Configuring the SecurID system
To use SecurID with a FortiGate unit, you need:
• to configure the RSA server and the RADIUS server to work with each other (see RSA server documentation)
• to configure the RSA SecurID 130 Appliance
or
• to configure the FortiGate unit as an Agent Host on the RSA ACE/Server
• to configure the FortiGate unit to use the RADIUS server
• to create a SecurID user group
• to create a SecurID user
The following instructions are based on RSA ACE/Server version 5.1 or the RSA SecurID 130 Appliance, and assume that you have successfully completed all the external RSA and RADIUS server configuration steps listed above.
In this example, the RSA server is on the internal network at 192.168.100.100, the RADIUS server is at 192.168.100.102, the FortiGate unit internal interface address is 192.168.100.3, and the RADIUS shared secret is fortinet123.
To configure the RSA SecurID 130 Appliance
1. Go to the IMS Console for SecurID and log on.
2. Go to RADIUS > RADIUS Clients, and select Add New.
3. Enter the following information to configure your FortiGate as a SecurID Client, and select Save.
RADIUS Client Basics |
Client Name | FortiGate |
Associated RSA Agent | FortiGate |
RADIUS Client Settings |
IP Address | 192.168.100.3 | The IP address of the FortiGate unit internal interface. |
Make / Model | Select Standard Radius |
Shared Secret | fortinet123 | The RADIUS shared secret. |
Accounting | Leave unselected |
Client Status | Leave unselected |
To configure the FortiGate unit as an Agent Host on the RSA ACE/Server
1. On the RSA ACE/Server computer, go to Start > Programs > RSA ACE/Server, and then Database Administration - Host Mode.
2. On the Agent Host menu, select Add Agent Host.
3. Enter and save the following information.
Name | FortiGate |
Network Address | 192.168.100.3 | The IP address of the FortiGate unit. |
Secondary Nodes | Optionally enter other IP addresses that resolve to the FortiGate unit. |
If needed, refer to the RSA ACE/Server documentation for more information.
To configure the FortiGate unit to use the RADIUS server
1. Go to User & Device > Authentication > RADIUS Servers and select Create New.
2. Enter the following information, and select OK.
Name | RSA |
Primary Server IP/Name | 192.168.100.102 | Optionally select Test to ensure the IP address is correct and the FortiGate can contact the RADIUS server. |
Primary Server Secret | fortinet123 | Must be identical to the shared secret entered on the RSA RADIUS server for this client. |
Authentication Scheme | Select Use Default Authentication Scheme. |
To create a SecurID user group
1. Go to User & Device > User > User Groups, and select Create New.
2. Enter the following information.
Name | RSA_group |
Type | Firewall |
3. In Remote Groups, select Add, then select the RSA server.
4. Select OK.
To create a SecurID user
1. Go to User & Device > User > User Definition, and select Create New.
2. Use the wizard to enter the following information, and then select Create.
User Type | Remote RADIUS User |
User Name | wloman |
RADIUS Server | RSA |
Contact Info | (optional) Enter Email or SMS information |
User Group | RSA_group |
To test this configuration, on your FortiGate unit use the CLI command:
diagnose test authserver radius RSA auto wloman 111111111
Replace the series of 1s with the passcode currently shown for the user's RSA SecurID token (for a PIN-protected token, the PIN followed by the tokencode). A passcode is valid only once: a successful test consumes it, so repeating the command with the same value is rejected, and you must wait for the token to advance before testing again. If the test fails with a correct passcode, check that the shared secret on the FortiGate matches the one on the RSA RADIUS server and that the address the FortiGate sends from is the one registered as the RADIUS client or Agent Host; a mismatch in either makes the test fail.
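The test command above is a single RADIUS Access-Request and its reply. The following added example (not FortiOS or RSA code) re-implements that exchange from RFC 2865 so you can see what the shared secret actually does: it keys the PAP obfuscation of the passcode in the request, and it keys the Response Authenticator that lets the client tell a genuine Access-Accept from a forged one. It assumes PAP (the scheme a SecurID passcode needs, since the server cannot know the passcode in advance) and uses the page's values 192.168.100.3 and fortinet123. FakeRsaRadiusServer is a hypothetical in-memory stand-in for the RSA RADIUS server at 192.168.100.102, and the user, PIN and tokencode are constructed data, so the example runs offline.

```python
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
NAS_IP = "192.168.100.3"      # the FortiGate, i.e. the RADIUS client (from the page)
SECRET = b"fortinet123"       # the RADIUS shared secret (from the page)

def pap_encrypt(passcode: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple; XOR each block with MD5(secret + previous block)."""
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[pos + 2:pos + length]
        pos += length
    return attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(ident, secret, username, passcode, nas_ip, authenticator=None):
    """The Access-Request a NAS such as the FortiGate sends for a PAP authentication."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encrypt(passcode.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def build_response(code, ident, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs

class FakeRsaRadiusServer:
    """Hypothetical stand-in for the RSA RADIUS server: secret, registered clients, and the passcode currently valid per user."""

    def __init__(self, secret: bytes, clients: set, valid: dict):
        self.secret, self.clients, self.valid = secret, set(clients), dict(valid)

    def handle(self, packet: bytes, src_ip: str):
        if src_ip not in self.clients:
            return None  # not a registered RADIUS client: discarded without a reply
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length != len(packet):
            return None
        request_auth, attrs = packet[4:20], parse_attrs(packet[20:])
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        passcode = pap_decrypt(attrs.get(USER_PASSWORD, b""), self.secret, request_auth)
        expected = self.valid.get(user)
        ok = expected is not None and hmac.compare_digest(expected, passcode)
        if ok:
            self.valid[user] = None  # one-time passcode: now spent
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, b"", request_auth, self.secret)

def verify_response(packet, ident, request_auth, secret):
    """Client side: return the code only if the Response Authenticator was computed with the shared secret for this request."""
    if packet is None or len(packet) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return None
    expected = response_authenticator(code, rid, packet[20:], request_auth, secret)
    return code if hmac.compare_digest(packet[4:20], expected) else None

def authenticate(server, secret, username, passcode, nas_ip=NAS_IP, ident=1):
    """One round trip, the core of what 'diagnose test authserver radius' performs."""
    request, request_auth = build_access_request(ident, secret, username, passcode, nas_ip)
    return verify_response(server.handle(request, nas_ip), ident, request_auth, secret)

if __name__ == "__main__":
    # Constructed data: PIN 1234 and a token currently showing 123456, so the passcode is 1234123456.
    server = FakeRsaRadiusServer(SECRET, {NAS_IP}, {"wloman": b"1234123456"})
    print([authenticate(server, SECRET, "wloman", "1234123456") for _ in range(2)])  # Accept (2), then Reject (3)
```

Running the script shows the same one-time behaviour as the real test command: the first attempt returns Access-Accept and the identical second attempt Access-Reject. With a mismatched secret, authenticate returns None rather than a code, because the server's reply fails verification on the client side, and with an unregistered source address there is no reply at all. The Response Authenticator is an MD5 construction rather than a modern MAC, so it only stops a forger who lacks the secret; keep the FortiGate-to-RSA RADIUS path on a trusted network segment.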