Copyright
Copyright 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.
2. The incoming RADIUS authentication request is relayed to the CRYPTO-MAS Server, as shown in Figure 1 below.
3. The CRYPTO-MAS Server examines the incoming packet. If the user exists, it then checks the token associated with the user for the expected PIN + One-time password.
4. Once the PIN + One-time password has been verified against the user's token and found valid, the server sends an access accept. This is illustrated in Figure 2 below.
Fortinet Fortigate 60 Implementation Guide 2
If the user does not exist, or the PIN + One-time password is incorrect, the server sends the user an access reject message.
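The exchange in steps 2 to 4 above, written out as an added Python example; it is not part of this guide and not CRYPTOCard's or Fortinet's code. It assumes the PAP case: the Fortigate hides the PIN + One-time password with the RADIUS shared secret and Request Authenticator as RFC 2865 specifies, and the server reveals it and checks it against the user's token. The token algorithm is RFC 4226 HOTP, used here as a stand-in for CRYPTOCard's own token algorithm; the shared secret, the user record, its key and PIN, and the look-ahead window are all constructed values.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Constructed values for the demo: not a real shared secret, not real token data.
SHARED_SECRET = b"demo-shared-secret"
LOOKAHEAD = 3  # how many unused counter values past the expected one the server accepts


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as the RADIUS client (the Fortigate) does for PAP."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk  # each block is chained on the previous hidden block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does before checking the credential."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, an event-based one-time password (stand-in for the CRYPTOCard token algorithm)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class Token:
    pin: str
    key: bytes
    counter: int  # next counter value the server expects; advanced on every success


# Constructed user database. The username must match what the Fortigate sends (step 3).
USERS = {"henry": Token(pin="1234", key=b"constructed-demo-token-key", counter=0)}


def authenticate(username: str, pin_otp: str) -> str:
    """CRYPTO-MAS decision from steps 3 and 4: look the user up, then check PIN + One-time password."""
    token = USERS.get(username)
    if token is None:
        return "Access-Reject"  # unknown user
    pin, otp = pin_otp[:len(token.pin)], pin_otp[len(token.pin):]
    if not hmac.compare_digest(pin.encode(), token.pin.encode()):
        return "Access-Reject"  # wrong PIN (constant-time compare, unequal lengths compare False)
    for candidate in range(token.counter, token.counter + LOOKAHEAD):
        if hmac.compare_digest(otp.encode(), hotp(token.key, candidate).encode()):
            token.counter = candidate + 1  # consumed: the same code cannot be replayed
            return "Access-Accept"
    return "Access-Reject"  # one-time password not inside the accepted window


def relay_access_request(username: str, pin_otp: str,
                         client_secret: bytes = SHARED_SECRET,
                         server_secret: bytes = SHARED_SECRET) -> str:
    """Step 2 end to end: the client hides the credential on the wire, the server reveals and verifies it.
    A mismatched shared secret on either side yields garbage, which is rejected like a wrong password."""
    request_authenticator = os.urandom(16)  # fresh per Access-Request; travels in the clear in the packet
    on_the_wire = hide_password(pin_otp.encode(), client_secret, request_authenticator)
    credential = reveal_password(on_the_wire, server_secret, request_authenticator).decode(errors="replace")
    return authenticate(username, credential)


if __name__ == "__main__":
    code = hotp(USERS["henry"].key, USERS["henry"].counter)
    print("valid login  :", relay_access_request("henry", "1234" + code))
    print("replayed code:", relay_access_request("henry", "1234" + code))
    print("unknown user :", relay_access_request("alice", "1234" + code))
    print("wrong secret :", relay_access_request("henry", "1234" + hotp(USERS["henry"].key, 1), server_secret=b"other"))
```

The server advances the token counter only on success, so a captured PIN + One-time password cannot be reused, and a shared secret that differs between the Fortigate and CRYPTO-MAS shows up as an access reject rather than a transport error, which is worth remembering when the diag test later in this guide fails.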
Prerequisites
The following systems must be verified operational prior to configuring the Fortigate to use CRYPTOCard authentication:
1. Verify end users can authenticate through the Fortigate with a static password before configuring the Fortigate to use CRYPTOCard authentication.
2. An initialized CRYPTOCard token assigned to a CRYPTOCard user.
The following CRYPTO-MAS server information is also required:
Primary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address:
Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL):
CRYPTO-MAS RADIUS Accounting port number (OPTIONAL):
CRYPTO-MAS RADIUS Shared Secret:
The IP Address and Shared Secret will be provided so the Fortinet Fortigate will point towards the CRYPTO-MAS Server for authentication.
Enter the user's username, select RADIUS, then select the RADIUS server it will be authenticating to. Click OK when everything has been selected. Note: the username must match the username that is provided to the CRYPTO-MAS Server.
At least the following configuration options should be selected:
1. Enter the name of the group.
2. Change type from Firewall to SSL VPN.
3. Expand the SSL-VPN User Group Options and put a check mark in the following boxes:
o Enable SSL-VPN Tunnel Service
o Enable Web Application
o HTTP/HTTPS Proxy
o Telnet(applet)
o VNC
o FTP
o Samba
o RDP
Click OK
1. Select Enable SSL-VPN.
2. Choose a port for the SSL-VPN Connection.
3. Enter the Tunnel IP Range.
4. Select the Server Certificate (Self-Signed by default).
5. Select Default for Encryption Key Algorithm.
6. Idle Timeout is 300 seconds.
Source Interface/Zone: wan1
Source Address Name: All
Destination Interface/Zone: internal
Destination Address Name: all
Schedule: always
Service: ANY
Action: SSL-VPN
Select the Group on the Available Groups side and move them over to the Allowed side for SSL-VPN access. Check off Protection Profile and it should be defaulted to unfiltered. Click OK when finished.
Once you have logged on, enter the command with the following syntax:
# diag test auth rad <radius server name> <auth protocol> <username> <One-Time Password>
If it succeeds, the output message will be something along the lines of:
authenticate henry against pap succeeded, server=primary session_timeout=0 secs!
A login prompt comes up. Enter the username and PIN + One-time password.
Once the user has successfully logged in, they will be presented with a Welcome to SSL-VPN Service page.
The CRYPTO-MAS Server can also be set up to use New PIN Mode, Stored on Server, server changeable. If the user's PIN style has been set to Stored on Server, server changeable, and set to push out a new PIN after the next logon, a new PIN is displayed on the web page, as illustrated below.
Solution Overview
Summary
Product Name: Fortinet Fortigate
Vendor Site: http://www.fortinet.com/
Supported VPN Client Software: Internet Explorer 6 or higher; Mozilla Firefox 1.5 or higher
Authentication Method: RADIUS Authentication
Trademarks
CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS are either registered trademarks or trademarks of CRYPTOCard Corp. Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.
Publication History
Date               Changes
October 27, 2006   Initial Draft
November 9, 2006   Global Draft
November 30, 2006  Minor Revision