
Fortinet Fortigate 60 Implementation Guide

Copyright

Copyright 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.

Fortinet Fortigate Overview

This documentation presents an overview and the steps necessary to configure a Fortinet Fortigate 60 for use with CRYPTO-MAS and CRYPTOCard tokens. The Fortigate can be used to create an encrypted tunnel between hosts. CRYPTO-MAS works in conjunction with the Fortigate to replace static passwords with strong two-factor authentication, which prevents the use of lost, stolen, shared, or easily guessed passwords when a connection is established to gain access to protected resources. With CRYPTO-MAS acting as the authentication server for a VPN-enabled resource, an authenticated connection sequence is as follows:

1. The administrator configures the Fortinet Fortigate 60 to use RADIUS authentication.

2. The incoming RADIUS authentication request is relayed to the CRYPTO-MAS Server, as shown in Figure 1 below.

Figure 1 RADIUS authentication request is relayed to the CRYPTO-MAS Server

3. The CRYPTO-MAS Server examines the incoming packet. If the user exists, it checks the token associated with the user for the expected PIN + one-time password.

4. Once the PIN + one-time password has been verified against the user's token and found valid, the server returns a RADIUS Access-Accept. This is illustrated in Figure 2 below. If the user does not exist, or the PIN + one-time password is incorrect, the server returns an Access-Reject instead, and the Fortigate denies the connection.

Figure 2 The CRYPTO-MAS Server responds with an Access-Accept or Access-Reject.


Prerequisites

The following must be verified as operational before configuring the Fortigate to use CRYPTOCard authentication:

1. Verify that end users can authenticate through the Fortigate with a static password before configuring the Fortigate to use CRYPTOCard authentication.

2. An initialized CRYPTOCard token assigned to a CRYPTOCard user.

The following CRYPTO-MAS server information is also required:

Primary CRYPTO-MAS RADIUS Server fully qualified hostname or IP address:
Secondary CRYPTO-MAS RADIUS Server fully qualified hostname or IP address (optional):
CRYPTO-MAS RADIUS accounting port number (optional):
CRYPTO-MAS RADIUS shared secret:


Configuring Fortinet Fortigate

In order for the Fortigate to authenticate CRYPTOCard token users, RADIUS authentication must be enabled.

Add RADIUS Server

To add a new RADIUS server, choose: User > RADIUS > Create New

Enter the IP address (or hostname) of the CRYPTO-MAS Server and the shared secret so that the Fortigate sends its authentication requests to CRYPTO-MAS. The shared secret must be identical on both sides. Because the Fortigate uses RADIUS PAP (see the Supported RADIUS Functionality table at the end of this guide), the PIN + one-time password travels in the User-Password attribute protected only by an MD5 keystream derived from this secret, so use a long, random secret and keep the path between the Fortigate and the CRYPTO-MAS Server on a trusted network segment.


Creating a Local User

Next, create a user on the Fortigate. To create a user, click: User > Local > Create New

Enter the user's username, select RADIUS, and then select the RADIUS server the user will authenticate against. Click OK when everything has been selected.

Note: the username must match the username provisioned on the CRYPTO-MAS Server, since CRYPTO-MAS looks the user up by the User-Name the Fortigate sends.


Creating a User Group

Now a group must be created. Click: User > User Group > Create New

At least the following configuration options should be selected:

Enter the name of the group.
Change the type from Firewall to SSL VPN.
Expand SSL-VPN User Group Options and put a check mark in the following boxes:
  Enable SSL-VPN Tunnel Service
  Enable Web Application, with the applications the users require:
    HTTP/HTTPS Proxy
    Telnet (applet)
    VNC
    FTP
    Samba
    RDP

Enable only the tunnel service and web applications this group actually needs; each one enabled here becomes reachable by every member of the group once the firewall policy below is in place.

Click OK.


Configuring SSL-VPN Settings

To configure the SSL-VPN connection, click on VPN, then SSL.

Select Enable SSL-VPN.
Choose a port for the SSL-VPN connection.
Enter the tunnel IP range.
Select the server certificate (self-signed by default). A self-signed certificate causes a browser warning on every login and trains users to click through warnings; install a certificate issued by a CA the clients trust before going into production.
Select Default for Encryption Key Algorithm.
Idle Timeout is 300 seconds.

Creating a Firewall Policy

To create a new firewall policy, click on Firewall, Policy, Create New, and set the following:

Source Interface/Zone:       wan1
Source Address Name:         All
Destination Interface/Zone:  internal
Destination Address Name:    all
Schedule:                    always
Service:                     ANY
Action:                      SSL-VPN

Select the group on the Available Groups side and move it over to the Allowed side for SSL-VPN access. Check Protection Profile; it defaults to unfiltered. Click OK when finished.

As written, this policy lets any authenticated group member reach every internal address on every service. Once the setup is verified, narrow the destination address and service to the resources the group actually needs.


Testing RADIUS Authentication through HyperTerminal

Open a new HyperTerminal session on the machine connected to the Fortigate console port (an SSH session to the Fortigate CLI works equally well).

Once logged in, enter the following command:

# diag test auth rad

This is the abbreviated form of the FortiOS command

diagnose test authserver radius <server_name> <chap|pap|mschap|mschap2> <username> <password>

where <server_name> is the RADIUS server name configured above, the scheme is pap for CRYPTO-MAS, and <password> is the user's PIN + one-time password. Because each one-time password is single-use, the test consumes that token value.

If it succeeds, the output will be something along the lines of:

authenticate 'henry' against 'pap' succeeded, server=primary session_timeout=0 secs!
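The exchange the test above exercises, and that Figures 1 and 2 in the overview describe, is shown here as an added Python example; it is not code from this guide, from CRYPTOCard or from Fortinet. It builds the RADIUS Access-Request the Fortigate sends (with RFC 2865 PAP User-Password hiding), a small stand-in for the CRYPTO-MAS user/PIN + OTP check that answers Access-Accept or Access-Reject, and the NAS-side Response Authenticator check that stops a spoofed Access-Accept. The shared secret, the user "henry" and the PIN + OTP value are constructed sample data, and the server logic is a stand-in, not the CRYPTO-MAS implementation.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# Constructed sample data (not from the guide): the shared secret entered on both the
# Fortigate and CRYPTO-MAS, and one token user whose current PIN + OTP we know.
SHARED_SECRET = b"ExampleSharedSecret-ReplaceMe"
TOKEN_USERS = {b"henry": b"1234" + b"58201937"}   # PIN "1234" followed by an 8-digit OTP


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)) with
    c_0 = Request Authenticator. Keyed only by the secret, so anyone who knows it
    (or can guess a weak one offline from a capture) recovers the PIN + OTP."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; trailing NUL padding is stripped as the RFC prescribes."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, ident, authenticator, attrs_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()


def build_access_request(username, password, secret, ident=1):
    """What the Fortigate (the NAS) sends: fresh random Request Authenticator,
    User-Name, hidden User-Password (PIN + OTP) and a NAS-Identifier."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
                          (ATTR_NAS_IDENTIFIER, b"fortigate-60")])
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def crypto_mas_stand_in(request, secret, users):
    """Stand-in for the CRYPTO-MAS check (hypothetical, not its code): unhide the
    password, look the user up, compare PIN + OTP, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    presented = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(attrs.get(ATTR_USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(presented, expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply_code, ident, response_authenticator(reply_code, ident, req_auth, b"", secret), b"")


def check_reply(request, reply, secret):
    """NAS side: accept a reply only if its Identifier matches the request and its
    Response Authenticator verifies under the shared secret; returns the code or None."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return None
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def authenticate(username, password, secret=SHARED_SECRET, users=TOKEN_USERS):
    """One full exchange as in Figures 1 and 2: True only on a verified Access-Accept."""
    request = build_access_request(username, password, secret)
    reply = crypto_mas_stand_in(request, secret, users)
    return check_reply(request, reply, secret) == ACCESS_ACCEPT


if __name__ == "__main__":
    print("henry, correct PIN+OTP:", authenticate(b"henry", b"123458201937"))  # True
    print("henry, wrong OTP:", authenticate(b"henry", b"123400000000"))        # False
```

The Response Authenticator check in check_reply is what makes the shared secret matter on the accept path as well: a reply whose authenticator was not computed with the secret is discarded even if it carries the Access-Accept code. The stand-in does not implement token replay protection or the New PIN Mode described later; a real OTP server rejects a reused one-time password.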


VPN Client Login Page

To test VPN access from a browser, navigate to the Fortigate's external (wan1) address on the SSL-VPN port chosen in the SSL-VPN settings, using https.

A login prompt appears. Enter the username and the PIN + one-time password.


Once the user has logged in successfully, a Welcome to SSL-VPN Service page is displayed.

The CRYPTO-MAS Server can also be set up for New PIN Mode with the PIN style Stored on Server, server changeable. If the user's PIN style has been set to Stored on Server, server changeable, and the server is set to push out a new PIN after the next logon, the new PIN is displayed on the web page, as illustrated below.


Solution Overview

Summary

Product Name:                    Fortinet Fortigate
Vendor Site:                     http://www.fortinet.com/
Supported VPN Client Software:   Internet Explorer 6 or higher; Mozilla Firefox 1.5 or higher
Authentication Method:           RADIUS Authentication

Supported RADIUS Functionality for Fortinet Fortigate

RADIUS Authentication
  Encryption:             PAP
  Authentication Method:  One-time password; Challenge-response; Static password

New PIN Mode
  User changeable:    Alphanumeric 4-8 digit PIN; Numeric 4-8 digit PIN
  Server changeable:  Alphanumeric 4-8 digit PIN; Numeric 4-8 digit PIN

TrademarksCRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS are either registered trademarks or trademarks of CRYPTOCard Corp. Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History

Date                 Changes
October 27, 2006     Initial Draft
November 9, 2006     Global Draft
November 30, 2006    Minor Revision
