Fortigate SSL VPN 4 With PINsafe Installation Notes




Table of Contents

Fortigate SSL VPN 4 With PINsafe Installation Notes ... 1
1. Introduction ... 2
2. Overview ... 2
2.1. Prerequisites ... 2
2.2. Baseline ... 2
2.3. Architecture ... 2
3. Installation ... 2
3.1. Configuring the PINsafe server ... 2
3.2. Configuring the Fortigate SSL VPN ... 3
3.3. Integrating PINsafe into login screens ... 5
3.4. Modifying the SSL login screen to integrate with the PINsafe Server ... 5
3.5. Example SSL VPN login pages ... 8
    Display Turing request button and Turing image ... 8
3.6. Turing Display Script ... 9
3.7. On Demand Request for one time Security String ... 11
3.8. On demand script ... 12
4. Verifying the Installation ... 13
5. Troubleshooting ... 13
6. Known Issues and Limitations ... 13
7. Additional Information ... 14

Fortigate SSL VPN 4 With PINsafe Installation Notes Page 1 of 14

1. Introduction

PINsafe from Swivel Secure is an enhanced authentication system that supports both single and dual factor authentication. The essence of PINsafe is an ever changing one time password generated from a PIN known to the end user and a randomly generated string. The one time code is calculated by taking the letters or numbers of the random string at the positions given by the digits of the user's PIN. For example, if the user's PIN is 2468 and the random string is 0987654321, then the one time code is the 2nd, 4th, 6th and 8th characters of the random string (9753 in this example).

The PINsafe system can be integrated into the Fortigate login screens to display the random string as a Turing image. Whilst this does not achieve dual factor authentication, it helps to alleviate the problem of keyloggers capturing passwords, because the code entered is unique every time.

The PINsafe system also has a dual channel option. In this mode the random string is sent to the user by a different channel, such as a request from a different web page, an SMS message or an email. The system can be set up to send a new random string after every login attempt, whether successful or not, or the user may request a random string on demand, which then has a validity period of 2 minutes.

The Swivel Secure PINsafe server acts as a RADIUS server to the Fortigate and provides authentication and accounting.

This document discusses the integration requirements; it does not go into detail regarding how to set up either PINsafe or the Fortigate SSL VPN, as this information is available in other documents.

2. Overview

2.1. Prerequisites
PINsafe 3.x
PINsafe admin guide
Fortigate SSL VPN 4
FortiGate SSL VPN User Guide

2.2. Baseline
The integration was tested with a Fortinet Fortigate SSL VPN version 4.0 and PINsafe 3.3.
Note: Version 4 was tested in August 2009 and has a changed style sheet location (<link href="/sslvpn/css/login.css" rel="stylesheet" type="text/css">).

2.3. Architecture
The PINsafe server is usually situated in the DMZ and connects to various data sources. The Fortigate SSL VPN connects to the PINsafe server for authentication by RADIUS.

3. Installation

3.1. Configuring the PINsafe server
Configure PINsafe as a RADIUS server: from the RADIUS/Server menu, enter the RADIUS server details and then select Enable RADIUS server. From the RADIUS/NAS menu, enter a name for the Fortigate device, its IP address and a shared secret key.

If using Single Channel, select Server/Single Channel and set "Session request by user name" to YES.

3.2. Configuring the Fortigate SSL VPN
Set the PINsafe server as a RADIUS server. Select User=>Remote in the left hand navigation pane, then select the RADIUS tab. Press Create New to bring up the new RADIUS server form, then:
- Enter a name for the RADIUS server
- Enter the RADIUS server primary IP address
- Enter the shared secret chosen between the Fortigate and the PINsafe server
- Enter the IP address of the interface that will be used to send information to the PINsafe server
- Check the Include in every User Group check box


Add the RADIUS server to the SSL VPN group. Under User=>User Group select an existing, or create a new, SSL VPN user group. Add the newly created RADIUS server to the Member list by selecting it from the left hand panel and pressing the right facing arrow.

3.3. Integrating PINsafe into login screens
If you are using standard dual channel authentication, no further action is required on the Fortigate. The PINsafe server will send the security strings and PIN information to the user on first setup of the account and after every subsequent login attempt.

The following sections discuss how to modify the Fortigate authentication screens to integrate with the PINsafe Turing image and on demand features. For this example we discuss only the SSL VPN login screen, but the same approach can be applied to any of the Fortigate's web authentication methods.

3.4. Modifying the SSL login screen to integrate with the PINsafe Server
In this scenario we add some simple client side JavaScript to the default SSL login page, to allow the user to request the security string directly from the PINsafe server.

From System=>Config in the left hand navigation panel, select the Replacement Messages tab. Open the SSL VPN section by pressing the blue arrow to the left of it. Press the edit icon to the right of the SSL VPN login message. You can add directly to the default page, or simply copy and paste a complete new login page from an HTML/text editor. The example below shows a modified login page already applied.


3.5. Example SSL VPN login pages

Display Turing request button and Turing image
In this page a script is included that displays a button called Turing. The user enters his username and then presses the button, and the random string is displayed as a Turing image within the logon box. With the image displayed, the user enters the one time code according to his PIN and logs in as usual. The login request is sent to the PINsafe RADIUS server for authentication.

NB: PINsafe also allows the one time code to be appended to a static password for increased security.

3.6. Turing Display Script

In the original document the additions to the default page are shown in bold; they are the PINsafe configuration script and ShowTuring function in the page head, and the two table cells holding the Turing button and the Turing image.

<html><head><title>Login</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
<link href="/sslvpn/css/login.css" rel="stylesheet" type="text/css">
<script language="javascript"><!--
if (top && top.location != window.location) top.location = top.location;
if (window.opener && window.opener.top) { window.opener.top.location = window.opener.top.location; self.close(); }
//--></script>
<script>
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
//
// Configuration section...
// URL of the Turing image (scimage) page on the PINsafe server...
// var sUrl = "http://pinsafe.server.com:8080/pinsafe/scimage?username=";
var sUrl = "https://pinsafe.server.com:8443/proxy/scimage?username=";
// Names of the username and password textboxes in the page that's calling this script...
// (On Fortinet these are username and credential)
var sNameOfUsernameText = "username";
var sNameOfPasswordText = "credential";
// End configuration section...
//
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function ShowTuring() {
  var sUser = document.getElementsByName(sNameOfUsernameText)[0].value;
  if (sUser == "") {
    alert("Please enter your username first!");
    document.getElementsByName(sNameOfUsernameText)[0].focus();
  } else {
    // Find the image using a Mozilla compatible approach...
    var img = document.getElementById("imgTuring");
    // Set the image SRC (the Random parameter prevents the browser caching an old image) and make it visible
    img.src = sUrl + sUser + "&Random=" + Math.random();
    img.style.visibility = "visible";
    // Set focus to the OTC input
    document.getElementsByName(sNameOfPasswordText)[0].focus();
  }
}
</script>
</head>
<body class="main">
<center><table width="100%" height="100%" align="center" class="container" valign="middle" cellpadding="0" cellspacing="0">
<tr valign=middle>
<td>
<form action="%%SSL_ACT%%" method="%%SSL_METHOD%%" name="f">
<table class="list" cellpadding=10 cellspacing=0 align=center width=400 height=180>
%%SSL_LOGIN%%
<td>
<input type="button" name="btnTuring" value="Turing" onclick="ShowTuring()" class="submitbutton" style="width:75">
</td>
<td>
<img id="imgTuring" name="imgTuring" style="visibility:hidden">
</td>
</table>
%%SSL_HIDDEN%%
</form>
</td>
</tr>
</table>
</center>
</body>
<script>document.forms[0].username.focus();</script>
</html>
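As an added example (not part of the original document or Swivel's code), two plain JavaScript helpers that run outside a browser: computeOtc applies the PIN-position rule from the introduction to a security string (assuming, for this example only, that a PIN digit of 0 selects the tenth character, which the page does not state), and buildTuringUrl builds the scimage request the way ShowTuring above does but URL-encodes the username, which the page's script concatenates raw. The host pinsafe.server.com is the page's own placeholder; the username j.smith@example.com is constructed.

```javascript
// Added example, not from the PINsafe/Fortigate document.

// Derive the one-time code (OTC) from a PIN and a 10-character PINsafe
// security string: each PIN digit selects the character at that 1-based
// position. Assumption for this example: digit 0 selects the 10th character.
function computeOtc(pin, securityString) {
  if (!/^\d+$/.test(pin)) {
    throw new Error("PIN must consist of digits only");
  }
  if (securityString.length !== 10) {
    throw new Error("security string must be exactly 10 characters");
  }
  let otc = "";
  for (const digit of pin) {
    const position = digit === "0" ? 10 : Number(digit);
    otc += securityString[position - 1];
  }
  return otc;
}

// Build the Turing image (scimage) URL as the 3.6 script does, keeping the
// cache-busting Random parameter, but with the username URL-encoded so that
// characters such as "@" or "&" cannot alter the query string.
function buildTuringUrl(sUrl, username, random) {
  if (username === "") {
    throw new Error("Please enter your username first!");
  }
  const r = random === undefined ? Math.random() : random;
  return sUrl + encodeURIComponent(username) + "&Random=" + r;
}

// Worked example from the introduction: PIN 2468 against random string
// 0987654321 gives 9753.
const SAMPLE_PIN = "2468";
const SAMPLE_STRING = "0987654321";
const SAMPLE_OTC = computeOtc(SAMPLE_PIN, SAMPLE_STRING); // "9753"

// Constructed sample request using the page's placeholder host and a fixed
// Random value so the result is reproducible.
const SAMPLE_URL = buildTuringUrl(
  "https://pinsafe.server.com:8443/proxy/scimage?username=",
  "j.smith@example.com",
  0.5
);
```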

3.7. On Demand Request for one time Security String
The on demand script causes the PINsafe server to send the one time security string to the user via the chosen transport (SMTP, SMS etc.). The script is almost identical to the Turing display script, with just the button name and the requested URL changed (in the original document the changes are highlighted in red). In this configuration the server simply displays "confirmed" to tell the user that the one time security string has been sent via his/her preferred method. The user then has two minutes (the default) to log in before this one time security string expires.

NB: If this on demand mode is chosen, the automatic sending of one time security strings after failed or successful logins is disabled.

3.8. On demand script

<html><head><title>Login</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
<link href="/sslvpn/css/login.css" rel="stylesheet" type="text/css">
<script language="javascript"><!--
if (top && top.location != window.location) top.location = top.location;
if (window.opener && window.opener.top) { window.opener.top.location = window.opener.top.location; self.close(); }
//--></script>
</head>
<body class="main">
<center><table width="100%" height="100%" align="center" class="container" valign="middle" cellpadding="0" cellspacing="0">
<tr valign=middle>
<td>
<form action="%%SSL_ACT%%" method="%%SSL_METHOD%%" name="f">
<table class="list" cellpadding=10 cellspacing=0 align=center width=400 height=180>
%%SSL_LOGIN%%
<td>
<script>
// Print the Send Key button
document.write("<input type=button name=btnTuring value='Send Key' onclick=ShowTuring() class='submitbutton' style=';width:75;'>");
</script>
</td>
<td>
<script>
// Show the confirmation image
document.write("<img id=imgTuring name=imgTuring style='visibility:hidden;'>");
</script>
</td>
</table>
%%SSL_HIDDEN%%
</form>
</td>
</tr>
</table>
</center>
</body>
<script>document.forms[0].username.focus();</script>
<script>
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
//
// Configuration section...
// URL of the confirmation (dcmessage) page on the PINsafe server...
var sUrl = "http://pinsafe.server.com:8080/pinsafe/dcmessage?username=";
// Names of the username and password textboxes in the page that's calling this script...
// (On Fortinet these are username and credential; on Netscreen they are username and password)
var sNameOfUsernameText = "username";
var sNameOfPasswordText = "credential";
// End configuration section...
//
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function ShowTuring() {
  var sUser = document.getElementsByName(sNameOfUsernameText)[0].value;
  if (sUser == "") {
    alert("Please enter your username first!");
    document.getElementsByName(sNameOfUsernameText)[0].focus();
  } else {
    // Find the image using a Mozilla compatible approach...
    var img = document.getElementById("imgTuring");
    // Set the image SRC (requesting the string to be sent) and make the confirmation visible
    img.src = sUrl + sUser;
    img.style.visibility = "visible";
    // Set focus to the OTC input
    document.getElementsByName(sNameOfPasswordText)[0].focus();
  }
}
</script>
</html>

4. Verifying the Installation
Connect to the SSL VPN login page and check that the correct authentication methods are available.

5. Troubleshooting
Check the PINsafe and Fortigate logs.

6. Known Issues and Limitations
None

7. Additional Information
For assistance with the PINsafe installation and configuration, please first contact your reseller and then email Swivel Secure support at support@swivelsecure.com