set nas-id-type { legacy | custom | hostname }
        set nas-id <custom ID>
      next
    end
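    As an added illustration (not Mideye or Fortinet code), the following Python builds the RFC 2865 Access-Request that the Fortigate, as RADIUS client, sends to the Mideye server, including the NAS-Identifier attribute that the server compares with the NAS-ID defined for that client, and checks a reply's Response Authenticator with the shared secret. Access-Challenge (code 11) is the challenge-response step mentioned under Known Issues. Secret, user, password and NAS-ID values are constructed for the example.

```python
import hashlib, os, struct

# RADIUS packet codes and the attribute types used below (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def encrypt_password(secret, authenticator, password):
    # User-Password hiding (RFC 2865 5.2): pad to 16-byte blocks and XOR each block
    # with MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(secret, username, password, nas_id, ident=1, authenticator=b""):
    # What the Fortigate (NAS) sends; NAS-Identifier is the value the Mideye
    # server compares with the NAS-ID defined for this RADIUS client.
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_password(secret, authenticator, password.encode()))
             + _attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(secret, request, code, attrs=b""):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_reply(secret, request, reply):
    # Client side: act on Accept/Reject/Challenge only when the identifier and the
    # Response Authenticator match; a wrong secret or an edited attribute fails here.
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and reply[4:20] == expected

def parse_attrs(pkt):
    # {type: value} for the attribute section; a malformed length byte stops parsing
    attrs, pos = {}, 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            break
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs
```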
    

  6. Create SSLVPN User group:
    Navigate to "User & Authentication" → ”User Groups”. Click "Create New" and give the new user-group a suitable name. Click "Add" under "Remote Groups" and add the RADIUS-server created in step 4.

  7. Configure the SSL-VPN portal:
    Navigate to "VPN" → ”SSL-VPN Portals” → “Edit full-access”. By default, SSLVPN_TUNNEL_ADDR1 is selected as the Source IP Pool; if you created your own address range in step 3, select that one instead. Click "OK".

  8. Configure the SSL-VPN Settings:
    Navigate to "VPN" → ”SSL-VPN Settings”. Select your WAN interface as the “Listen on Interface”.

    Adjust the “Listen on Port”, for example to 4443.

    Scroll down on the same page and, under “Authentication/Portal Mapping”, add the user group created in step 6.

  9. Create a new firewall-policy for the SSL-VPN:

    • Navigate to “Policy & Objects” → ”Firewall Policy” and click "Create new".
    • Give the policy a suitable name.
    • Set the “Incoming Interface” to “SSL-VPN tunnel interface (ssl.root)”.
    • Set the “Outgoing Interface” to the local network interface.
    • Set Source > Address to "all" and Source > User to the SSL-VPN user group created in step 6.
    • Set Destination > Address (Subnet) to your internal network (or the address group from step 2).
    • Set Schedule to "always", Service to "ALL" and Action to "ACCEPT".
    • Enable NAT.

  10. Change RADIUS-timeout:
    The default RADIUS timeout of 5 seconds needs to be changed to 30 seconds to avoid authentication failures.

    Open the CLI in the Fortigate web UI and enter:

    config system global
    set remoteauthtimeout 30
    end
    

  11. Verify Mideye two-factor authentication:
    Log on to your Fortigate SSL-VPN using your web browser or FortiClient and verify that your OTP is delivered to your mobile phone.