Channel: FortiAuthenticator – Fortinet Cookbook

SSL VPN remote browsing with LDAP authentication


This recipe describes how to configure an SSL VPN tunnel using LDAP Authentication on a FortiAuthenticator.

The VPN will be tested using FortiClient on a mobile Android device.

The recipe assumes that an LDAP server has already been configured and connected on the FortiGate, containing the user ‘bwayne’. For instructions on configuring FortiAuthenticator as an LDAP server, see LDAP authentication for SSL VPN with FortiAuthenticator.

1. Creating the LDAP user group

From the FortiGate GUI, go to User & Device > User > User Groups, and select Create New.

Enter a name for the user group, and under Remote Groups, select Create New.

 

Select the LDAP server under the Remote Server dropdown.

In the new Add Group Match window, select the desired group under the Groups tab, select Add Selected, and click OK.

The LDAP server has been added to the LDAP group.

2. Configuring the SSL VPN

Go to VPN > SSL > Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 10443.

Under Authentication/Portal Mapping, select Create New.

Assign the LDAPgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

3. Creating the security policies for VPN access to the Internet

Go to Policy & Objects > Policy > IPv4 and create an ssl.root – wan1 policy.

Set Source User(s) to the LDAPgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

If it is not already available, create another policy allowing internal access to the Internet.

4. Results

On your Android smartphone, open the FortiClient app and create a new VPN.
Give the VPN a name (in the example, SSL to 121.56), and set the VPN Type to SSL VPN. Select Create.

The SSL VPN settings will appear. Set Server to the IP of the FortiGate (in the example, 172.20.121.56), and set the Port to 10443.

Set Username to the desired LDAP user (in the example, bwayne), and set the user’s password.

Return to FortiClient’s list of VPN Tunnels, and connect to the newly created SSL VPN.

If prompted, enter valid LDAP credentials.

User ‘bwayne’ is now connected to the SSL VPN tunnel and can securely browse the Internet.

 


The post SSL VPN remote browsing with LDAP authentication appeared first on Fortinet Cookbook.


RADIUS authentication for SSL VPN with FortiAuthenticator


This recipe describes how to set up FortiAuthenticator to function as a RADIUS server for FortiGate SSL VPN authentication. It involves adding users to FortiAuthenticator, setting up the RADIUS client on the FortiAuthenticator, and then configuring the FortiGate to use the FortiAuthenticator as a RADIUS server.

1. Creating the User(s) on FortiAuthenticator

From the FortiAuthenticator GUI, go to Authentication > User Management > Local Users, and select Create New.

Enter a name for the user (in the example, ckent), enter and confirm a password, and select OK. Select OK again to bypass optional settings.

Next, go to Authentication > User Management > User Groups, and add a user group for the FortiGate users. Add the desired users to the group.

2. Creating the RADIUS Client on FortiAuthenticator

Go to Authentication > RADIUS Service > Clients, and select Create New.

Enter a name for the RADIUS Client, set Client name/IP to the IP of the FortiGate, and set a Secret. The Secret is a pre-shared, secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

Be sure to set Authentication method to Password-only authentication (exclude users without a password), and set Realms to local | Local users.

3. Connecting the FortiGate to the RADIUS Server

From the FortiGate GUI, go to User & Device > Authentication > RADIUS Servers, and select Create New.

Enter a name for the RADIUS server, enter the IP address of the FortiAuthenticator, and enter the Secret created before.

Test the connectivity and enter the credentials for ‘ckent’. The test should come back with a successful connection.

4. Creating the RADIUS User Group on the FortiGate

Go to User & Device > User > User Groups, and select Create New.

Enter a name for the user group, and under Remote Groups, select Create New.

Select FAC-RADIUS under the Remote Server dropdown.

FAC-RADIUS has been added to the RADIUS group.

5. Configuring the SSL VPN

From the FortiGate GUI, go to VPN > SSL > Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

Under Authentication/Portal Mapping, select Create New.

Assign the RADIUSgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

Select the prompt at the top of the screen to create a new SSL-VPN policy.

Set Source User(s) to the RADIUSgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

 

6. Results

From a remote device, access the SSL VPN Web Portal.

Enter valid RADIUS credentials (in the example, ckent).

‘ckent’ is now successfully logged into the SSL VPN Portal.

From the FortiGate GUI, go to VPN > Monitor > SSL-VPN Monitor to confirm the connection.

 


SSO using a FortiGate, FortiAuthenticator, and DC Polling (Expert)

This recipe demonstrates FortiGate user authentication with the use of a FortiAuthenticator as a Single Sign-On server. In this example, the FortiAuthenticator is configured to collect the user logon by polling the Domain Controller logs. User authentication controls Internet access and applies different security profiles for different users.
 

 1. Configuring the FortiAuthenticator

Go to Fortinet SSO Methods > SSO > General to configure general settings as shown in the exhibit.

Go to Fortinet SSO Methods > SSO > Domain Controllers and add the Windows AD to the FortiAuthenticator.

Go to Authentication > Remote Auth. Servers > LDAP to set the Windows AD as an LDAP server. This will be useful to import SSO Filtering Objects from Windows AD to the FortiAuthenticator.

Go to Fortinet SSO Methods > SSO > FortiGate Filtering and create a new FortiGate Filtering.

Under Fortinet Single Sign-On (FSSO), enable Forward FSSO information for users from the following subset of users/groups/containers only.

Under SSO Filtering Objects, select Import. In the Remote LDAP Server field, select the LDAP server created in the previous step (WinLDAP in this example) and select Apply.

Next, select the groups or containers to be imported, controlled and monitored by the FortiAuthenticator. In this example the “FortiOS Writers” user group is selected.

 2. Configuring SSO on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

In the Type field, select Fortinet Single-Sign-On Agent.

When you open the Users/Groups field, the SSO user groups that the FortiAuthenticator has polled from the Domain Controller show up on the FortiGate.

In this example, only the “FortiOS writers” group shows up because of the FortiGate Filtering configured in the previous step.

3. Creating a user group on the FortiGate

Go to User & Device > User > User Groups and create a new user group. Under Members, select the user group to be monitored. In this example only “FortiOS Writers” shows up because of the FortiGate Filtering configured earlier.

4. Adding a policy in the FortiGate

Go to Policy & Objects > Policy > IPv4 and create a policy allowing “FortiOS_writers” to browse the Internet with the appropriate security profiles.

The default Web Filter security profile is used in this example.

 5. Results from the FortiAuthenticator

Go to Monitor > SSO > Domains to verify the monitored domains. In this example “techdoc.local” is monitored by the FortiAuthenticator.

Have users log on to the domain, then go to Monitor > SSO > SSO Sessions and verify the SSO sessions.

Go to Logging > Log Access > Logs to verify the logs. Select an entry for details.

You can also verify results in the User inventory widget under System > Dashboard > Status.

 6. Results from the FortiGate

Upon successful authentication, go to User & Device > Monitor > Firewall and verify FSSO Logons.

Have an authenticated user browse the Internet. Security profiles are applied accordingly.

Go to Log & Report > Traffic Log > Forward Traffic to verify the log.

Select an entry for details.

 


Social WiFi Captive Portal with FortiAuthenticator (Twitter)


WiFi authentication using social media provides access control without having to manually create guest accounts.

This recipe involves configuring an API for Twitter accounts, setting up a social portal RADIUS service on the FortiAuthenticator, and configuring the FortiGate for Captive Portal access.
 
This recipe is similar to the Captive portal WiFi access control recipe, but involves external security mode configuration, RADIUS authentication, and does not include FortiAP registration instructions.
 
Note that some minimal CLI usage is required when configuring the FortiGate.
 
The FortiAuthenticator has been given an example fully qualified domain name (FQDN) — fortiauthenticator.example.com.

1. Configuring the Twitter developer account API

Open a browser and log in to your Twitter account. In the URL field enter the following:

https://apps.twitter.com/

Select Create New App.

Enter a Name, Description, and Website for the application.

In the Callback URL field, enter the following:

https://fortiauthenticator.example.com/social/complete/twitter/

Note that the FortiAuthenticator needs to be able to access the Internet.

Accept the Developer Agreement and select Create your Twitter application.

Go to Keys and Access Tokens to view your Consumer Key and Consumer Secret.

Take note of the Consumer Key and Consumer Secret as they are required when configuring the Captive Portal on the FortiAuthenticator.

The Consumer Key and Consumer Secret can be accessed at any time on the Twitter developer account, but it may be a good idea to copy them to a secure location.

2. Configuring the social portal RADIUS service on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > User Groups, and create a Social_Users user group.

Users that log into Twitter will be placed in this group once it is added to the Captive Portal General Settings.

 

Go to Authentication > RADIUS Service > Clients, and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enable the Social portal captive portal.

 

Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.

Add the Social_Users user group to the Realms group filter as shown.

Select Save and then OK.

Next go to Authentication > Captive Portal > General and enable Social Portal.

Configure the account expiry time (in the example it is set to 1 hour).

Set Place registered users into a group to Social_Users.

Enable the Twitter login option and add your Twitter Consumer Key and Consumer Secret.

3. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP and pre-shared secret.

Use the Test Connectivity option with valid credentials to test the connection.

Next, go to User & Device > User > User Groups and create a RADIUS user group called social_users.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

4. Configuring the FortiGate WiFi settings

Go to WiFi & Switch Controller > WiFi Network > SSID and select the SSID interface.

Under WiFi Settings, set the Security Mode to Captive Portal.

For the Authentication Portal, select External, and enter the FQDN of the FortiAuthenticator, followed by /social_login/.

For this recipe, it is set to:

https://fortiauthenticator.example.com/social_login/

Set User Groups to the social_users group.

5. Configuring the FortiGate to allow access to Twitter

On the FortiGate, configure firewall addresses to allow users to access the Twitter login page.

The following step can be performed in the GUI, but may take considerably longer than using the CLI. You can also copy and paste the commands below into the CLI console.

Go to System > Dashboard and enter the CLI Console. Enter the following, which creates the firewall addresses and adds them to a firewall address group called Twitter_Auth:

config firewall address
   edit "api.twitter.com"
      set type fqdn
      set fqdn "api.twitter.com"
   next
   edit "abs.twimg.com"
      set type fqdn
      set fqdn "abs.twimg.com"
   next
   edit "abs-0.twimg.com"
      set type fqdn
      set fqdn "abs-0.twimg.com"
   next
end
config firewall addrgrp
   edit "Twitter_Auth"
      set member "api.twitter.com" "abs.twimg.com" "abs-0.twimg.com"
   next
end

Go to Policy & Objects > Policy > IPv4 and create a policy for Twitter authentication traffic.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to Twitter_Auth.

Set Service to ALL and enable NAT. Configure Security Profiles accordingly.

Go to System > Dashboard and enter the CLI Console. Add the following to exempt the Twitter authentication traffic policy from the captive portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

This command allows access to the external Captive Portal.

6. Configuring the FortiGate to allow access to FortiAuthenticator

On the FortiGate, go to Policy & Objects > Objects > Addresses and add the FortiAuthenticator firewall object.

For Subnet/IP Range enter the IP address of the FortiAuthenticator.

Go to Policy & Objects > Policy > IPv4 and create the FortiAuthenticator access policy.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to FortiAuthenticator.

Set Service to ALL and enable NAT.

Add the following to exempt the FortiAuthenticator access policy from the Captive Portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

7. Results

Connect to the WiFi and attempt to browse the Internet. You will be redirected to the Captive Portal splash page.

Select Twitter and you should be redirected to the Twitter login page.

Enter valid Twitter credentials and you will be redirected to the URL initially requested.

You can now browse freely until the social login account expires, as configured on the FortiAuthenticator under Authentication > Captive Portal > General.

To view the authenticated user added on FortiAuthenticator, go to Authentication > User Management > Social Login Users.

You can configure Captive Portal to use other social WiFi logins:


Social WiFi Captive Portal with FortiAuthenticator (Google+)


WiFi authentication using social media provides access control without having to manually create guest accounts.

This recipe involves configuring an API for Google+ accounts, setting up a social portal RADIUS service on the FortiAuthenticator, and configuring the FortiGate for Captive Portal access.
 
This recipe is similar to the Captive portal WiFi access control recipe, but involves external security mode configuration, RADIUS authentication, and does not include FortiAP registration instructions.
 
Note that some minimal CLI usage is required when configuring the FortiGate.
 
The FortiAuthenticator has been given an example fully qualified domain name (FQDN) — fortiauthenticator.example.com.

1. Configuring the Google+ developer account API

Open a browser and log in to your Google account. In the URL field enter the following:

https://console.developers.google.com

Under Select a project, select Create a project.

Enter a Project name, and accept the Terms of Service before continuing.

Go to APIs & auth > Credentials, and select OAuth 2.0 client ID from the Add credentials dropdown.

When prompted, select Configure consent screen. Enter an Email address and Product name. You must now create the client ID.

Set Application type to Web application. Under Authorized JavaScript origins, enter the FortiAuthenticator FQDN.

Under Authorized redirect URIs, enter the following:

https://fortiauthenticator.example.com/social/complete/google-oauth2/

Note that the FortiAuthenticator needs to be able to access the Internet.

Upon creating the client ID, a window will appear with your client ID and client secret.

Take note of the client ID and client secret as they are required when configuring the Captive Portal on the FortiAuthenticator.

The client ID and client secret can be accessed at any time on the Google developer account, but it may be a good idea to copy them to a secure location.

Go to APIs & auth > APIs > Social APIs, and select Google+ API.

Enable the API.

2. Configuring the social portal RADIUS service on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > User Groups, and create a Social_Users user group.

Users that log into Google will be placed in this group once it is added to the Captive Portal General Settings.

 

Go to Authentication > RADIUS Service > Clients, and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enable the Social portal captive portal.

 

Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.

Add the Social_Users user group to the Realms group filter as shown.

Select Save and then OK.

 

Next go to Authentication > Captive Portal > General and enable Social Portal.

Configure the account expiry time (in the example it is set to 1 hour).

Set Place registered users into a group to Social_Users.

Enable the Google login option and add your Google key and Google secret.

 

3. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP and pre-shared secret.

Use the Test Connectivity option with valid credentials to test the connection.

Next, go to User & Device > User > User Groups and create a RADIUS user group called social_users.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

4. Configuring the FortiGate WiFi settings

Go to WiFi & Switch Controller > WiFi Network > SSID and select the SSID interface.

Under WiFi Settings, set the Security Mode to Captive Portal.

For the Authentication Portal, select External, and enter the FQDN of the FortiAuthenticator, followed by /social_login/.

For this recipe, it is set to:

https://fortiauthenticator.example.com/social_login/

Set User Groups to the social_users group.

5. Configuring the FortiGate to allow access to Google

On the FortiGate, configure firewall addresses to allow users to access the Google login page.

The following step can be performed in the GUI, but may take considerably longer than using the CLI. You can also copy and paste the commands below into the CLI console.

Go to System > Dashboard and enter the CLI Console. Enter the following, which creates the firewall addresses and adds them to a firewall address group called Google_Auth:

config firewall address
   edit "www.googleapis.com"
      set type fqdn
      set fqdn "www.googleapis.com"
   next
   edit "accounts.google.com"
      set type fqdn
      set fqdn "accounts.google.com"
   next
   edit "ssl.gstatic.com"
      set type fqdn
      set fqdn "ssl.gstatic.com"
   next
   edit "fonts.gstatic.com"
      set type fqdn
      set fqdn "fonts.gstatic.com"
   next
   edit "www.gstatic.com"
      set type fqdn
      set fqdn "www.gstatic.com"
   next
   edit "Google_13"
      set subnet 216.58.192.0 255.255.224.0
   next
end
config firewall addrgrp
   edit "Google_Auth"
      set member "ssl.gstatic.com" "accounts.google.com" "www.googleapis.com" "fonts.gstatic.com" "www.gstatic.com" "Google_13"
   next
end

Go to Policy & Objects > Policy > IPv4 and create a policy for Google authentication traffic.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to Google_Auth.

Set Service to ALL and enable NAT. Configure Security Profiles accordingly.

Go to System > Dashboard and enter the CLI Console. Add the following to exempt the Google authentication traffic policy from the captive portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

This command allows access to the external Captive Portal.

6. Configuring the FortiGate to allow access to FortiAuthenticator

On the FortiGate, go to Policy & Objects > Objects > Addresses and add the FortiAuthenticator firewall object.

For Subnet/IP Range enter the IP address of the FortiAuthenticator.

Go to Policy & Objects > Policy > IPv4 and create the FortiAuthenticator access policy.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to FortiAuthenticator.

Set Service to ALL and enable NAT.

Add the following to exempt the FortiAuthenticator access policy from the Captive Portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

7. Results

Connect to the WiFi and attempt to browse the Internet. You will be redirected to the Captive Portal splash page.

Select Google and you should be redirected to the Google login page.

Enter valid Google credentials and you will be redirected to the URL initially requested.

You can now browse freely until the social login account expires, as configured on the FortiAuthenticator under Authentication > Captive Portal > General.

To view the authenticated user added on FortiAuthenticator, go to Authentication > User Management > Social Login Users.

You can configure Captive Portal to use other social WiFi logins:


Social WiFi Captive Portal with FortiAuthenticator (LinkedIn)


WiFi authentication using social media provides access control without having to manually create guest accounts.

This recipe involves configuring an API for LinkedIn accounts, setting up a social portal RADIUS service on the FortiAuthenticator, and configuring the FortiGate for Captive Portal access.
 
This recipe is similar to the Captive portal WiFi access control recipe, but involves external security mode configuration, RADIUS authentication, and does not include FortiAP registration instructions.
 
Note that some minimal CLI usage is required when configuring the FortiGate.
 
The FortiAuthenticator has been given an example fully qualified domain name (FQDN) — fortiauthenticator.example.com.

1. Configuring the LinkedIn developer account API

Open a browser and log in to your LinkedIn account.

In the URL field enter the following:

https://developer.linkedin.com/documents/authentication

Select Create Application.

Enter information in the required fields. Unlike the other social applications, LinkedIn requires an Application Logo URL.

Confirm that you have read and agree to the LinkedIn API Terms of Use, and select Submit.

The next screen shows your Client ID and Client secret.

Take note of the Client ID and Client secret as they are required when configuring the Captive Portal on the FortiAuthenticator.

 

Under Authorized Redirect URLs, enter the following:

https://fortiauthenticator.example.com/social/complete/linkedin-oauth2/

Note that the FortiAuthenticator needs to be able to access the Internet.

The client ID and client secret can be accessed at any time on the LinkedIn developer account, but it may be a good idea to copy them to a secure location.

2. Configuring the social portal RADIUS service on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > User Groups, and create a Social_Users user group.

Users that log into LinkedIn will be placed in this group once it is added to the Captive Portal General Settings.

 

Go to Authentication > RADIUS Service > Clients, and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enable the Social portal captive portal.

 

Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.

Add the Social_Users user group to the Realms group filter as shown.

Select Save and then OK.

Next go to Authentication > Captive Portal > General and enable Social Portal.

Configure the account expiry time (in the example it is set to 1 hour).

Set Place registered users into a group to Social_Users.

Enable the LinkedIn login option and add your LinkedIn key and LinkedIn secret.

3. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP and pre-shared secret.

Use the Test Connectivity option with valid credentials to test the connection.

Next, go to User & Device > User > User Groups and create a RADIUS user group called social_users.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

4. Configuring the FortiGate WiFi settings

Go to WiFi & Switch Controller > WiFi Network > SSID and select the SSID interface.

Under WiFi Settings, set the Security Mode to Captive Portal.

For the Authentication Portal, select External, and enter the FQDN of the FortiAuthenticator, followed by /social_login/.

For this recipe, it is set to:

https://fortiauthenticator.example.com/social_login/

Set User Groups to the social_users group.

5. Configuring the FortiGate to allow access to LinkedIn

On the FortiGate, configure firewall addresses to allow users to access the LinkedIn login page.

The following step can be performed in the GUI, but may take considerably longer than using the CLI. You can also copy and paste the commands below into the CLI console.

Go to System > Dashboard and enter the CLI Console. Enter the following, which creates the firewall addresses and adds them to a firewall address group called LinkedIn_Auth:

config firewall address
   edit "www.linkedin.com"
      set type fqdn
      set fqdn "www.linkedin.com"
   next
   edit "api.linkedin.com"
      set type fqdn
      set fqdn "api.linkedin.com"
   next
   edit "static.licdn.com"
      set type fqdn
      set fqdn "static.licdn.com"
   next
   edit "help.linkedin.com"
      set type fqdn
      set fqdn "help.linkedin.com"
   next
   edit "www.fortinet.com"
      set type fqdn
      set fqdn "www.fortinet.com"
   next
end
config firewall addrgrp
   edit "LinkedIn_Auth"
      set member "api.linkedin.com" "www.linkedin.com" "help.linkedin.com" "www.fortinet.com" "static.licdn.com"
   next
end
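The Twitter, Google+ and LinkedIn recipes above each hand you a CLI block to paste into the console, and a mistyped table name or a member list wrapped onto a second line is rejected by the CLI and leaves the address group incomplete. The following Python is an added example, not Fortinet code: it parses the flat config/edit/set/next/end structure those blocks use and cross-checks the address group against the addresses actually defined. The embedded snippet is constructed and deliberately broken.

```python
"""Pre-paste sanity check for FortiOS CLI address and address-group snippets.
Added example, not Fortinet code: a minimal parser for the flat
config / edit / set / next / end structure used in the recipes above, plus
checks for the mistakes that leave a pasted block silently incomplete.
SAMPLE below is constructed and deliberately broken in three places."""
import shlex

# Tables the recipes touch; anything else is most likely a typo.
KNOWN_TABLES = {"firewall address", "firewall addrgrp", "firewall policy"}

def parse_fortios(text):
    """Return ({table: {entry: {key: [values]}}}, [problems]).
    Nested sub-tables (a 'config' inside an 'edit') are out of scope here."""
    tables, problems = {}, []
    table = entry = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            words = shlex.split(line)  # honours the quoted names FortiOS prints
        except ValueError:
            problems.append("line %d: unbalanced quotes" % lineno)
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config" and table is None and args:
            table = " ".join(args)
            tables.setdefault(table, {})
            if table not in KNOWN_TABLES:
                problems.append("line %d: unknown table '%s'" % (lineno, table))
        elif cmd == "edit" and table is not None and entry is None and len(args) == 1:
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set" and entry is not None and args:
            tables[table][entry][args[0]] = args[1:]
        elif cmd == "next" and entry is not None:
            entry = None
        elif cmd == "end" and table is not None and entry is None:
            table = None
        else:
            # A 'set member' list wrapped onto a second line lands here;
            # the real CLI rejects that continuation line the same way.
            problems.append("line %d: unexpected '%s'" % (lineno, line))
    if table is not None:
        problems.append("block '%s' is never closed with 'end'" % table)
    return tables, problems

def check_addresses(tables):
    """Cross-check fqdn objects and addrgrp members against defined addresses."""
    problems = []
    addresses = tables.get("firewall address", {})
    for name, settings in addresses.items():
        if settings.get("type") == ["fqdn"] and not settings.get("fqdn"):
            problems.append("address '%s' is type fqdn but sets no fqdn" % name)
    for group, settings in tables.get("firewall addrgrp", {}).items():
        members = settings.get("member", [])
        if not members:
            problems.append("addrgrp '%s' has no members" % group)
        for member in members:
            if member not in addresses:
                problems.append("addrgrp '%s' references undefined address '%s'" % (group, member))
    return problems

def lint(text):
    """All problems in the order a reader would hit them; empty means safe to paste."""
    tables, problems = parse_fortios(text)
    return problems + check_addresses(tables)

# Constructed sample: 'addgrp' typo, an fqdn object with no fqdn value, and a
# 'set member' list wrapped onto a second line.
SAMPLE = """\
config firewall address
   edit "api.twitter.com"
      set type fqdn
      set fqdn "api.twitter.com"
   next
   edit "abs.twimg.com"
      set type fqdn
   next
end
config firewall addgrp
   edit "Twitter_Auth"
      set member "api.twitter.com" "abs.twimg.com"
      "abs-0.twimg.com"
   next
end
"""

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```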

Go to Policy & Objects > Policy > IPv4 and create a policy for LinkedIn authentication traffic.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to LinkedIn_Auth.

Set Service to ALL and enable NAT. Configure Security Profiles accordingly.

Go to System > Dashboard and enter the CLI Console. Add the following to exempt the LinkedIn authentication traffic policy from the captive portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

This command allows access to the external Captive Portal.

6. Configuring the FortiGate to allow access to FortiAuthenticator

On the FortiGate, go to Policy & Objects > Objects > Addresses and add the FortiAuthenticator firewall object.

For Subnet/IP Range enter the IP address of the FortiAuthenticator.

Go to Policy & Objects > Policy > IPv4 and create the FortiAuthenticator access policy.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to FortiAuthenticator.

Set Service to ALL and enable NAT.

Add the following to exempt the FortiAuthenticator access policy from the Captive Portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

7. Results

Connect to the WiFi and attempt to browse the Internet. You will be redirected to the Captive Portal splash page.

Select LinkedIn and you should be redirected to the LinkedIn login page.

Enter valid LinkedIn credentials and you will be redirected to the URL initially requested.

You can now browse freely until the social login account expires, as configured on the FortiAuthenticator under Authentication > Captive Portal > General.

To view the authenticated user added on FortiAuthenticator, go to Authentication > User Management > Social Login Users.

You can configure Captive Portal to use other social WiFi logins:


SMS two-factor authentication for SSL VPN


In this recipe, you will create an SSL VPN with two-factor authentication consisting of a username/password and an SMS token. The SMS token is generated by FortiAuthenticator using the FortiGuard Messaging Service.

When a user attempts to connect to this SSL VPN, they are prompted to enter their username and password. After successfully entering their credentials, they receive an SMS message on their mobile phone containing a 6-digit number (called the FortiToken Code). They must also enter this number to get access to the internal network and the Internet.
 
Although this recipe uses the FortiGuard Messaging Service, it will also work with any compatible SMS service you configure as an SMS Gateway.

1. Creating an SMS user and user group on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > Local Users and add/modify a user to include SMS Token-based authentication and a Mobile number using the preferred SMS gateway as shown.

The Mobile number must be in the format +[international_number].

Enable Allow RADIUS authentication.

Go to Authentication > User Management > User Groups and add the above user to a new SMS user group (in the example, ‘SMSgroup‘).

2. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.

  

Choose to Enforce two-factor authentication and add the SMS user group to the Realms group filter as shown.

Select Save and then OK.

3. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP address and pre-shared secret.

Use the Test Connectivity button to make sure that the FortiGate can communicate with the FortiAuthenticator.

Next, go to User & Device > User > User Groups and create a RADIUS user group called RADIUSgroup.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

4. Configuring the SSL VPN

Go to VPN > SSL > Settings.

Under Connection Settings, set Listen on Port to 10443 and set IP Ranges to the SSL VPN tunnel address range.

Under Authentication/Portal Mapping, select Create New.

Assign the RADIUSgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

5. Creating the security policy for VPN access to the Internet

Go to Policy & Objects > Policy > IPv4 and create an ssl.root – wan1 policy.

Set Source User(s) to the RADIUSgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

6. Results

In this example, we will use the web portal to access the SSL VPN and test the two-factor authentication. 

Open a browser and navigate to the SSL VPN web portal, in this case https://172.20.121.56:10443.

Enter a valid username and password and select Login. You should be prompted to enter a FortiToken Code.

The FortiToken Code should have been sent to your mobile phone as a text message containing a 6-digit number.

Enter the number into the SSL VPN login portal and select Login.

You should now have access to the SSL VPN tunnel.
To verify that the user has connected to the tunnel, go to VPN > Monitor > SSL-VPN Monitor.



Social WiFi Captive Portal with FortiAuthenticator (Form-based)


WiFi authentication using a forms-based portal provides access control without having to manually create guest accounts.

This recipe involves setting up a social portal RADIUS service on the FortiAuthenticator, and configuring the FortiGate for Captive Portal access, allowing users to log in to the WiFi network using either SMS or e-mail self-registration.

This recipe is similar to the Captive portal WiFi access control recipe, but involves RADIUS authentication, and does not include FortiAP registration instructions.

1. Configuring the social portal RADIUS service on FortiAuthenticator

Go to Authentication > User Management > User Groups, and create a Social_Users user group.

Users that log in through the forms-based authentication method will be placed in this group once it is added to the Captive Portal General Settings. 

Go to Authentication > RADIUS Service > Clients, and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enable the Social portal captive portal.

 

Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.

Add the Social_Users user group to the Realms group filter as shown.

Select Save and then OK.

Next go to Authentication > Captive Portal > General and enable Social Portal.

Configure the account expiry time (in the example it is set to 1 hour).

Set Place registered users into a group to Social_Users.

Enable the SMS self-registration and e-mail self-registration login options. Be sure SMS gateway is set to Use default.

2. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP and pre-shared secret.

Use the Test Connectivity option with valid credentials to test the connection.

Next, go to User & Device > User > User Groups and create a RADIUS user group called social_users.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

3. Configuring the FortiGate WiFi settings

Go to WiFi & Switch Controller > WiFi Network > SSID and select the SSID interface.

Under WiFi Settings, set the Security Mode to Captive Portal.

For the Authentication Portal, select External, and enter the FQDN of the FortiAuthenticator, followed by /social_login/.

For this recipe, it is set to:

https://fortiauthenticator.example.com/social_login/

Set User Groups to the social_users group.

4. Configuring the FortiGate to allow access to FortiAuthenticator

On the FortiGate, go to Policy & Objects > Objects > Addresses and add the FortiAuthenticator firewall object.

For Subnet/IP Range enter the IP address of the FortiAuthenticator.

Go to Policy & Objects > Policy > IPv4 and create the FortiAuthenticator access policy.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to FortiAuthenticator.

Set Service to ALL and enable NAT.

Add the following to exempt the FortiAuthenticator access policy from the Captive Portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

This exempts the policy from captive portal redirection, so that clients who have not yet authenticated can reach the external Captive Portal on the FortiAuthenticator.

5. Results

Connect to the WiFi and attempt to browse the Internet. You will be redirected to the Captive Portal splash page.

Select Form-based and you should be redirected to the Form-based authentication login page.

Select your preferred Verification method, enter valid credentials, and select Submit. You will be redirected to the URL initially requested.

You can now browse freely until the social login account expires, as configured on the FortiAuthenticator under Authentication > Captive Portal > General.

To view the authenticated user added on FortiAuthenticator, go to Authentication > User Management > Social Login Users.

You can configure Captive Portal to use other social WiFi logins:

 


Social WiFi Captive Portal with FortiAuthenticator (Facebook)


WiFi authentication using social media provides access control without having to manually create guest accounts.

This recipe involves configuring an API for Facebook accounts, setting up a social portal RADIUS service on the FortiAuthenticator, and configuring the FortiGate for Captive Portal access.
 
This recipe is similar to the Captive portal WiFi access control recipe, but involves external security mode configuration, RADIUS authentication, and does not include FortiAP registration instructions.
 
Note that some CLI usage is required when configuring the FortiGate.
 
The FortiAuthenticator has been given an example fully qualified domain name (FQDN) — fortiauthenticator.example.com.

1. Configuring the Facebook developer account API

Open a browser and log in to your Facebook account.

In the URL field enter the following:

https://developers.facebook.com/products/login/

Select My Apps and select Register as Developer.

Confirm your Facebook password to continue.

Select that you have read and agree to the Facebook Platform and Facebook Privacy policies, and select Next to continue.

Enter your phone number and select to have your confirmation code sent to you via text (you may also choose to verify via phone call).

Once received, enter the code and select Register to continue. You will now be registered as a Facebook developer.

Next, select the Website platform to add a new app.

Enter a name for the website, and select Create New Facebook App ID.

Select Communication from the dropdown Category menu, and select Create App ID.

Scroll down to the bottom of the page and enter the site’s URL, then select Next. Scroll back up to the top of the page, and select Skip Quick Start.

To confirm the configuration, go to Settings > Basic. From here you can see your App ID, App Secret, Display Name, and Site URL.

Take note of the App ID and App Secret as they are required when configuring the Captive Portal on the FortiAuthenticator.

Make sure to enter a Contact Email as it is required before you can make your application live to the public.

Next you must add the FortiAuthenticator as an OAuth2 client.

Go to Settings > Advanced.

Under Security, enter the Server IP Whitelist.

Note that the server IP whitelist must include the public IP address(es) of the FortiAuthenticator — this is the NAT IP address the FortiAuthenticator uses to reach the Internet.

Next, go to App Review and enable the application — the account needs to be made “live” before WiFi users can successfully authenticate through Facebook.

The App ID and App Secret can be accessed at any time on the Facebook developer account, but it may be a good idea to copy them to a secure location.

2. Configuring the social portal RADIUS service on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > User Groups, and create a Social_Users user group.

Users that log into Facebook will be placed in this group once it is added to the Captive Portal General Settings.

Go to Authentication > RADIUS Service > Clients, and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enable the Social portal captive portal.

Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.

Add the Social_Users user group to the Realms group filter as shown.

Select Save and then OK.

Next go to Authentication > Captive Portal > General and enable Social Portal.

Configure the account expiry time (in the example it is set to 1 hour).

Set Place registered users into a group to Social_Users.

Enable the Facebook login option and add your Facebook key and Facebook secret.

3. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP and pre-shared secret.

Use the Test Connectivity option with valid credentials to test the connection.

Next, go to User & Device > User > User Groups and create a RADIUS user group called social_users.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

4. Configuring the FortiGate WiFi settings

Go to WiFi & Switch Controller > WiFi Network > SSID and select the SSID interface.

Under WiFi Settings, set the Security Mode to Captive Portal.

For the Authentication Portal, select External, and enter the FQDN of the FortiAuthenticator, followed by /social_login/.

For this recipe, it is set to:

https://fortiauthenticator.example.com/social_login/

Set User Groups to the social_users group.

5. Configuring the FortiGate to allow access to Facebook

On the FortiGate, configure firewall addresses to allow users to access the Facebook login page.

The following step can be performed in the GUI, but may take considerably longer than using the CLI. You can also copy and paste the commands below into the CLI console.

Go to System > Dashboard and enter the CLI Console. Enter the following, which creates the firewall addresses and adds them to a firewall address group called Facebook_Auth:

config firewall address
   edit "FB0"
      set subnet 5.178.32.0 255.255.240.0
   next
   edit "FB1"
      set subnet 195.27.154.0 255.255.255.0
   next
   edit "FB2"
      set subnet 80.150.154.0 255.255.255.0
   next
   edit "FB3"
      set subnet 77.67.96.0 255.255.252.0
   next
   edit "FB4"
      set subnet 212.119.27.0 255.255.255.128
   next
   edit "FB5"
      set subnet 2.16.0.0 255.248.0.0
   next
   edit "FB6"
      set subnet 66.171.231.0 255.255.255.0
   next
   edit "FB7"
      set subnet 31.13.24.0 255.255.248.0
   next
   edit "FB8"
      set subnet 31.13.64.0 255.255.192.0
   next
   edit "FB9"
      set subnet 23.67.246.0 255.255.255.0
   next
   edit "akamai-subnet-23.74.8"
      set subnet 23.74.8.0 255.255.255.0
   next
   edit "akamai-subnet-23.74.9"
      set subnet 23.74.9.0 255.255.255.0
   next
   edit "akamaihd.net"
      set type fqdn
      set fqdn "akamaihd.net"
   next
   edit "channel-proxy-06-frc1.facebook.com"
      set type fqdn
      set fqdn "channel-proxy-06-frc1.facebook.com"
   next
   edit "code.jquery.com"
      set type fqdn
      set fqdn "code.jquery.com"
   next
   edit "connect.facebook.com"
      set type fqdn
      set fqdn "connect.facebook.com"
   next
   edit "fbcdn-photos-c-a.akamaihd.net"
      set type fqdn
      set fqdn "fbcdn-photos-c-a.akamaihd.net"
   next
   edit "fbcdn-profile-a.akamaihd.net"
      set type fqdn
      set fqdn "fbcdn-profile-a.akamaihd.net"
   next
   edit "fbexternal-a.akamaihd.net"
      set type fqdn
      set fqdn "fbexternal-a.akamaihd.net"
   next
   edit "fbstatic-a.akamaihd.net"
      set type fqdn
      set fqdn "fbstatic-a.akamaihd.net"
   next
   edit "m.facebook.com"
      set type fqdn
      set fqdn "m.facebook.com"
   next
   edit "ogp.me"
      set type fqdn
      set fqdn "ogp.me"
   next
   edit "s-static.ak.facebook.com"
      set type fqdn
      set fqdn "s-static.ak.facebook.com"
   next
   edit "static.ak.facebook.com"
      set type fqdn
      set fqdn "static.ak.facebook.com"
   next
   edit "static.ak.fbcdn.com"
      set type fqdn
      set fqdn "static.ak.fbcdn.com"
   next
   edit "web_ext_addr_SocialWiFi"
      set type fqdn
      set fqdn "web_ext_addr_SocialWiFi"
   next
   edit "www.facebook.com"
      set type fqdn
      set fqdn "www.facebook.com"
   next
end
config firewall addrgrp
   edit "Facebook_Auth"
      set member "FB0" "FB1" "FB2" "FB3" "FB4" "FB5" "FB6" "FB7" "FB8" "FB9" "akamai-subnet-23.74.8" "akamai-subnet-23.74.9" "akamaihd.net" "channel-proxy-06-frc1.facebook.com" "code.jquery.com" "connect.facebook.com" "fbcdn-photos-c-a.akamaihd.net" "fbcdn-profile-a.akamaihd.net" "fbexternal-a.akamaihd.net" "fbstatic-a.akamaihd.net" "m.facebook.com" "ogp.me" "s-static.ak.facebook.com" "static.ak.facebook.com" "static.ak.fbcdn.com" "web_ext_addr_SocialWiFi" "www.facebook.com" "FortiAuthenticator"
   next
end
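A long hand-typed address list is easy to get wrong, and FortiOS refuses a set member entry that names an object which does not exist. The following Python is an added example for this page, not FortiOS or recipe code: it parses a FortiOS config firewall address / config firewall addrgrp fragment and lists group members that match no defined object. The fragment it runs on is a constructed, shortened copy of the Facebook_Auth group above with one misspelled member, and it also shows the FortiAuthenticator case: the group lists that object, but step 6 only creates it later, so create that address object first when entering the commands in this order.

```python
"""Added example for this page (not FortiOS or recipe code): parse a FortiOS
'config firewall address' / 'config firewall addrgrp' fragment and report
address-group members that name no defined object."""
import shlex

# Constructed, shortened version of the Facebook_Auth group: one member is
# misspelled, and FortiAuthenticator is referenced before it has been created.
SAMPLE_CONFIG = """
config firewall address
   edit "FB0"
      set subnet 5.178.32.0 255.255.240.0
   next
   edit "akamai-subnet-23.74.8"
      set subnet 23.74.8.0 255.255.255.0
   next
   edit "www.facebook.com"
      set type fqdn
      set fqdn "www.facebook.com"
   next
end
config firewall addrgrp
   edit "Facebook_Auth"
      set member "FB0" "akamaisubnet-23.74.8" "www.facebook.com" "FortiAuthenticator"
   next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for a non-nested FortiOS CLI fragment."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)          # handles the quoted names FortiOS prints
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit" and table is not None and len(tok) > 1:
            entry = tok[1]
            tables[table].setdefault(entry, {})
        elif tok[0] == "set" and entry is not None and len(tok) > 1:
            tables[table][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table, entry = None, None
    return tables

def dangling_members(tables):
    """{group: [members matching neither an address object nor another group]}."""
    defined = set(tables.get("firewall address", {})) | set(tables.get("firewall addrgrp", {}))
    problems = {}
    for group, keys in tables.get("firewall addrgrp", {}).items():
        missing = [m for m in keys.get("member", []) if m not in defined]
        if missing:
            problems[group] = missing
    return problems

def fqdn_type_mismatches(tables):
    """Address objects that set an fqdn without the 'set type fqdn' that must precede it."""
    return sorted(name for name, keys in tables.get("firewall address", {}).items()
                  if "fqdn" in keys and keys.get("type") != ["fqdn"])
```

Run it over a show firewall address / show firewall addrgrp dump taken from the FortiGate before pasting a group definition, and fix every name it reports; a dangling member shows up later as Facebook traffic that is still caught by the captive portal.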

Go to Policy & Objects > Policy > IPv4 and create a policy for Facebook authentication traffic.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to Facebook_Auth.

Set Service to ALL and enable NAT. Configure Security Profiles accordingly.

Once created, note the policy’s ID using the ID column.

Go to System > Dashboard and enter the CLI Console. Using the policy’s ID, add the following to exempt the Facebook authentication traffic policy from the captive portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

This exempts the policy from captive portal redirection, so that clients who have not yet authenticated can reach the Facebook login page.

6. Configuring the FortiGate to allow access to FortiAuthenticator

On the FortiGate, go to Policy & Objects > Objects > Addresses and add the FortiAuthenticator firewall object.

For Subnet/IP Range enter the IP address of the FortiAuthenticator.

Go to Policy & Objects > Policy > IPv4 and create the FortiAuthenticator access policy.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to FortiAuthenticator.

Set Service to ALL and enable NAT.

Once created, note the policy’s ID using the ID column.

Using the policy’s ID, add the following to exempt the FortiAuthenticator access policy from the Captive Portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

7. Results

Connect to the WiFi and attempt to browse the Internet. You will be redirected to the Captive Portal splash page.

Select Facebook and you should be redirected to the Facebook login page.

Enter valid Facebook credentials and you will be redirected to the URL initially requested.

You can now browse freely until the social login account expires, as configured on the FortiAuthenticator under Authentication > Captive Portal > General.

To view the authenticated user added on FortiAuthenticator, go to Authentication > User Management > Social Login Users.

You can configure Captive Portal to use other social WiFi logins:

 


802.1X with VLAN Switch interfaces on a FortiGate


This recipe follows on from the general introductory video, Managing FortiSwitch from FortiGate, which uses the FortiLink protocol.

Using 802.1X with VLAN Switch interfaces on the FortiGate secures the network at the switch port by requesting a connecting user to authenticate. In most deployments the user database will be external to the FortiGate.

This example uses FortiAuthenticator for the RADIUS authentication server, however the example is generic enough to be adapted to any authentication server supported by the FortiGate and the EAP protocol. Also this example can be adapted for other products which make use of 802.1X, such as wireless access points.

In this example we will configure EAP-TTLS.

There are three elements to be configured:

  • The supplicant, which identifies the client, in this case a Ubuntu host.
  • The authenticator, which translates EAP to RADIUS messages, and vice-versa. This is the FortiGate switch controller.
  • The authentication server, which processes the RADIUS messages. This is the FortiAuthenticator.

The topology is as shown in the figure.

1. Configuring a CA

In this example we configure EAP-TTLS, which requires, as a minimum, server certificate validation. To do this we use FortiAuthenticator to create a self-signed root CA and a service certificate for the authentication server. The supplicant requires access to the CA certificate in order to validate the server's certificate.

On FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new Local CA. Enter a Certificate ID and Name (CN). Leave all other settings default.

This creates a root CA certificate that is self signed. This certificate must be copied to the supplicant.


Go to Certificate Management > End Entities > Local Services and create a new service. Enter a Certificate ID, Issuer (your local CA), and Name (CN). Leave all other settings default.

This creates a certificate for the authentication server.


2. Configuring RADIUS authentication

The FortiAuthenticator will be the RADIUS server and the FortiGate the RADIUS client.

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new client. Enter the Name, Client name/IP, and shared Secret. For Realms, use the local user realm and set EAP types to use EAP-TTLS.


Go to Authentication > User Management > Local Users and create a local user and password.

This is your user account for 802.1X authentication.

Go to Authentication > RADIUS Service > EAP and select the local CA and local service certificates for the server’s authentication.

On the FortiGate, go to User & Device > RADIUS Servers and create a new server connection. Enter Name, Primary Server IP/Name, and Primary Server Secret.

Go to WiFi & Switch Controller > VLANs

Modify your VLAN and change the admission control authentication method to RADIUS, and select your RADIUS server.

(This example follows on from the local user configuration, given in the video.)


Test the RADIUS configuration from the FortiGate CLI:

# diagnose test authserver radius myRADIUS mschap2 mike@local mypassword
authenticate 'mike@local' against 'mschap2' succeeded, server=primary assigned_rad_session_id=790684157 session_timeout=0 secs idle_timeout=0 secs!

3. Configure the supplicant and test

We will configure the 802.1X supplicant settings on the wired interface of our Ubuntu host. Use the settings in the following screenshot to test your connection.

Edit your wired connection and select 802.1X security. Choose Tunneled TLS (TTLS), your CA certificate, MSCHAPv2 for Inner authentication, and the Username.

4. Results

Check FortiAuthenticator’s log messages and look for 802.1x authentication successful.

Using ifconfig, you should see that you have been allocated an address from the DHCP server.

If this does not work, check again that the RADIUS client works, using the diagnose test authserver command shown above. If that is OK, check your certificates, paying attention to the valid from date and time.

 


Assigning WiFi users to VLANs dynamically


Virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs. Each user’s VLAN assignment is stored in the user database of the RADIUS server that authenticates the users.

This example creates dynamic VLANs for the Techdoc and Marketing departments. The RADIUS server is a FortiAuthenticator.


1. Configure the FortiAuthenticator

Go to Authentication > RADIUS Service > Clients to register the FortiGate as a client.

Enter a Secret (a password) and remember it. It will also be used in the FortiGate configuration.

Go to Authentication > User Management > Local Users and create local user accounts as needed.

For each user, add these RADIUS attributes, which specify the VLAN information to be sent to the FortiGate. Tunnel-Private-Group-Id specifies the VLAN ID.

In this example, jsmith is assigned VLAN 100 and twhite is assigned VLAN 200.

2. Add the RADIUS server to the FortiGate configuration

Go to User & Device > RADIUS Servers. Select Create New.

Enter the FortiAuthenticator IP address and the server secret that you entered on the FortiAuthenticator. Optionally, you can click Test Connectivity. Enter a RADIUS user’s ID and password. The result should be “Successful”.

3. Create an SSID with dynamic VLAN assignment

Go to WiFi Controller > SSID. Create a new SSID.

Set up DHCP service.

Select WPA2 Enterprise security and select your RADIUS server for authentication.

Set the default VLAN ID to 10. This VLAN is used when RADIUS doesn’t assign a VLAN.

Go to the Dashboard and use the CLI Console to enable dynamic VLANs on the SSID:

config wireless-controller vap
  edit example-wifi
    set dynamic-vlan enable
  end
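The VLAN travels in the three RFC 3580 tunnel attributes of the Access-Accept: Tunnel-Type set to VLAN (13), Tunnel-Medium-Type set to IEEE-802 (6), and Tunnel-Private-Group-Id holding the VLAN ID as a string, each prefixed with an RFC 2868 tag byte so the three can be matched up. The following Python is an added example for this page, not FortiAuthenticator or FortiOS code. It builds those attribute values for the two users of this recipe and shows the selection logic an authenticator applies to them, including the fall-back to the default VLAN when the attributes are absent, incomplete or out of range. Function and constant names are the example's own, and it works at attribute level without RADIUS packet framing.

```python
"""Added example, not FortiAuthenticator or FortiOS code: RFC 3580 tunnel
attributes that assign a VLAN in Access-Accept (RFC 2868 tagged encoding),
plus the authenticator's selection logic with default-VLAN fall-back."""
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# The recipe's assignments: jsmith -> VLAN 100, twhite -> VLAN 200.
USER_VLANS = {"jsmith": 100, "twhite": 200}

def vlan_attrs(vlan_id, tag=0):
    """Server side: the three attribute values for one VLAN, sharing one tag byte."""
    def tagged_int(value):
        return bytes([tag]) + value.to_bytes(3, "big")   # tag + 24-bit integer
    return [
        (TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
        (TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802)),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ]

def accept_attrs_for(user):
    """Attributes added to Access-Accept; none when no VLAN is stored for the user."""
    return vlan_attrs(USER_VLANS[user]) if user in USER_VLANS else []

def vlan_from_accept(attrs, default_vlan):
    """Authenticator side: use the lowest-tagged complete, consistent set, else the default."""
    by_tag = {}
    for t, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            by_tag.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868 3.6: a first byte above 0x1F is part of the string, not a tag.
            tag, gid = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            by_tag.setdefault(tag, {})[t] = gid.decode(errors="replace")
    for tag in sorted(by_tag):
        grp = by_tag[tag]
        gid = grp.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and grp.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and gid.isdigit() and 1 <= int(gid) <= 4094):
            return int(gid)
    return default_vlan   # the case the recipe's "default VLAN ID 10" setting covers
```

The fall-back is the security-relevant part: a user whose RADIUS record carries no VLAN, or a malformed one, lands in the SSID's default VLAN, so that VLAN should carry only the access you are willing to give an unclassified user.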

4. Create the VLAN interfaces

Go to Network > Interfaces.

Create the VLAN interface for default VLAN-10 and set up DHCP service.

Create the VLAN interface for marketing-100 and set up DHCP service.

Create the VLAN interface for techdoc-200 and set up DHCP service.

5. Create security policies

Go to Policy & Objects > IPv4 Policy.

Create a policy that allows outbound traffic from marketing-100 to the Internet.

In Logging Options, enable logging for all sessions.

Create a policy that allows outbound traffic from techdoc-200 to the Internet.

For this policy too, in Logging Options enable logging for all sessions.

6. Create the FortiAP Profile

Go to WiFi Controller > FortiAP Profiles.

Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2.


7. Connect and authorize the FortiAP

Go to Network > Interfaces and choose an unused interface.
Set Addressing mode to Dedicated to Extension Device.
Connect the FortiAP unit to this interface and apply power.

Go to WiFi Controller > Managed FortiAPs.
Right-click on the FortiAP unit. Select Authorize.
Right-click on the FortiAP unit again. Select Assign Profile and select the FortiAP profile that you created.

Results

The SSID will appear in the list of available wireless networks on the users’ devices.
Both twhite and jsmith can connect to the SSID with their credentials and access the Internet.
(If a certificate warning message appears, accept the certificate.)

Go to Log & Report > Forward Traffic.

Note that traffic for jsmith and twhite passes through different policies.

(The column selections were customized for clarity.)

The security policies could be made different so that the Marketing and Techdoc departments were allowed different access, but we didn’t think that was fair.

 


WiFi RADIUS authentication with FortiAuthenticator


In this example, you use a RADIUS server to authenticate your WiFi clients.

The RADIUS server is a FortiAuthenticator (v4.00-build0008) that is used to authenticate users who belong to the employees user group.


1. Create the user accounts and user group on the FortiAuthenticator

Go to Authentication > User Management > Local Users and create a user account.

User Role settings are available after you click OK.

Create additional user accounts as needed, one for each employee.

Go to Authentication > User Management > User Groups and create the local user group “employees” on the FortiAuthenticator.

2. Register the FortiGate as a RADIUS client on the FortiAuthenticator

Go to Authentication > RADIUS Service > Clients and create a client account.

Enable all of the EAP types.

3. Configure FortiGate to use the RADIUS server

Go to User & Device > RADIUS Servers and add the FortiAuthenticator as a RADIUS server.

4. Create the SSID and set up authentication

Go to WiFi Controller > SSID and define your wireless network.

Set up DHCP for your clients.

Configure WPA2 Enterprise security that uses the RADIUS server.

5. Connect and authorize the FortiAP

Go to Network > Interfaces and configure a dedicated interface for the FortiAP.
Connect the FortiAP unit. Go to WiFi Controller > Managed FortiAPs.
When the FortiAP is listed, select and authorize it.

Go to WiFi Controller > FortiAP Profiles and edit the profile.

This example used a FortiAP-221C, so the FAP221C-default profile applies.

For each radio:

  • Enable Radio Resource Provision.
  • Select your SSID.

6. Create the security policy

Go to Policy & Objects > IPv4 Policy and add a policy that allows WiFi users to access the Internet.

Results

Connect to the example-staff network and browse Internet sites.

Go to Monitor > Client Monitor to see that clients connect and authenticate.


 


Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator (Expert)


This recipe demonstrates FortiGate user authentication with FSSO agent installed on a Windows Domain Controller, and the use of a FortiAuthenticator as an LDAP server. In this example, user authentication controls Internet access.

1. Configuring an LDAP directory on the FortiAuthenticator

Go to Authentication > User Management > Local Users to create a user list. Make sure to enable Allow LDAP browsing.

Go to Authentication > User Management > User Groups to create a user group and add users to it. The “FortiOS_Writers” user group is used in this example.

Go to Authentication > LDAP Service > Directory tree and configure the LDAP directory tree.

2. Integrating the FortiGate with the FortiAuthenticator

On the FortiGate, go to User & Device > LDAP Servers to configure the LDAP server.

3. Installing FSSO agent on the Windows DC

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.

Select the Advanced access method for Windows Directory.

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent Mode.

When prompted, select Yes to reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password which will be used in step 4.

4. Configuring Single Sign-On on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server. In the Primary Agent IP/Name field, enter the Collector Agent IP Address used in step 3. Likewise, enter the Password required for authentication.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS_Writers” group is used.

5. Adding a user group to the FortiGate

Go to User & Device > User Groups to create new user group. Under Remote groups, add the remote LDAP server created earlier in the FortiAuthenticator (in this example it’s called “FAC_LDAP”).

6. Adding a policy to the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy allowing “FortiOS_Writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.

7. Results

Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.
From the FortiGate, go to Dashboard to look for the CLI Console widget and type this command for more detail about current FSSO logons:

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
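To check the logon table from a script rather than by eye, the following Python (an added example for this page, not FortiOS code) parses the output above into records, compares the declared total with the number of entries parsed, and flags any logon whose MemberOf group is not backed by the AD group DN it is expected to come from. The first two logon lines are the ones shown above; the third logon line, the group-to-DN mapping and all function names are constructed for the example.

```python
"""Added example for this page, not FortiOS code: parse the output of
'diagnose debug authd fsso list' and audit it against the expected
FortiGate-group to AD-group mapping."""
import re

LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)"
    r"\s+Workstation:\s*(?P<workstation>\S+)\s+MemberOf:\s*(?P<member_of>\S+)\s*$"
)
TOTAL_RE = re.compile(r"^Total number of logons listed:\s*(\d+),\s*filtered:\s*(\d+)")

# FortiGate FSSO group -> AD group DN it should be derived from. The FortiOS_Writers
# entry mirrors the recipe; the DN comparison below is case-insensitive.
EXPECTED_DN = {"FortiOS_Writers": "CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL"}

# The first two logon lines are the recipe's; the third is constructed so that
# the audit has something to flag (its AD group does not back FortiOS_Writers).
SAMPLE_OUTPUT = """----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.9  User: KIOSKUSER  Groups: CN=DOMAIN GUESTS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: KIOSK01.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 3, filtered: 0
----end of FSSO logons----
"""

def parse_fsso_list(text):
    """Return (logons, declared_total); each logon is a dict with the five fields."""
    logons, declared = [], None
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            logons.append(m.groupdict())
            continue
        m = TOTAL_RE.match(line)
        if m:
            declared = int(m.group(1))
    return logons, declared

def audit_fsso(text, expected_dn=EXPECTED_DN):
    """Findings as (kind, detail) tuples; an empty list means the table looks consistent."""
    logons, declared = parse_fsso_list(text)
    findings = []
    if declared is not None and declared != len(logons):
        findings.append(("count_mismatch", f"declared {declared}, parsed {len(logons)}"))
    for rec in logons:
        dn = expected_dn.get(rec["member_of"])
        if dn is None:
            findings.append(("unexpected_fortigate_group", rec["user"]))
        elif dn.upper() not in rec["groups"].upper():
            findings.append(("group_mismatch", rec["user"]))
    return findings
```

A count mismatch usually means the output was truncated or the line format differs from the one the regular expression expects, so treat it as a parser problem before treating it as an FSSO problem; a group mismatch is worth a look because the FSSO group is what the policy in step 6 keys on.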

Have users belonging to the “FortiOS_Writers” user group navigate the Internet. An authentication portal is presented to allow only authorized users. Security profiles will be applied accordingly.


Upon successful authentication, from the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Go to Log & Report > Forward Traffic to verify the log. 

Select an entry for details.

 


SSO using a FortiGate, FortiAuthenticator, and DC Polling (Expert)


This recipe demonstrates FortiGate user authentication with a FortiAuthenticator as a Single Sign-On server. In this example, the FortiAuthenticator is configured to collect the user logon by polling the Domain Controller logs. User authentication controls Internet access.

1. Configuring the FortiAuthenticator

Go to Fortinet SSO Methods > SSO > General and configure these general settings.

Go to Fortinet SSO Methods > SSO > Domain Controllers and add the Windows DC to the FortiAuthenticator.

Go to Authentication > Remote Auth. Servers > LDAP to set the Windows AD as an LDAP server. This will be useful to import SSO Filtering Objects from Windows AD to the FortiAuthenticator.

Go to Fortinet SSO Methods > SSO > FortiGate Filtering and create a new FortiGate Filter.

Under Fortinet Single Sign-On (FSSO), enable Forward FSSO information for users from the following subset of users/groups/containers only.

Under SSO Filtering Objects, select Import. In the Remote LDAP Server field, select the LDAP server created in the previous step (WinLDAP in this example) and select Apply.

Next, select groups or containers to be imported, controlled, and monitored by the FortiAuthenticator. In this example, the “FortiOS Writers” user group is selected.

 2. Configuring SSO on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server.

In the Type field, select Fortinet Single-Sign-On Agent and set the Name, the Primary Agent IP/Name, the Password and select Apply & Refresh.

When selecting the Users/Groups field, the SSO user groups initially polled by the FortiAuthenticator from the Domain Controller appear.

In this example, only the “FortiOS Writers” group appears because of the FortiGate Filtering configuration in the previous step.


3. Creating a user group on the FortiGate

Go to User & Device > User Groups and create a new Fortinet Single Sign-On (FSSO) user group. Under Members, select the user group to be monitored. In this example only “FortiOS Writers” appears because of the FortiGate Filtering configured earlier.

4. Adding a policy on the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy allowing “FortiOS_writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.

 5. Results from the FortiAuthenticator

Go to Monitor > SSO > Domains to verify monitored domains. In this example “techdoc.local” is monitored by the FortiAuthenticator.

Have users log on to the domain.

Go to Monitor > SSO > SSO Sessions to verify SSO sessions.

Go to Logging > Log Access > Logs to verify logs.
Select an entry for details.

You can also verify FSSO users in the User Inventory widget under System > Dashboard > Status.

 6. Results from the FortiGate

Upon successful authentication, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Have authenticated users navigate the Internet. Security profiles will be applied accordingly. 

Go to Log & Report > Forward Traffic to verify the log. 

Select an entry for details.

 



FortiToken two-factor authentication with RADIUS on a FortiAuthenticator


In this recipe, you will set up FortiAuthenticator to function as a RADIUS server to allow SSL VPN users to authenticate with a FortiToken-200.

You will configure a user (gthreepwood), FortiToken-200, and the RADIUS client on the FortiAuthenticator, create the SSL VPN tunnel, and configure the FortiGate to use the FortiAuthenticator as a RADIUS server.


1. Adding the FortiToken to FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > FortiToken, and select Create New.

Make sure Token type is set to FortiToken 200, and enter the FortiToken’s serial number into the field provided.

2. Adding the FortiToken user to FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > Local Users, and select Create New.

Enter a Username (gthreepwood), enter and confirm a password, and make sure that Allow RADIUS authentication is enabled.

Select OK to access additional settings.

Enable Token-based authentication, select to deliver the token code by FortiToken, and select the FortiToken added earlier from the FortiToken 200 dropdown menu.

Next, go to Authentication > User Management > User Groups, create a user group (RemoteFortiTokenUsers), and add gthreepwood to the group.

3. Creating the RADIUS Client on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New.

Enter a name (OfficeServer), set Client name/IP to the IP of the FortiGate, and set a Secret. The secret is a pre-shared, secure password that the FortiGate will use to authenticate to the FortiAuthenticator.

Set Authentication method to Enforce two-factor authentication, set Realms to local | Local users, and add RemoteFortiTokenUsers to the Groups filter.

Note the Username input format. This is the format that the user must use to enter their username in the web portal.

4. Connecting the FortiGate to the RADIUS Server

On the FortiGate, go to User & Device > RADIUS Servers, and select Create New.

Enter a Name (OfficeRADIUS), set Primary Server IP/Name to the IP of the FortiAuthenticator, and enter the Secret created before.

Test the connectivity and enter the credentials for gthreepwood. The test should come back with a successful connection.
The FortiGate can now authenticate users against the RADIUS client entry added earlier on the FortiAuthenticator.

On the FortiGate, go to User & Device > User Groups, and select Create New.

Enter a Name (SSLVPNGroup), and under Remote groups, select Create New.

Select OfficeRADIUS under the Remote Server dropdown menu.

5. Configuring the SSL VPN on FortiGate

On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL-VPN Settings.

Under Connection Settings set Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

Under Authentication/Portal Mapping, select Create New.

Assign the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access — this will grant all other users access to the web portal only.

Go to Policy & Objects > IPv4 Policy and create a new SSL-VPN policy.

Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing interface.

Set Source to the SSLVPNGroup user group and set Destination Address to all.

Set Schedule to always, Service to ALL, and enable NAT.

6. Results

From a remote device, open a web browser and navigate to the SSL VPN web portal (https://FortiGate-IP:10443).

Enter gthreepwood's credentials and select Login.

Note that the username has to be entered in the format 'realm\username', as per the client configuration on the FortiAuthenticator (in this example, local\gthreepwood).

The user will then be prompted to enter their FortiToken code.

Once the code is successfully entered, gthreepwood will successfully log into the SSL VPN Portal.

On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user’s connection.
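The exchange behind the connectivity test in step 4 and the login in step 6, as an added Python example that is not the recipe's or Fortinet's own code: the FortiGate sends a RADIUS Access-Request with the realm\username and password, the FortiAuthenticator answers Access-Challenge for the FortiToken code, and the client verifies each reply's authenticator against the shared secret before trusting it. It assumes PAP, that the token code is sent as the password of the second request, and that a caller supplies the send function; the IP and secret values are placeholders.

```python
"""RADIUS (RFC 2865) two-leg exchange modelling FortiGate <-> FortiAuthenticator.
Added example, not Fortinet code. Assumes PAP and a challenge/response token leg."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24

def encode_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    ciphertext block); the first block is masked using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(atype, value):
    """Type-Length-Value attribute; the length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, authenticator, username, password, secret, nas_ip, state=None):
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
    attrs += attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    if state is not None:  # the second leg must echo the server's State unchanged
        attrs += attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server-side packet (models the FortiAuthenticator). Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def verify_response_authenticator(reply, request_authenticator, secret):
    """True only if the reply was computed over our request with our shared secret."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def two_factor_exchange(send, username, password, token_code, secret, nas_ip):
    """Leg 1: 'realm\\user' + password. On Access-Challenge (the FortiToken prompt)
    leg 2 sends the token code with the echoed State. Returns the final reply code;
    raises if a reply's ID or authenticator does not match (wrong secret or forgery)."""
    state, ident, reply = None, 0, None
    for credential in (password, token_code):
        ident, auth = ident + 1, os.urandom(16)
        reply = send(build_access_request(ident, auth, username, credential, secret, nas_ip, state))
        if reply[1] != ident or not verify_response_authenticator(reply, auth, secret):
            raise ValueError("reply failed authentication: wrong secret, forged, or mismatched ID")
        if reply[0] != ACCESS_CHALLENGE:
            break
        state = parse_attributes(reply).get(STATE)
    return reply[0]
```

To run it against a real server, pass a send function that writes the packet to UDP port 1812 of the FortiAuthenticator and returns the datagram it replies with.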

The serial number, located on the back of the FortiToken device, is case sensitive. Note that the token can only be registered to one device.


FortiToken Two-Factor Authentication with FortiAuthenticator RADIUS (Video)


In this video, you will set up FortiAuthenticator to function as a RADIUS server to allow FortiToken two-factor authentication for SSL VPN users. You will create a user, assign a FortiToken 200 to the user, and set up the RADIUS client on the FortiAuthenticator. You will then create the SSL VPN tunnel and configure the RADIUS server on the FortiGate.

The recipe for this video is available here.



FortiAuthenticator as a Certificate Authority


For this recipe, you will configure the FortiAuthenticator as a Certificate Authority (CA). This will allow the FortiAuthenticator to sign certificates that the FortiGate will use to secure administrator GUI access.

This scenario includes creating a certificate request on the FortiGate, installing the CA certificate on the network’s computers, and then importing the request to the FortiAuthenticator. You will sign the request with the FortiAuthenticator’s own CA certificate, then download and import the signed certificate back to the FortiGate.

The process of downloading the certificate to the network’s computers will depend on which web browser you use. Internet Explorer and Chrome use one certificate store, while Firefox uses another. This configuration includes both methods.

1. Creating a new CA on the FortiAuthenticator

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new CA.

Enter a Certificate ID, select Root CA certificate, and configure the key options as shown in the example.

Once created, highlight the certificate and select Export.

This will save a .crt file to your local drive.

2. Installing the CA on the network

The certificate must now be installed on the computers in your network as a trusted root CA. The steps below show different methods of installing the certificate, depending on your browser.

Internet Explorer and Chrome

In Windows Explorer, right-click on the certificate and select Install Certificate. Open the certificate and follow the Certificate Import Wizard.

Make sure to place the certificate in the Trusted Root Certification Authorities store.

Finish the Wizard, and select Yes to confirm and install the certificate.

Firefox

In the web browser, go to Options > Advanced > Certificates and select View Certificates.

In the Authorities tab, select Import.

Find and open the root certificate.

You will be asked what purposes the certificate will be trusted to identify. Select all options, and select OK.

3. Creating a CSR on the FortiGate

On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request (CSR).

Enter a Certificate Name, the Internet-facing IP address of the FortiGate, and a valid email address, then configure the key options as shown in the example.

Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

4. Importing and signing the CSR on the FortiAuthenticator

Back on the FortiAuthenticator, go to Certificate Management > End Entities > Users and import the .csr file (the certificate request) downloaded earlier.

Make sure to select the Certificate authority from the dropdown menu and set the Hash algorithm to SHA-256, as configured earlier.

Once imported, you should see that the certificate has been signed by the FortiAuthenticator, with a Status of Active. Highlight the certificate and select Export Certificate.

This will save a .cer file to your local drive.

5. Importing the local certificate to the FortiGate

Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import dropdown menu.

Browse to the .cer certificate you just created. Select Open and then select OK.

You should now see that the certificate’s Status has changed from Pending to OK. You may have to refresh your page to see the status change.

6. Configuring the certificate for the GUI

Go to System > Admin > Settings.

Under Administration Settings, set HTTPS server certificate to the certificate created/signed earlier, then select Apply.

7. Results

Close and reopen your browser, and go to the FortiGate admin login page. If you click on the lock icon next to the address bar, you should see that the certificate has been signed and verified by the FortiAuthenticator. As a result, no certificate errors will appear.


FortiAuthenticator certificate for SSL inspection


For this recipe, you will create a certificate on the FortiGate, have it signed on the FortiAuthenticator, and configure the FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic.

Note that, for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority (CA), otherwise the certificate created in this recipe will not be trusted. For more information on how to do this, see FortiAuthenticator as a Certificate Authority.

This scenario includes creating a certificate signing request (CSR), signing the certificate on the FortiAuthenticator, and downloading the signed certificate back to the FortiGate. You will then create an SSL/SSH Inspection profile for full SSL inspection, add the certificate created to the profile, and apply the profile to the policy allowing Internet access.

As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This will apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.

1. Creating a CSR on the FortiGate

On the FortiGate, go to System > Certificates and select Generate to create a new CSR.

Enter a Certificate Name (Ramtops), the public IP of the FortiGate (172.20.121.92), and a valid email address.

Make sure to set Key Type to RSA and Key Size to 2048 Bit. This ensures the certificate uses a sufficiently strong key.

Once created, the certificate Ramtops will show a Status of Pending. Highlight Ramtops and select Download.

This will save a .csr file to your local drive.

2. Creating an Intermediate CA on the FortiAuthenticator

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.

Set Type to CSR to sign, enter a Certificate ID, and import the Ramtops.csr file. Make sure to select the Certificate authority from the dropdown menu and set the Hash algorithm to SHA-256.

Once imported, you should see that Ramtops has been signed by the FortiAuthenticator, showing a Status of Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export.

This will save a .crt file to your local drive.

3. Importing the signed certificate on the FortiGate

Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import dropdown menu.

Browse to the Ramtops.crt file and select OK.


You should now see that Ramtops has a Status of OK.

4. Configuring Application Control

Go to Security Profiles > Application Control and edit the default profile.

Under Options, enable Deep Inspection of Cloud Applications.

5. Configuring full SSL inspection

Go to Policy & Objects > Policy > SSL/SSH Inspection and create a new profile.

Enter a Name, select Ramtops from the CA Certificate dropdown menu, and make sure Inspection Method is set to Full SSL Inspection.

Next go to Policy & Objects > Policy > IPv4 and edit the policy that allows Internet access.

Under Security Profiles, enable SSL/SSH Inspection and select the ramtops profile created earlier.

Enable Application Control and set it to default.

6. Results

To test the certificate, open your web browser and attempt to navigate to an HTTPS website (in the example, https://www.dropbox.com).

If you click on the lock icon next to the address bar, you should now see that the certificate presented for the site was signed by the FortiGate (172.20.121.92), which is what full SSL inspection does with the site’s certificate. As a result, no certificate errors will appear.


Installing FortiAuthenticator VM in vSphere


In this recipe, you will install and register FortiAuthenticator VM in a VMware ESXi environment and configure basic network settings in the vSphere console tab.

This recipe assumes that you have already configured the VMware ESXi environment, installed the vSphere client, and acquired a FortiAuthenticator VM registration code, redeemable for a license file.

1. Downloading the FortiAuthenticator VM

Log in to the Fortinet Customer Service & Support portal and go to Download > Firmware Images.
Select FortiAuthenticator from the drop-down provided, and select the Download tab. A directory of Image Folders/Files will open.
Browse to the desired version that you would like to download (in the example, 4.0.0), and download the .ovf.zip file.
Browse to the file on your management computer and extract the files to a new folder (the example shows the contents of the deployment package).

2. Deploying package to VMware

Launch the VMware vSphere client and log in with valid credentials.

Go to File > Deploy OVF Template to launch the OVF Template wizard.

Browse to the deployment package’s OVF files. Note that two of the OVF files end with the extensions .hw04.ovf and .hw07.ovf (.hw04.ovf is for VMware ESXi v3.5 servers).

Select the most appropriate OVF format of the two, based on your hardware and server settings.

Continue through the wizard: confirm the OVF template details, accept the End User License Agreement, and enter a name for the OVF template.

You have the choice of selecting one of three available disk formats. The best choice depends on your virtualization environment:


Thick Provision Lazy Zeroed: Allocates the disk space statically; no other volumes can take the space.

Thick Provision Eager Zeroed: Allocates the disk space statically, and writes zeros to all the blocks.

Thin Provision: Allocates the disk space only when a write occurs to a block, but the total volume size is reported by VMware’s Virtual Machine File System (VMFS) to the OS. Other volumes can take the remaining space. This allows you to float space between your servers.

The best method is to deploy Thick Provisioned Format because the disk space is allocated at the time of the installation. Thin Provisioning has the benefit of using less disk space initially; however, performance is lower, and issues can occur if the disk becomes filled with other VM instances.

Network 1 maps to port1 of the FortiAuthenticator VM. Make sure to set the destination network for this entry so you will have access to the device console, then select Next.

Review the deployment settings.

Select Power on after deployment (or leave it deselected if you wish to configure the VM hardware settings prior to powering it on) and select Finish.

The deployment is successfully complete.

3. Configuring basic network settings

In the VMware vSphere client, open the Inventory and expand the host icon to display your virtual machines. Select the FortiAuthenticator-VM.

In the Getting Started tab, make sure that the VM is powered on—if you see an option to Power Off the virtual machine under Basic Tasks, then the VM is powered on.

Open the Console tab and log into the FortiAuthenticator VM. Log in with the default administrator account: admin and no password.

Set the port1 IP address (set port1-ip) and the default gateway (set default-gw).

Open a browser, go to https://172.20.121.138/login/, and log into the FortiAuthenticator VM as administrator.

The FortiAuthenticator VM operates in evaluation mode until it is licensed. Evaluation mode only permits five users to be configured to the system.

The FortiAuthenticator VM must be registered with Fortinet Customer Service & Support, which will in turn provide you with the license file. This file will then be uploaded to the FortiAuthenticator VM.

Meanwhile, the FortiAuthenticator VM shows a default Serial Number of FAC-VM0000000000.

4. Registering FortiAuthenticator VM with Customer Service

Open a browser, go to the Fortinet Customer Service & Support portal, and log in with valid credentials.

Go to Asset > Register/Renew. This will take you to the Registration Wizard.

When the Wizard is complete, select License File Download.

A .lic file will be saved to your management computer.

5. Uploading the FortiAuthenticator VM license file

In the FortiAuthenticator VM, go to System > Administration > Licensing and select Choose File.

You are warned that the system will require a reboot in order to install the license. Select OK to continue.

6. Backing up the VM with Snapshot

At this point, it is strongly recommended that you use the VMware Snapshot utility to back up the VM instance. In the event of an issue with a future firmware upgrade, or a configuration issue, you can use the Snapshot Manager to revert to a previous Snapshot.

To create a Snapshot, right-click the VM instance in the vSphere Client and select Snapshot > Take Snapshot.

7. Results

In the FortiAuthenticator GUI, confirm that the Serial Number in the System Information widget has changed.

The FortiAuthenticator VM is now ready for further configuration.

Click here for a full list of FortiAuthenticator recipes that can be applied to FortiAuthenticator appliances and VMs.

