Today, a customer asked me about selectively assigning FortiTokens to AD users using FortiAuthenticator. In this use case, I am going to use an AD group
Token-Users to auto-assign FortiTokens to and another group,
Non-Tokens which will be used to authenticate users to FortiGate remote access VPN without tokens; only AD credentials. We are going to be using Electronic FortiTokens.
Assumptions: You have a licensed implementation of FortiAuthenticator.
Before you can add the FortiTokens, you will of course need to purchase the electronic tokens.
Once you receive the PDF you will notice the
Activation Code in the PDF file.
On the FortiAuthenticator (FAC), you will need to go to:
- User Management
- Create New
Since we are using electronic tokens, you will need to:
- Enter the
Once you activate them, you will see the tokens populated
Configuring Active Directory
To connect your FAC to AD, go to
Remote Auth Server and finally,
Create a new entry by choosing
You will need to fill out the
Name, Primary Server name/IP, Port,Username, Password . Once the credentials are in place, you can choose the search icon and choose the Base DN.
Windows Active Directory Domain Authentication choose
Enable. Enter the
Kerberos realm name . It is in All CAPS.
We need to create a group on the FAC to place the users we sync from Active Directory.
Here we can see the
Corp_Group and the
Remote LDAP. We need to create a
Creating a Realm on FAC
realm on FAC is different than the
SSL-VPN Realms on the FortiGate.
Authentication, User Management, Realms you need to create a
Realm. Under the
User source choose the LDAP server you created above.
Active Directory Users / Groups
Here we see the test users and groups created on the Domain Controller.
Here we can see the
Non-Token user group with two members.
And here we have the
Token-Group which has two member as well.
Now here is where we can get the tokens assigned to the users based on user group. And have another
Remote User Sync Rules where no tokens are assigned. Lets first get the LDIF location for the groups. The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for representing LDAP (Lightweight Directory Access Protocol) directory content and update requests. LDIF conveys directory content as a set of records, one record for each object (or entry).
By looking at the
Attribute Editor of the group, you can double click on the
distinguishedName and you can easily copy it to the clipboard.
In my case:
What we are doing here is that we are creating a
Filter to match a particular AD group. Once the user group is matched, we can choose what to do with the users.
The filter built using some of the information received from then
Here is a link to the Fortinet Docs regarding how to format these filters.
We can see that we can do a
Test Filter . As you can see, the results shows
token user1 and
token user2 .
Here we are showing the disposition of the matching of the sync rule. For the
Token-Users we could auto assign the available token,
Create another sync group to the other group that will NOT get tokens. This would simply do nothing regarding tokens.
However, we WILL assign these users to the group we created above.
We will now configure the RADIUS client (FortiGate) on the FAC
Here we see the IP address of the FortiGate. The most important thing here is to have the Realm you created above, The AD authentication and the Group and the Secret Key.
Configuring RADIUS Server on FortiGate
Now we will go to
User & Device then
RADIUS Servers (On FortiOS 6.4, it is
User & Authentication) then
Here you can see the simple config. We see a name, IP address and secret key.
FortiGate User Group
We can create a new user group choosing
Remote Group and choosing the
RADIUS server we created above.
Here are the particulars of the
Remote Group where we entered the
You can see the
RADIUS-FAC-TOK above and below we can see the specifics about the configuration.
Finally we have the Firewall Policy for the VPN referencing the RADIUS group.