DIGIPASS Authentication for FortiGate IPSec VPN
INTEGRATION GUIDE
1 DIGIPASS Authentication for FortiGate IPSec VPN
DIGIPASS Authentication for FortiGate IPSec VPN
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no
responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any
use of the information contained in this document.
Copyright
Copyright 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All
rights reserved. VASCO, Vacman, IDENTIKEY, aXsGUARD, DIGIPASS and logo
are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data
Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc.
and/or VASCO Data Security International GmbH own or are licensed under all title, rights and
interest in VASCO Products, updates and upgrades thereof, including copyrights, patent
rights, trade secret rights, mask work rights, database rights and all other intellectual and
industrial property rights in the U.S. and other countries. Microsoft and Windows are
trademarks or registered trademarks of Microsoft Corporation. Other names may be
trademarks of their respective owners.
Table of Contents
Disclaimer ...................................................................................................................... 1
Table of Contents ........................................................................................................... 2
Reference guide ............................................................................................................. 3
1 Reader ...................................................................................................................... 4
2 Overview................................................................................................................... 4
3 Problem Description ................................................................................................. 4
4 Solution .................................................................................................................... 4
5 Technical Concept ..................................................................................................... 5
5.1 General overview .................................................................................................. 5
5.2 FortiGate prerequisites ........................................................................................... 5
5.3 IDENTIKEY SERVER Prerequisites ............................................................................ 5
6 FortiGate configuration ............................................................................................. 6
6.1 RADIUS configuration ............................................................................................ 7
6.2 Group configuration ............................................................................................... 8
6.3 IPSec configuration ............................................................................................... 9
6.4 Firewall configuration ........................................................................................... 11
7 FortiClient configuration ......................................................................................... 12
8 IDENTIKEY Server .................................................................................................. 16
8.1 Policy configuration ............................................................................................. 16
8.2 Client configuration ............................................................................................. 19
9 Test FortiGate VPN Client ........................................................................................ 21
10 About VASCO Data Security .................................................................................. 23
1 Reader
This document is a guideline for configuring the partner product with IDENTIKEY SERVER or
Axsguard IDENTIFIER. For details about the setup and configuration of IDENTIKEY SERVER and
Axsguard IDENTIFIER, refer to the installation and administration manuals of these products.
Axsguard IDENTIFIER is the appliance-based solution, running IDENTIKEY SERVER by default.
Within this document, VASCO Data Security provides the reader with guidelines for configuring the
partner product in this specific setup in combination with the VASCO server and DIGIPASS.
Any change to the concept might require a change in the configuration of the VASCO server
products.
The product name IDENTIKEY SERVER will be used throughout the document, keeping in mind
that this document applies equally to the Axsguard IDENTIFIER.
2 Overview
The purpose of this document is to demonstrate how to configure IDENTIKEY SERVER to work
with a FortiGate device. Authentication is handled in one central place, where it can be used for a
regular IPSec VPN or an SSL VPN connection.
3 Problem Description
The FortiGate authenticates users against an existing back end (LDAP, RADIUS or local user
accounts). To use IDENTIKEY SERVER with the FortiGate, the external authentication settings
need to be added or changed manually.
4 Solution
After configuring IDENTIKEY SERVER and the FortiGate correctly, you eliminate the weakest
link in any security infrastructure: the use of static passwords, which are easily stolen, guessed,
reused or shared.
In this integration guide we use a FortiGate 60B. This device combines a firewall, IPSec, PPTP
and SSL VPN, and a UTM suite in one. For authentication we focus on the IPSec VPN part.
Figure 1: Solution
5 Technical Concept
5.1 General overview
The main task of the FortiGate here is to authenticate users in order to secure all kinds of VPN
connections and web traffic. Since the FortiGate can authenticate against an external service
using the RADIUS protocol, we place IDENTIKEY SERVER as the back-end service, so that each
login is validated by IDENTIKEY SERVER against a DIGIPASS one-time password instead of a
static password.
5.2 FortiGate prerequisites
Please make sure you have a working setup of the FortiGate. It is very important that this works
correctly before you start implementing the authentication against IDENTIKEY SERVER.
All FortiGate models share the same web-based manager and CLI, so this integration guide
applies to the complete product range of FortiGate devices. Menu labels may differ slightly
between firmware versions; the screens shown here were taken on the FortiGate 60B used for
this guide.
5.3 IDENTIKEY SERVER Prerequisites
In this guide we assume you already have IDENTIKEY SERVER installed and working. If this is not
the case, get IDENTIKEY SERVER working before configuring this integration.
6 FortiGate configuration
The FortiGate device is configured through the web-based manager or the CLI; a CLI console is
also available inside the web-based manager.
By default the web-based manager is reachable over HTTPS at the IP address of an interface on
which HTTPS administrative access is enabled.
In our case this becomes: https://192.168.0.3
Figure 2: FortiGate configuration
6.1 RADIUS configuration
Go to User > Remote. Select the RADIUS tab and click the Create New button.
Fill in the IDENTIKEY SERVER details: IP address and shared secret. Set the authentication
scheme to PAP. Also don't forget to fill in a NAS IP: this is the IP address of the firewall
interface that sends the RADIUS requests to the IDENTIKEY SERVER. Click OK to save the
settings.
Note that with PAP the one-time password travels in the RADIUS User-Password attribute,
protected only by an MD5 mask derived from the shared secret and the request authenticator.
Use a long, random shared secret and keep the RADIUS traffic between the FortiGate and
IDENTIKEY SERVER on a trusted network segment; never send it unprotected across the Internet.
Figure 3: Group configuration (1)
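To make the PAP setting concrete, here is an added example (not VASCO or Fortinet code) that builds the RFC 2865 Access-Request a NAS such as the FortiGate sends, shows how the RADIUS server recovers the one-time password from the User-Password attribute, and includes an offline secret-guessing check that demonstrates why the shared secret and the network path matter. The shared secret, NAS address, user name and OTP are constructed test values; the fixed request authenticator is used only so the run is reproducible.

```python
"""RADIUS PAP on the wire between a NAS (FortiGate) and a RADIUS server
(IDENTIKEY SERVER), per RFC 2865. Added example with constructed test data;
not VASCO or Fortinet code."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _pap_transform(secret, authenticator, data, hide):
    """RFC 2865 section 5.2: block i is XORed with MD5(secret || c[i-1]), where
    c[-1] is the 16-byte Request Authenticator and c[i] is the wire (hidden) block."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hide else data[i:i + 16]  # chain on the hidden block either way
    return bytes(out)


def hide_password(secret, authenticator, password):
    """Client side (the NAS): NUL-pad to a multiple of 16 bytes, then mask."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    return _pap_transform(secret, authenticator, password + b"\x00" * (-len(password) % 16), True)


def reveal_password(secret, authenticator, hidden):
    """Server side: regenerate the same mask stream and strip the padding.
    A wrong secret simply yields garbage; PAP gives the password no integrity check."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    return _pap_transform(secret, authenticator, hidden, False).rstrip(b"\x00")


def _attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, otp, nas_ip, authenticator=None):
    """Access-Request as the NAS builds it. The Request Authenticator must be
    fresh random bytes per request; passing a fixed one is for reproducible tests only."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    if len(auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, auth, otp.encode()))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def parse_packet(data):
    """Check the header and walk the TLV attribute list; repeated attribute
    types are not expected in this exchange, so a dict is enough."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or not 20 <= length <= 4096:
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": data[4:20], "attrs": attrs}


def server_recover_credentials(secret, packet):
    """What the RADIUS server does before the OTP is handed to DIGIPASS
    verification: returns (user name, plaintext one-time password)."""
    p = parse_packet(packet)
    if p["code"] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user = p["attrs"][ATTR_USER_NAME].decode("utf-8")
    otp = reveal_password(secret, p["authenticator"], p["attrs"][ATTR_USER_PASSWORD])
    return user, otp.decode("latin-1")


def guess_shared_secret(packet, candidates):
    """Offline check on a captured PAP request: a DIGIPASS OTP is a short string
    of digits, so a candidate secret that decodes User-Password to pure digits is
    almost certainly the real one. Hence: long random secret, trusted RADIUS path."""
    p = parse_packet(packet)
    hidden = p["attrs"][ATTR_USER_PASSWORD]
    for cand in candidates:
        if reveal_password(cand, p["authenticator"], hidden).isdigit():
            return cand
    return None


if __name__ == "__main__":
    SECRET = b"Lq7!v2Zp#9wR0xT3bNk5"   # constructed demo value
    pkt = build_access_request(SECRET, 7, "jdoe", "482913", "192.168.0.3", bytes(range(16)))
    print(server_recover_credentials(SECRET, pkt))
    print(guess_shared_secret(pkt, [b"password", b"fortinet", SECRET]))
```

Run as a script it prints the recovered `('jdoe', '482913')` pair and then the recovered secret. The second call is the point of the exercise: anyone who can capture the UDP exchange between the FortiGate and IDENTIKEY SERVER needs only a guessable shared secret to read every OTP in transit, and a read OTP is replayable within its validity window.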
6.2 Group configuration
Now go to User > User Group and click the Create New button.
Fill in an appropriate name and choose Firewall as the type. Leave the protection profile at its
default (unfiltered). Select the RADIUS server we created in section 6.1 on the left side of the
screen and click the button to add it to the members of this group. Click OK to continue.
Figure 4: Group configuration (2)
You will now see the group appearing in the list.
Figure 5: Group configuration (3)
6.3 IPSec configuration
Go to VPN > IPSEC, select the Auto Key (IKE) tab and click the Create Phase1 button.
Give this phase an appropriate name and select Preshared Key as Authenticatio