INTEGRATION GUIDE. DIGIPASS Authentication for FortiGate IPSec VPN




Disclaimer

Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright
Copyright 2010 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and the logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

Table of Contents
Disclaimer
Table of Contents
1 Reader
2 Overview
3 Problem Description
4 Solution
5 Technical Concept
5.1 General overview
5.2 FortiGate prerequisites
5.3 IDENTIKEY SERVER prerequisites
6 FortiGate configuration
6.1 RADIUS configuration
6.2 Group configuration
6.3 IPSec configuration
6.4 Firewall configuration
7 FortiClient configuration
8 IDENTIKEY Server
8.1 Policy configuration
8.2 Client configuration
9 Test FortiGate VPN Client
10 About VASCO Data Security


1 Reader
This document is a guideline for configuring the partner product with IDENTIKEY SERVER or Axsguard IDENTIFIER. For details about the setup and configuration of IDENTIKEY SERVER and Axsguard IDENTIFIER, refer to the installation and administration manuals of those products. Axsguard IDENTIFIER is the appliance-based solution, running IDENTIKEY SERVER by default. Within this document VASCO Data Security provides the reader with guidelines for configuring the partner product in this specific configuration, in combination with the VASCO server and Digipass. Any change in the concept might require a change in the configuration of the VASCO server products. The product name IDENTIKEY SERVER is used throughout the document, keeping in mind that the document applies to the Axsguard IDENTIFIER as well.

2 Overview
The purpose of this document is to demonstrate how to configure IDENTIKEY SERVER to work with a FortiGate device. Authentication is arranged in one central place, where it can be used for a regular VPN or SSL/VPN connection.

3 Problem Description
The FortiGate authenticates users against an existing source (LDAP, RADIUS, local user database). To use IDENTIKEY SERVER with the FortiGate, the external authentication settings have to be added or changed manually.

4 Solution
After configuring IDENTIKEY SERVER and the FortiGate correctly, you eliminate the weakest link in any security infrastructure: static passwords, which are easily stolen, guessed, reused or shared. In this integration guide we use a FortiGate 60B, which combines a firewall, IPSec, PPTP and SSL/VPN, and a UTM suite in one appliance. For authentication we focus on the IPSec VPN part.

Figure 1: Solution

5 Technical Concept

5.1 General overview
The FortiGate authenticates users to protect VPN connections and web traffic. Because it can authenticate against an external service over RADIUS, we place IDENTIKEY SERVER behind the FortiGate as the RADIUS back end, so that every VPN logon is validated by IDENTIKEY SERVER with a Digipass one-time password.

5.2 FortiGate prerequisites
Make sure you have a working FortiGate setup. It is very important that this works correctly before you start implementing the authentication to IDENTIKEY SERVER. All FortiGate models share the same web-based manager and CLI, so this guide applies to the whole product range; the screens shown here were taken from a FortiGate 60B, and menu names may differ slightly between FortiOS versions.

5.3 IDENTIKEY SERVER prerequisites
In this guide we assume you already have IDENTIKEY SERVER installed and working. If this is not the case, get IDENTIKEY SERVER working before installing any other features.

6 FortiGate configuration
The FortiGate is configured through the web-based manager or the CLI; a CLI console is also available inside the web-based manager. By default the web-based manager is reachable at https://<ip_or_name_fortigate>. In our case this is https://192.168.0.3.

Figure 2: FortiGate configuration

6.1 RADIUS configuration
Go to User > Remote. Select the RADIUS tab and click Create New. Fill in the IDENTIKEY SERVER details: IP address and shared secret. Set the authentication scheme to PAP. Do not forget to fill in the NAS IP: this is the IP address of the FortiGate interface from which the RADIUS requests are sent to IDENTIKEY SERVER, and it is the address under which the FortiGate is registered as a RADIUS client in section 8.2. Choose a long, random shared secret: with PAP, the one-time password in the Access-Request is protected on the wire only by the RFC 2865 User-Password hiding keyed with this secret, and the same secret is all that authenticates the Access-Accept coming back, so keep the RADIUS traffic between the FortiGate and IDENTIKEY SERVER on a trusted internal network. Click OK to save the settings.

Figure 3: Group configuration (1)

6.2 Group configuration
Now go to User > User Group and click Create New. Fill in an appropriate name and choose Firewall as type. Leave the protection profile at its default, unfiltered. Select the RADIUS server created in section 6.1 on the left side of the screen and click the arrow button to add it to the members of this group. Click OK to continue.

Figure 4: Group configuration (2)

The group now appears in the list.

Figure 5: Group configuration (3)

6.3 IPSec configuration
Go to VPN > IPSEC, select the Auto Key (IKE) tab and click Create Phase1. Give this phase an appropriate name and select Preshared Key as authentication method. Fill in a secret in the Pre-Shared Key box. With XAUTH this pre-shared key is shared by all clients and only authenticates the IKE phase 1 exchange; the user is identified afterwards by XAUTH, so the key should still be long and random. Click the Advanced button at the bottom of the screen.

Figure 6: IPSec configuration (1)

In the XAUTH section, select Enable as Server. Mark PAP as authentication mechanism and select the user group you created in section 6.2. Click OK to save the new Phase1.

Figure 7: IPSec configuration (2)

Once Phase1 is created, click Create Phase2. Enter an appropriate name for this phase and select the Phase1 you created in the previous step. Click the Advanced button and make the following changes:

Encryption 1: 3DES, Authentication: SHA1
Encryption 2: 3DES, Authentication: MD5
Enable replay detection
Enable perfect forward secrecy (PFS)
DH Group: 5
Keylife: Seconds, 1800
Auto Keep Alive: Enable
DHCP-IPsec: Enable

These are the proposals used in this guide. For a new deployment prefer AES and SHA-based proposals and a stronger DH group where the client supports them; 3DES and MD5 are dated. Click OK to save Phase2.

Figure 8: IPSec configuration (3)

6.4 Firewall configuration
Go to Firewall > Policy and click Create New. Give this policy an appropriate name. Select the correct source and destination network details and make sure Schedule is always, Service is ANY and Action is IPSEC. Choose the correct Phase1 tunnel as VPN Tunnel and select Allow inbound and Allow outbound. Click OK to save the firewall policy. Service ANY is the simplest choice for getting the tunnel working; once it does, narrow the destination addresses and services to what VPN users actually need.

Figure 9: Firewall configuration

The FortiGate appliance is now set up. Next we configure the client side.

7 FortiClient configuration
Open the FortiClient on the client side. Select the following options on the Connections tab:

Start VPN before logging on to Windows
Keep IPSec Service running forever unless manually stopped
Beep when connection error occurs
    Stop after 60 seconds

Click the Advanced>>> button and select Add.

Figure 10: FortiClient configuration (2)

Fill in a connection name and select Manual configuration. Enter the network settings and select Preshared Key as authentication method. Fill in the pre-shared key set in section 6.3. Click the Advanced button to continue.

Figure 11: FortiClient configuration (3)

Click the Config button in the Policy group.

Figure 12: FortiClient configuration (4)

On the next screen select Autokey Keep Alive and click OK.

Figure 13: FortiClient configuration (5)

Now select Extended Authentication and click the Config button.

Figure 14: FortiClient configuration (6)

Select Prompt to login and click OK.

Figure 15: FortiClient configuration (7)

Click OK in the Advanced Settings and the New Connection screens. The connection is now ready to be used, but we first set up IDENTIKEY SERVER.

Figure 16: FortiClient configuration (8)

8 IDENTIKEY Server
Go to the IDENTIKEY Server web administration page and authenticate with an administrative account.

8.1 Policy configuration
To add a new policy, select Policies > Create.

Figure 17: Policy configuration (1)

Some policies are available by default. You can also create new policies to suit your needs; those can be independent policies or inherit their settings from the default or other policies.

Fill in a policy ID and description, choosing the option most suitable to your situation. If you want the policy to inherit settings from another policy, choose that policy in the Inherits From list; otherwise leave the field at None.

Figure 18: Policy configuration (2)

In the policy options, configure the back end the policy authenticates against. This can be the local IDENTIKEY database, Active Directory/Windows or another RADIUS server; typically it is whatever the FortiGate authenticated against before IDENTIKEY SERVER was put in front of it. In our example we select the newly created Demo Policy and set it as follows:

Local Auth.: Digipass/Password
Back-End Auth.: Default (None)
Back-End Protocol: Default (None)
Dynamic User Registration: Default (No)
Password Autolearn: Default (No)
Stored Password Proxy: Default (No)
Windows Group Check: Default (No Check)

With this policy, authentication happens locally in IDENTIKEY SERVER: the credentials passed through by the FortiGate are checked against the local user database and the user's Digipass record, and IDENTIKEY SERVER answers the FortiGate with an Access-Accept or Access-Reject message.

In the Policy tab, click the Edit button and change Local Authentication to Digipass/Password.

Figure 19: Policy configuration (3)

The user details can keep their default settings.

Figure 20: Policy configuration (4)

8.2 Client configuration
Now create a new component by right-clicking Components and choosing New Component.

Figure 21: Client configuration (1)

As component type choose RADIUS Client. The location is the IP address of the RADIUS client, i.e. the FortiGate interface address the requests arrive from (the NAS IP configured in section 6.1). In the policy field select the policy you just created. Fill in the same shared secret you entered in the FortiGate RADIUS settings; in our example this was vasco. That value is fine for a lab, but in production replace it with a long random secret, as it is the only key protecting the one-time password and the RADIUS replies on the wire. Click Create.

Figure 22: Client configuration (2)

The client and IDENTIKEY Server are now set up. We will now check whether the configuration works.
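The RADIUS exchange that sections 6.1 and 8.2 configure, shown as an added example; this is not code from the original guide, from VASCO or from Fortinet. It builds the PAP Access-Request the FortiGate sends after XAUTH has collected the user name and OTP (User-Name, User-Password hidden with the shared secret as in RFC 2865, NAS-IP-Address), a minimal stand-in for the IDENTIKEY side that looks up the client by its address, recovers the OTP and answers Access-Accept or Access-Reject, and the Response Authenticator check a NAS must perform before trusting a reply. The user name alice, the OTP 123456, the NAS IP 192.168.0.3, the secrets and the OTP check itself are constructed for the example; a real IDENTIKEY SERVER derives the expected OTP from the user's Digipass record. It runs offline with the Python standard library only.

```python
"""RADIUS PAP round trip between a NAS (the FortiGate) and a RADIUS server
(IDENTIKEY SERVER) as specified in RFC 2865. Added example; every name,
address and secret below is constructed for illustration."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed stand-in for Digipass OTP verification: user -> currently valid OTP.
# A real IDENTIKEY SERVER computes the expected OTP from the token's secret and state.
CONSTRUCTED_VALID_OTPS = {"alice": b"123456"}


def _attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _xor_chain(data, secret, req_auth, decrypt):
    """RFC 2865 section 5.2: block i is XORed with MD5(secret + previous hidden
    block); the first block uses MD5(secret + Request Authenticator)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if decrypt else res      # the hidden block feeds the next key
    return out


def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    return _xor_chain(padded, secret, req_auth, decrypt=False)


def recover_password(hidden, secret, req_auth):
    return _xor_chain(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(ident, user, otp, secret, nas_ip, req_auth=None):
    """What the FortiGate sends once XAUTH has collected user name and OTP (PAP)."""
    req_auth = req_auth or os.urandom(16)          # fresh random Request Authenticator
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(otp, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attributes(blob):
    attrs, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the only proof
    that a reply came from a server holding the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(packet, clients):
    """IDENTIKEY-side stand-in. 'clients' mirrors the RADIUS Client component table:
    client location (IP) -> shared secret. The real server keys on the UDP source
    address; in-process we read the NAS-IP-Address attribute instead."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    secret = clients.get(socket.inet_ntoa(attrs[NAS_IP_ADDRESS]))
    if code != ACCESS_REQUEST or secret is None:
        return None                     # unknown client: silently discarded (RFC 2865 s.3)
    user = attrs[USER_NAME].decode(errors="replace")
    otp = recover_password(attrs[USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(otp, CONSTRUCTED_VALID_OTPS.get(user, b"\x00"))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return (struct.pack("!BBH", reply_code, ident, 20)
            + response_authenticator(reply_code, ident, req_auth, b"", secret))


def nas_check_reply(reply, request, secret):
    """What the NAS must do before trusting a reply: match the Identifier and
    recompute the Response Authenticator with its own copy of the secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"                # forged reply or shared-secret mismatch
    return "accept" if code == ACCESS_ACCEPT else "reject"


def run_exchange(nas_secret, server_secret, user, otp, nas_ip="192.168.0.3"):
    """One round trip. The server only knows the client at 192.168.0.3 (the guide's FortiGate)."""
    clients = {"192.168.0.3": server_secret}
    request = build_access_request(7, user, otp, nas_secret, nas_ip)
    reply = server_handle(request, clients)
    return "no reply" if reply is None else nas_check_reply(reply, request, nas_secret)


if __name__ == "__main__":
    print(run_exchange(b"vasco", b"vasco", "alice", b"123456"))   # accept
    print(run_exchange(b"vasco", b"wrong", "alice", b"123456"))   # invalid
```

With matching secrets the result is accept; with a wrong OTP the server answers reject and the NAS can verify that answer; with mismatched shared secrets the recovered password is garbage, the server answers reject, and the NAS cannot verify the reply at all (invalid), which is the symptom of a shared-secret mismatch between the FortiGate RADIUS settings and the IDENTIKEY RADIUS Client component. A request from a NAS IP that is not registered as a client gets no reply, as RFC 2865 requires the server to discard requests from unknown clients silently; that is why the NAS IP of section 6.1 and the client location of section 8.2 have to agree.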

9 Test FortiGate VPN Client
In the Connections tab, select the correct connection and click Connect. Currently the status is Down.

Figure 23: Test FortiGate VPN Client (1)

Enter a username and one-time password (OTP) and click OK.

Figure 24: Test FortiGate VPN Client (2)

The connection screen shows the IKE negotiation details and states that the negotiation succeeded when the authentication was successful. Click OK to close. If XAUTH fails while phase 1 succeeds, the RADIUS shared secret, the NAS IP on the FortiGate and the client location on IDENTIKEY SERVER are the first settings to compare.

Figure 25: Test FortiGate VPN Client (3)

The status has now changed to Up (time).

Figure 26: Test FortiGate VPN Client (4)

10 About VASCO Data Security
VASCO designs, develops, markets and supports patented strong user authentication products for e-business and e-commerce. VASCO's user authentication software is carried by the end user on its DIGIPASS products, which are small calculator-like hardware devices, or in software on mobile phones, other portable devices and PCs. At the server side, VASCO's VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO's target markets are the applications, and their several hundred million users, that rely on fixed passwords for security. VASCO's time-based system generates a one-time password that changes with every use and is virtually impossible to hack or break. VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader in strong user authentication, with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.