Fortinet Fortigate 60 Implementation Guide - gemalto.com · Fortinet Fortigate 60 Implementation...


Copyright

Copyright © 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.

Fortinet Fortigate 60 Implementation Guide

Fortinet Fortigate Overview

This documentation presents an overview and the steps necessary to configure a Fortinet Fortigate 60 for use with CRYPTO-MAS and CRYPTOCard tokens. The Fortigate can be used to create an encrypted tunnel between hosts. CRYPTO-MAS works in conjunction with the Fortigate to replace static passwords with strong two-factor authentication, which prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a connection to gain access to protected resources.

With CRYPTO-MAS acting as the authentication server for a VPN-enabled resource, an authenticated connection sequence is as follows:

1. The administrator configures the Fortinet Fortigate 60 to use RADIUS authentication.

2. The incoming RADIUS authentication request is relayed to the CRYPTO-MAS Server, as shown in Figure 1 below.

Figure 1 – RADIUS authentication request is relayed to the CRYPTO-MAS Server

3. The CRYPTO-MAS Server examines the incoming packet. If the user exists, it then checks the token associated with the user for the expected PIN + One-time password.

4. Once the PIN + One-time password has been verified against the user’s token and found valid, the server sends an access accept. If the user does not exist, or the PIN + One-time password is incorrect, it sends the user an access reject message. This is illustrated in Figure 2 below.

Figure 2 – The CRYPTO-MAS Server responds with an access accept or reject.
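The four-step exchange above (and the "RADIUS Authentication Encryption: PAP" entry in the Summary at the end of this guide) in working code. This is an added example, not code from this guide, from CRYPTOCard or from Fortinet: a minimal RFC 2865 Access-Request / Access-Accept / Access-Reject exchange run in-process, with a constructed token table standing in for the CRYPTO-MAS user and token store, a constructed shared secret, and the constructed user "henry" with PIN "1234" and one-time password "567890". It shows what "PAP" means on the RADIUS wire (the User-Password attribute is hidden with an MD5 keystream keyed by the shared secret and the Request Authenticator, not sent in clear) and why the Fortigate side must verify the Response Authenticator before trusting an access accept, since without the shared secret a reply cannot be forged or flipped from reject to accept.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 (only the ones this example needs).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed stand-in for the CRYPTO-MAS user/token store: user -> expected PIN + one-time password.
# A real server derives the OTP from the user's token; here it is a fixed sample value.
TOKEN_DB = {"henry": "1234" + "567890"}  # PIN "1234" followed by OTP "567890" (constructed)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding ('PAP' on the RADIUS wire): pad to 16-byte blocks and
    XOR with a chained MD5 keystream keyed by the shared secret and the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block  # the next block is keyed on this ciphertext block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password (server side); passwords have no NUL bytes, so padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    # Attribute = Type(1) Length(1, counting these two bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)  # header: Code(1) Identifier(1) Length(2) Authenticator(16)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt: bytes):
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("RADIUS packet truncated or length field does not match")
    return pkt[0], pkt[1], pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, attrs_bytes, req_auth, secret) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret). This is how the
    Fortigate can tell a genuine CRYPTO-MAS reply from a forged one."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()

def client_access_request(username, pin_plus_otp, secret, ident=1):
    """Fortigate side (step 2): the Access-Request relayed to the CRYPTO-MAS Server."""
    req_auth = os.urandom(16)  # fresh random Request Authenticator for every request
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(pin_plus_otp.encode(), secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(request: bytes, secret: bytes, token_db=TOKEN_DB) -> bytes:
    """Stand-in for the CRYPTO-MAS Server (steps 3 and 4): look the user up, check PIN + OTP."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("expected an Access-Request")
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = reveal_password(a[ATTR_USER_PASSWORD], secret, req_auth) if ATTR_USER_PASSWORD in a else b""
    expected = token_db.get(user)
    # Unknown user and wrong PIN + OTP both yield the same access reject; compare in constant time.
    ok = expected is not None and hmac.compare_digest(supplied, expected.encode())
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, b"", req_auth, secret), [])

def client_check_response(response, req_auth, ident, secret) -> bool:
    """Fortigate side: verify the reply is authentic before trusting its code."""
    code, resp_ident, resp_auth, _ = parse_packet(response)
    expected = response_authenticator(code, resp_ident, response[20:], req_auth, secret)
    if resp_ident != ident or not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator check failed: reply is not from the expected server")
    return code == ACCESS_ACCEPT

def authenticate(username, pin_plus_otp, secret=b"constructed-shared-secret") -> bool:
    """Run the whole exchange in-process: True on access accept, False on access reject."""
    request, req_auth = client_access_request(username, pin_plus_otp, secret, ident=7)
    return client_check_response(server_handle(request, secret), req_auth, 7, secret)
```

Calling authenticate("henry", "1234567890") returns True, while a wrong OTP or an unknown user returns False with an identical access reject on the wire. The shared secret entered on the Fortigate (Add RADIUS Server) and on the CRYPTO-MAS Server is the only thing protecting the PIN + One-time password in transit and the integrity of the reply, which is why it should be long, random and not reused across devices.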


Prerequisites

The following must be verified operational prior to configuring the Fortigate to use CRYPTOCard authentication:

1. End users can authenticate through the Fortigate with a static password before the Fortigate is configured to use CRYPTOCard authentication.

2. An initialized CRYPTOCard token is assigned to a CRYPTOCard user.

The following CRYPTO-MAS server information is also required:

Primary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address:

Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL):

CRYPTO-MAS RADIUS Accounting port number (OPTIONAL):

CRYPTO-MAS RADIUS Shared Secret:


Configuring Fortinet Fortigate

In order for the Fortigate to authenticate CRYPTOCard token users, RADIUS authentication must be enabled.

Add RADIUS Server

To add a new RADIUS Server, choose:

• User
• RADIUS
• Create New

Enter the IP Address and Shared Secret of the CRYPTO-MAS Server so that the Fortinet Fortigate points to it for authentication.


Creating a Local User

The next step is to create a user in the Fortigate.

To create a user, click:

• User
• Local
• Create New

Enter the user’s username, select RADIUS, then select the RADIUS server the user will authenticate against. Click OK when everything has been selected.

Note: the username must match the username that is provided to the CRYPTO-MAS Server.


Creating a User Group

Now a group must be created. From the Local tab, click on:

• User Group tab
• Create New

At least the following configuration options should be selected:

• Enter the name of the group
• Change type from Firewall to SSL VPN
• Expand the SSL-VPN User Group Options.
• Put a check mark in the following boxes:
  • “Enable SSL-VPN Tunnel Service”
  • Enable Web Application
    o HTTP/HTTPS Proxy
    o Telnet(applet)
    o VNC
    o FTP
    o Samba
    o RDP
• Click OK


Configuring SSL-VPN Settings

To configure your SSL-VPN Connection, click on VPN, then SSL.

• Select Enable SSL-VPN.
• Choose a port for the SSL-VPN Connection.
• Enter the Tunnel IP Range.
• Select the Server Certificate (Self-Signed by default).
• Select “Default” for Encryption Key Algorithm.
• Idle Timeout is 300 seconds.


Creating a Firewall Policy

To create a new firewall policy, click on Firewall, Policy, Create New.

The following should be done:

Source
    Interface/Zone    wan1
    Address Name      All
Destination
    Interface/Zone    internal
    Address Name      all
Schedule              always
Service               ANY
Action                SSL-VPN

Select the Group on the Available Groups side and move it over to the Allowed side for SSL-VPN access.

Check off Protection Profile; it should default to unfiltered.

Click OK when finished.


Testing RADIUS Authentication through HyperTerminal

Create a new HyperTerminal session on the machine to which the Fortinet Fortigate is connected.

Once you have logged on, enter the command with the following syntax:

# diag test auth rad <radius server name> <auth protocol> <username> <One-Time Password>

If it succeeds, the output message will be something along the lines of:

“authenticate ‘henry’ against ‘pap’ succeeded, server=primary session_timeout=0 secs!”


VPN Client login page

To test the VPN access from a browser, navigate to https://<Fortigate_Wan_IP_Address>:<port>

A login prompt comes up. Enter the username and PIN + One-time password.

Once the user has successfully logged in, they will be presented with a Welcome to SSL-VPN Service page.

The CRYPTO-MAS Server can also be set up to do New PIN Mode – Stored on Server, server changeable.

If the user’s PIN style has been set to Store on Server, server changeable, and set to push out a new PIN after the next log on, a new PIN will be displayed on the webpage, as illustrated below.

Solution Overview

Summary

Product Name                     Fortinet Fortigate
Vendor Site                      http://www.fortinet.com/
Supported VPN Client Software    Internet Explorer 6 or higher
                                 Mozilla Firefox 1.5 or higher
Authentication Method            RADIUS Authentication

Supported RADIUS Functionality for Fortinet Fortigate

RADIUS Authentication Encryption   PAP
Authentication Method              One-time password
                                   Challenge-response
                                   Static password
New PIN Mode                       User changeable Alphanumeric 4-8 digit PIN
                                   User changeable Numeric 4-8 digit PIN
                                   Server changeable Alphanumeric 4-8 digit PIN
                                   Server changeable Numeric 4-8 digit PIN

Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS are either registered trademarks or trademarks of CRYPTOCard Corp.

Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History

Date                  Changes
October 27, 2006      Initial Draft
November 9, 2006      Global Draft
November 30, 2006     Minor Revision