Fortinet VPN Client

Fortinet provide physical and virtualized security designs and appliance for important data and critical workload. You can enable two-factor authentication (2FA) for your Fortinet managed active directory to increase security level. When you enable 2FA, your users enter their username and password (first factor) as usual, and they have to enter an authentication code (the second factor) which will share on your virtual or hardware 2FA solution.
To enable 2FA you can enable RADIUS authentication in Fortinet and configure policies in miniOrange to enable or disable 2FA for users.

miniOrange 2FA for VPN Login

miniOrange accomplishes this by acting as a RADIUS server, that accepts the username/password of the user entered as a RADIUS request, validates the user against the user store as Active Directory ( AD ), prompts him for the 2-factor authentication and either grants/revokes access based on the input by the user.

Types of 2FA Authentication with RADIUS

The 2-factor authentication can be of two types depending on the VPN clients.

• VPN Clients that support RADIUS Challenge.
• VPN Clients that do not support RADIUS Challenge.

In VPN Clients that support RADIUS Challenge :

• First step is user's username & password get validated against the credentials stored in Active Directory and 2nd request sends a success response, this request is sent to validate the 2-factor authentication of the user, on successful authentication user is granted access to the application.
• Authentication methods : All Authentication methods supported by miniOrange. Software Token, Push Notification, OTP over Email to name a few.
• RADIUS Clients that support this authentication type:
  -> OpenVPN
  -> Palo Alto
  -> Fortinet
  -> Pulse Secure Connect Secure SSL

Enable Two-Factor Authentication (2FA) for your Fortinet managed active directory to increase security level

Step 1: Add the Radius Client in miniOrange

• Login into the Admin Dashboard..
• Click on Apps >> Manage Apps.
• Click on Configure Apps.



• Select Radius tab and select Radius Client.



• Configure details below to add Radius Client.

Client Name:	Fortinet or any other name for your reference
Client IP:	IP address of Fortinet VPN server which will send Radius authentication request
Shared Secret:	Security key (Keep this with you, you will need to configure same in Fortinet )

• Click on Save.

Step 2: Enable 2 factor authentication

• Click on Policies tab >> App Authentication Policy.



• Click on Add Policy tab.
• In Step 1 Select “OpenVPN” in Application section.
• In Step 2 Select “DEFAULT” in Group Name and enter Policy name as “OpenVPN” add policy then Select First factor as “PASSWORD”.
• Enable Second factor then click on Save.

Step 3: Setup LDAP authentication ( OPTIONAL)

• Select User Stores then click on Add User Store.



• Select “AD/LDAP” tab and configure it with your LDAP settings.




Field	Value
Name	miniOrange RADIUS
Type	Query
Primary Server Name/IP	The IP address or FQDN of your miniOrange RADIUS proxy
Primary Server Secret	The RADIUS secret configured on your miniOrange RADIUS proxy
Search Filter	If you want to add extra conditions on user search you can add it in Search Filter. Example:(&(objectClass=*)(mail=?))(&(objectClass=*)(samaccountname=?))

• Enable “Active LDAP” and “Sync user in miniOrange” option and click on save.



• Click on Test Configuration to check whether your LDAP configuration details are right and LDAP server is reachable. It will ask for test username & password from LDAP directory.



• After this, it will show you the list of User stores. Click on “ Make Default “.

Step 4:Configure Fortinet client

• Log in to the Fortinet FortiGate administrative interface with your Username and Password



• Click on User & Device >> Authentication >> RADIUS Servers. Click on Create New.
• On the New RADIUS Server page and enter the below information:

Area	Field Value
Directory Type	Active Directory or your directory type
LDAP Server URL	Your AD server URL or IP address
Bind Account DN	Click on AD FS>>Domain>>respective Users>> Properties>>Attribute Editor then copy the value of distinguishedName & paste it against Bind Account DN.
Search Bases	Search Base is a user search location. It means where to search for a user.Example: cn=users,dc=miniorange,dc=com
Search Filter	If you want to add extra conditions on user search you can add it in Search Filter. Example:(&(objectClass=*)(mail=?))(&(objectClass=*)(samaccountname=?))

• Click on Ok.

Step 5: Configure the Fortinet a User Group with miniOrange RADIUS server

• Click on “User & Device” >> User >> User Groups.
• To create new group : Click on Create New. (In case if you have an existing user group then click on that user group and edit its settings).
• After section your user group, enter Name as miniOrange SSL VPN and Type as Firewall.
• Click on Create New in the Remote groups section and select the miniOrange RADIUS remote server.
• Click on Ok.

Step 6 : Configure the Fortinet timeout with miniOrange RADIUS server

• Connect to the appliance CLI.
• Execute below commands in it: #config system global #set remoteauthtimeout 30 #end

Step 7: Test miniOrange 2FA setup for Fortinet VPN Login

• Login to Fortinet and enter Username and password.
• It will prompt you for 2 Factor code if you have enabled 2-factor authentication in miniOrange policy.
• Enter your 2-Factor code and you should be connected to VPN.

For Further Details:

Two Factor authentication
Fortinet
https://cookbook.fortinet.com/ssl-vpn-with-radius-and-fortitoken-60/
https://cookbook.fortinet.com/sms-two-factor-authentication-ssl-vpn/