FortiGate
Jonathan_Body_FTNT
Article Id 191975

Description

This article gives answers to some basic questions about the FortiOS setup with RSA Authentication Manager.

1. How to configure FortiOS to support RSA Authentication Server.
2. How to test FortiGate-RSA connectivity via the CLI of the FortiGate.
3. What type of authentication can be used with RSA Authentication Manager?
4. What tasks can be assigned to the RSA server following deployment?
5. What version of RSA Authentication Manager is supported?


Scope

FortiOS v4.0 MR3 and above.
RSA Authentication Manager v5.1 to v7.1 SP4


Solution

1. How to configure FortiOS to support RSA Authentication Server (CLI).
FGT60C # sh user radius RSA_server

config user radius
edit "RSA_server"
set radius-port 1812
set secret ENC fvcXHgbHfrTNb4P9ZndSHjrcnXIJgAunhnzP8yivG4vzd+o4hyF6glULYGNPkL+OhzZsr6dnOJXpzPUfnwCx6oTYqObt/BqMkwJ8BgAP1QKB2cUH
set server "10.177.0.21"
next
end
2. How to test FortiGate-RSA connectivity via the CLI of the FortiGate.
FGT60C-1 # diag deb console timestamp enable

FGT60C-1 # diag deb app fnbamd -1
diag debug app authd -1

FGT60C-1 # diag sniffer packet any 'port 1812' 6
interfaces=[any]
filters=[port 1812]
2012-12-20 03:33:21 fnbamd_fsm.c[739] handle_req-Rcvd auth req 0 for administrator in RSA_server opt=13 prot=0
2012-12-20 03:33:21 fnbamd_radius.c[648] fnbamd_radius_auth_send-Sent radius req to 10.177.0.21: code=1 id=109 len=92 user=administrator using PAP

35.403201 vid177 -- 10.177.0.148.3474 -> 10.177.0.21.1645: udp 92
0x0000 000c 298b 1a8a 0009 0f84 2757 0800 4500 ..).......'W..E.
0x0010 0078 4f29 0000 4011 1542 0ab1 0094 0ab1 .xO)..@..B......
0x0020 0015 0d92 066d 0064 dfc4 016d 005c 7079 .....m.d...m.\py
0x0030 30b4 54ab d7d1 ff83 0e78 f7cb 6f61 200b 0.T......x..oa..
0x0040 4647 5434 3030 412d 3101 0f61 646d 696e FGT400A-1..admin
0x0050 6973 7472 6174 6f72 0212 e85e ea9d 96e6 istrator...^....
0x0060 0f88 3332 f89d ff12 c95e 2c0a 3030 3245 ..32.....^,.002E
0x0070 3030 3542 4d06 7465 7374 1a0c 0000 3044 005BM.test....0D
0x0080 0306 726f 6f74 ..root

2012-12-20 03:33:23 fnbamd_auth.c[886] fnbamd_auth_handle_result-->Result for radius svr 10.177.0.21(0) is 0

37.429478 vid177 -- 10.177.0.21.1645 -> 10.177.0.148.3474: udp 85
0x0000 0009 0f84 2757 000c 298b 1a8a 0800 4500 ....'W..).....E.
0x0010 0071 671f 0000 8011 bd52 0ab1 0015 0ab1 .qg......R......
0x0020 0094 066d 0d92 005d e7d7 026d 0055 8914 ...m...]...m.U..
0x0030 f01e c69a 7c16 bedb 795f 52e0 f121 1941 ....|...y_R..!.A
0x0040 5342 5232 434c 99fb e6f4 eced e6ae f780 SBR2CL..........
0x0050 1180 2c01 8003 8198 ce80 0280 0f81 b0d9 ..,.............
0x0060 8dd6 cbb9 d2f3 ba9c cc97 a3bd e412 800e ................
0x0070 8199 fbe6 f4ec ede6 aef7 8080 8080 c8 ...............

2012-12-20 03:33:23 fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 0 for req 0
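The fnbamd lines above only summarise the exchange (code=1, id=109, len=92, user=administrator, then result 0). The following Python example, added here and not part of the original article, decodes the two captured frames into their RADIUS fields so the debug output can be checked against the wire: the Access-Request carrying User-Name, the 16-byte PAP-obfuscated User-Password and a Fortinet vendor-specific attribute (vendor ID 12356, the Fortinet enterprise number), and the matching Access-Accept. The dump text is copied from the capture above; attribute names are the standard RADIUS ones.

```python
import struct
# Constructed input: the two sniffer dumps above (offset, hex words, ASCII column) as the FortiGate prints them.
ACCESS_REQUEST = r"""
0x0000 000c 298b 1a8a 0009 0f84 2757 0800 4500 ..).......'W..E.
0x0010 0078 4f29 0000 4011 1542 0ab1 0094 0ab1 .xO)..@..B......
0x0020 0015 0d92 066d 0064 dfc4 016d 005c 7079 .....m.d...m.\py
0x0030 30b4 54ab d7d1 ff83 0e78 f7cb 6f61 200b 0.T......x..oa..
0x0040 4647 5434 3030 412d 3101 0f61 646d 696e FGT400A-1..admin
0x0050 6973 7472 6174 6f72 0212 e85e ea9d 96e6 istrator...^....
0x0060 0f88 3332 f89d ff12 c95e 2c0a 3030 3245 ..32.....^,.002E
0x0070 3030 3542 4d06 7465 7374 1a0c 0000 3044 005BM.test....0D
0x0080 0306 726f 6f74 ..root
"""
ACCESS_ACCEPT = r"""
0x0000 0009 0f84 2757 000c 298b 1a8a 0800 4500 ....'W..).....E.
0x0010 0071 671f 0000 8011 bd52 0ab1 0015 0ab1 .qg......R......
0x0020 0094 066d 0d92 005d e7d7 026d 0055 8914 ...m...]...m.U..
0x0030 f01e c69a 7c16 bedb 795f 52e0 f121 1941 ....|...y_R..!.A
0x0040 5342 5232 434c 99fb e6f4 eced e6ae f780 SBR2CL..........
0x0050 1180 2c01 8003 8198 ce80 0280 0f81 b0d9 ..,.............
0x0060 8dd6 cbb9 d2f3 ba9c cc97 a3bd e412 800e ................
0x0070 8199 fbe6 f4ec ede6 aef7 8080 8080 c8 ...............
"""
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 25: "Class", 32: "NAS-Identifier", 44: "Acct-Session-Id", 77: "Connect-Info"}

def dump_to_bytes(dump):  # drop the offset and the ASCII column (FortiGate prints '.' for non-printables, so it has no spaces)
    words = [w for line in dump.strip().splitlines() for w in line.split()[1:-1]]
    return bytes.fromhex("".join(words))

def parse_radius(frame):  # Ethernet (14 bytes) / IPv4 / UDP / RADIUS, as captured with 'diag sniffer packet any ... 6'
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # IPv4 header length, honours options
    src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    radius = ip[ihl + 8:]                             # skip the 8-byte UDP header
    code, ident, length = struct.unpack("!BBH", radius[:4])
    attrs, pos = [], 20                               # attributes follow the 4-byte header + 16-byte Authenticator
    while pos + 2 <= length:
        atype, alen = radius[pos], radius[pos + 1]
        if alen < 2 or pos + alen > length:           # RFC 2865: length covers type+length+value, never below 2
            raise ValueError("malformed attribute at offset %d" % pos)
        value = radius[pos + 2:pos + alen]
        if atype == 26:                               # Vendor-Specific: 4-byte vendor id, then vendor type/length/value
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            attrs.append(("Vendor-Specific", vendor, vtype, value[6:4 + vlen]))  # 12356 = Fortinet, type 3 = VDOM name
        else:
            attrs.append((ATTRS.get(atype, atype), value))
        pos += alen
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "code": CODES.get(code, code), "id": ident, "length": length, "attrs": attrs}
```

Note that both captured frames use UDP 1645 (the legacy RADIUS port) rather than 1812, so the 'port 1812' sniffer filter shown above would not have matched them; set the filter to the port actually configured with set radius-port.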
3. What type of authentication can be used with RSA Authentication Manager?
- Firewall authentication
- IPSec eXtended authentication (XAuth)
- PPTP
- SSL VPN authentication from the web portal
4. What tasks can be assigned to the RSA server following deployment?
As FortiOS sees the RSA server as a RADIUS server, FortiOS uses the vendor-specific attributes (VSAs) returned by the server to perform the following actions:

- assign an access profile and VDOM (admin user profiles)
- assign an IP address to an IPsec dialer (DHCP over IPsec)
- assign an identity-based firewall policy (firewall authentication)
- determine a route (authentication-based routing)

For more information on how to configure an identity-based security policy for RSA Authentication Manager, refer to the User Authentication FortiOS Handbook v3 for FortiOS v4.0 MR3 (pages 60-63).
5. What version of RSA Authentication Manager is supported?
Refer to the attached RSA SecurID Ready Implementation Guide.