FortiGate demo setup

These instructions assume you have a running installation of the FortiGate firewall service. The screenshots here are from FortiGate VM64 v6.0.6, but the main steps should be the same for every version. We also assume that you have installed a running instance of the MIRACL Trust RADIUS app and obtained your keys as detailed in the Installation section.

MIRACL Trust RADIUS setup

Whenever you change your MIRACL Trust RADIUS config, you must restart the service for the changes to take effect.

Make sure your /etc/miracl-radius/config.yaml lists the correct files to include (you will need to add a hosts/fortigate.yaml file to it):

includes:
  - core.yaml
  - hosts/fortigate.yaml

Open your /etc/miracl-radius/core.yaml file and edit the mfa section to include the client id and client secret from your app (as created in the MIRACL Trust administration portal in the Installation section):

server:
  address: :1812
protocols:
  - pap
  - chap
  - mschapv1
mfa:
  global:
    client_id: ''
    client_secret: ''

If you need to enable accounting functionality, you also need to add integrations/accounting.yaml to the includes of /etc/miracl-radius/config.yaml:

includes:
  - core.yaml
  - hosts/fortigate.yaml
  - integrations/accounting.yaml

and change its settings if necessary. Here are the default values:

/etc/miracl-radius/integrations/accounting.yaml

server:
  accounting:
    address: :1813
    storage:
      file:
        path: ./acct.log

Then edit your /etc/miracl-radius/hosts/fortigate.yaml file. Add the IP of your FortiGate server and the shared secret (a strong, hard to guess arbitrary string), which must also be entered in the FortiGate admin console. For the purposes of this simple demo you can also use the mfa_id parameter to allow a non-email username. The example below means that you can use the first half of an '@mycompany.com' email address as your username for logging in to FortiGate (e.g. 'john' from 'john@mycompany.com'):

host:
  172.17.0.1:
    name: fortigate
    authorize: true
    mfa: global
    mfa_id: '{{.UserID}}@mycompany.com'
    secret: 'fortigateSecret'
#    return_attributes:
#      Acct-Interim-Interval: 600
#      Vendor-Specific:
#        Fortinet:
#          Fortinet-Group-Name: MyGroup

Using authorize: true on its own would mean that anybody is permitted to attempt to log in, but combining it with mfa_id: '{{.UserID}}@mycompany.com' means that only users in the @mycompany.com email domain are authorized. The LDAP and authorization section explains how LDAP or a simple regex on email domains can be used for finer control over which users are authorized to attempt to log in.

If you need your RADIUS server to return any attributes to the RADIUS client (the FortiGate service in this case), use the return_attributes section and list the ones you need.

Do not confuse Client Secret with Secret! Client Secret is one of the keys you receive from the MIRACL Trust administration portal, while Secret is the arbitrary shared secret you must choose yourself and add to both the MIRACL Trust RADIUS host configuration (the secret field in hosts/fortigate.yaml above) and the FortiGate admin UI.

Note on user authentication

For the actual authentication of a user, the MIRACL Trust authentication server must receive an email address (see the OTP Generation menu section for how an email address is used to register and authenticate once RADIUS/OTP is up and running). Hence the mfa_id above lets a user log in to FortiGate with only the prefix of their email address, while the full email address is still presented to the MIRACL Trust platform for authentication. For example, if you registered with `john.smith@example.com`, this would enable you to log in with `john.smith`.

FortiGate configuration

Port 1812 (UDP), and port 1813 (UDP) if accounting is used, must be open, as the RADIUS packets are sent through them.

We assume you have a working VPN setup and can successfully connect via FortiClient to the FortiGate service without RADIUS.

To add a RADIUS server for authentication to the FortiGate server, open the FortiGate admin panel, go to User & Device > RADIUS Servers and click the + Create New button. Fill in the required IP/Name of your running MIRACL Trust RADIUS server and the shared secret you have already entered in the server's RADIUS host config file.

(Screenshot: fortigate_radius_setup)

Test with FortiGate web interface tool

If you have set up your connection properly, the Test Connectivity button should return Successful. Keep in mind that this button only checks whether there is any response from the RADIUS server; it does not check whether that response is an Access-Accept or an Access-Reject packet. If you want to check the type of the response too, use the Test User Credentials button: generate an OTP for a registered email and enter your email and the OTP in the requested fields. If you have set mfa_id in the RADIUS server host configuration, you can use only the local part of the email instead of the whole address (e.g. 'john' from 'john@mycompany.com') as the username.
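The Test Connectivity button only tells you that something answered on 1812/UDP. The following Python script is an added example (it is not part of this guide or of the MIRACL Trust RADIUS project) that does from the command line what Test User Credentials does in the UI: it sends a PAP Access-Request built as RFC 2865 describes, verifies the reply's Response Authenticator with the shared secret, and reports Access-Accept versus Access-Reject, so a forged or wrong-secret reply is not mistaken for a success. The server address, the sample username/OTP values and the render_mfa_id helper (which assumes the server simply substitutes {{.UserID}} with the RADIUS User-Name) are assumptions for illustration; build_response exists only so the classification logic can be exercised offline.

```python
"""Minimal stdlib-only RADIUS PAP probe for checking a RADIUS server reply
(added example; not the MIRACL Trust RADIUS project's own code)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def render_mfa_id(template: str, user_id: str) -> str:
    """Assumed rendering of the mfa_id template: the RADIUS User-Name replaces
    {{.UserID}}, giving the email address presented to MIRACL Trust."""
    return template.replace("{{.UserID}}", user_id)


def encrypt_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide the PAP password as RFC 2865 section 5.2 prescribes: pad to a multiple
    of 16 octets, then XOR each block with MD5(secret + previous ciphertext block),
    the first block being keyed by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def decrypt_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_password (what the server does with the shared secret)."""
    padded, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        padded += bytes(a ^ b for a, b in zip(chunk, key))
        prev = chunk
    return padded.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length counts the 2-octet header)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_id: bytes = b"radius-probe"):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = os.urandom(16)                               # fresh per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def classify_response(packet: bytes, secret: bytes, request_auth: bytes, identifier: int) -> str:
    """Check a reply against the outstanding request and name its code.
    Raises ValueError if it is malformed, for another request, or fails the
    Response Authenticator check (wrong shared secret or forged reply)."""
    if len(packet) < 20:
        raise ValueError("reply shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("reply Length field inconsistent")
    packet = packet[:length]                                    # octets past Length are padding
    if ident != identifier:
        raise ValueError("reply Identifier does not match the request")
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return CODE_NAMES.get(code, f"code {code}")


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Construct a server reply exactly as a real server would (offline testing only)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def probe(host: str, port: int, username: str, password: str, secret: bytes, timeout: float = 3.0) -> str:
    """Send one Access-Request and return 'Access-Accept', 'Access-Reject' or 'timeout'."""
    identifier = os.urandom(1)[0]
    packet, request_auth = build_access_request(identifier, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"                                     # port closed/filtered or server down
    return classify_response(reply, secret, request_auth, identifier)


if __name__ == "__main__":
    import sys
    # Usage: radius_probe.py <radius-server-ip> <username> <otp> <shared-secret>
    srv, user, otp, shared = sys.argv[1:5]
    print("MIRACL Trust will see:", render_mfa_id("{{.UserID}}@mycompany.com", user))
    print(probe(srv, 1812, user, otp, shared.encode()))
```

Run it as `python3 radius_probe.py <radius-server-ip> john <otp> fortigateSecret` from a machine whose IP appears in the host: map of hosts/fortigate.yaml (the server identifies clients by source IP), using an OTP you just generated for the registered email. A "timeout" result points at the 1812/UDP rule or at the client IP not being listed; a ValueError about the Response Authenticator means the shared secret on the two sides differs, which the UI's Test Connectivity button would not reveal.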

(Screenshot: fortigate_test_creds)

Setup user group

You need to create a user group that authenticates against the RADIUS server you just created. Navigate to User & Device > User Groups and click the + Create New button. It is important to choose Firewall as the group type. Enter an appropriate name and add the created RADIUS server as a Remote Group.

(Screenshot: fortigate_user_group)

You also need an IPv4 Policy for the SSL-VPN tunnel whose Source is the RADIUS user group you just created, so that you can authenticate with it over an SSL VPN connection. Here is our test sample setup:

(Screenshot: fortigate_ipv4)

Test with FortiClient

Your setup is now ready and you can connect to your FortiGate service through MIRACL Trust RADIUS authentication using the FortiClient SSL VPN tool. First generate an OTP for a registered email address. Then enter the FortiGate server IP and port in the requested FortiClient fields. Enter your username (if using mfa_id, only the first part of the email address you just generated the OTP for) and the generated OTP in the Username and Password fields.

(Screenshot: forticlient)

When you click the Connect button you should see a screen similar to this:

(Screenshot: forticlient_connect)