Fortigate SSL VPN Integration

General Overview

This guide explains the process of configuring multi-factor authentication (MFA) for your Fortinet Firewall using Mirket, and setting up the integration of your Fortinet Firewall with Mirket RADIUS.

This integration was tested with version v7.2.2 of Fortinet FortiGate.

Preparation Steps

Before proceeding with these procedures, ensure the following:

You've completed the installation and configuration of the Mirket (go to"Mirket Installation Steps" ).
End-users can access the FortiGate Firewall.
Ensure that FortiClient version 7.0.5 or a higher version is installed.

Configuring the Fortinet Firewall

Configure a RADIUS Server

For RADIUS authentication in FortiGate Firewall VPN, you need to add a RADIUS server (the Mirket server ip address).

Follow these steps to configure a RADIUS server:

Access the FortiGate web UI using https://<IP address of FortiGate>
Select User & Authentication > RADIUS Servers. Then click on Create New.

Enter a name for the RADIUS server in the Name field; for instance, input "Mirket Radius."
Click on the Specify option in Authentication Method field, and then choose the PAP protocol for the authentication method.
Input the IP address of the Mirket (RADIUS server) into the IP/Name field.
Assign a shared secret key to identify your RADIUS client in the Secret field. Make sure to use the same shared secret key while configuring your RADIUS client resource in Mirket.
Click OK to confirm the settings.

After creating the RADIUS service, we set the RADIUS timeout value and global timeout value using the FortiGate CLI.

config user radius    
    edit <name> {enter radius server name you created.}
        set timeout 60
        set source-ip {if radius status is failure,you may need to specify source ip}
    next
end

 config system global 
        set remoteauthtimeout 60
end

Configure a User Group

Once you've added the Mirket RADIUS server, you'll need to define a group that will authenticate using this server. Additionally, you can create a user assigned to this group.

Follow these steps to configure a user group:

Select User & Authentication > User Groups. Then click on Create New.

Enter a name in the Name field, for instance input Radius User Group.
Choose Firewall option from the Type field.
Click on Add under the Remote Groups section.

Choose the Mirket Radius you previously created in the Remote Server dropdown list.
Choose the Specify option in the Groups field.
In the Groups field, enter the group name you are going to create ,for instance input Radius User Group. Then click on OK. In the Group Name section, the authorizaiton profile in Mirket must be the same as the value.
Click on OK to confirm settings.

Configure SSL VPN Settings

Follow these steps to configure SSL VPN settings:

Select VPN > SSL-VPN Settings.

Choose WAN1 from the Listen on Interfaces(s) dropdown list.
Enter 10443 in the Listen on Port field. You should define your own port here.
Select Fortinet_Factory from the Server Certificate dropdown list.
Toggle the Idle Logout option.
Click on Create New in the Authentication/Portal Mapping section.

Select the Radius User Group you created in the user group configuration section from the Users/Groups dropdown list.
Choose full-access option from the Portal dropdown list.
Then click on OK and keep the remaining settings as default.

Click on Apply to confirm settings.

Create an SSL VPN Policy

An SSL VPN policy needs to be established to permit specific users and groups for SSL VPN usage.

To create an SSL VPN policy:

Select Policy & Objects > Firewall Policy. Then click on Create New.

Enter a name in the Name field.
Choose SSL-VPN tunnel interface(ssl.root) from the Incoming Interface dropdown list.
Choose the internal interface connected to the Mirket from the Outgoing Interface dropdown list, for example, lan.
Under Source, select “SSLVPN address you defined on portal settings” for Address and "Radius User Group" for User.
Under Destination, select the internal protected subnet under Address, such as "all”.
Choose "always" from the Schedule dropdown list.
Under Service select "ALL" option.
Keep the remaining settings as default values.

Click OK to confirm settings.

Add a Fortigate as Resource in Mirket with Mirket Radius Gateway

Before starting, ensure that you have installed Mirket Radius Gateway. To add a Radius Client to the Mirket Radius Gateway, follow these steps:

First, navigate to the directory C:\MirketRadius and open the config.json file.

Fill in the gateway and radiusClientList fields according to the provided specifications to ensure accurate and secure network configuration.
- samName: Enter the SAM name of the gateway. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls. Please provide your domain name, such as 'mirket'.
- authenticationPort: Enter the authentication port value you set for the gateway. The default value is 1812.
- accountingPort: Enter the accounting port value you specified for the gateway. The default value is 1813.
- gatewayIp: Enter the IP address of the server where the Mirket is installed.
- ipAddress: Enter the IP address of your firewall.
- secretKey: Enter your secret key. This secret key is used to link your radius client and radius server, so ensure they are identical.

Once you've made the necessary changes to the config.json file, save and close it. Note: You can add multiple RADIUS clients.
After completing the configuration, restart the 'Mirket Radius Gateway Service'.

User and Group configuration on Mirket

To set up multifactor authentication, make sure you have at least one user group in Mirket.

If it is preferred to use a local user, first create a local group and then create a local user and make the user a member of the group.

If it is preferred to use LDAP users, the priority LDAP group is created by pulling users from Active Directory or OpenLDAP in Mirket.

Create an Authorization Profile on Mirket

After authentication, in scenarios requiring authorization (Example: Sending group name to the Radius client in SSL VPN), you can complete the process by creating an authorization profile in Mirket and selecting the created profile in Radius rules.

The following steps should be followed to create an authorization profile:

Select Authorization Profiles.
Click on Add New.
Enter an authorization profile name in the Name field.
Select the attribute type as "FortigateGroupName" from the Attribute Type dropdown list.
Enter the group to be granted authorization in the Value field. Please make sure that the value is the same with group name you specify in Fortigate.
Click on Save to confirm settings.

Add a Radius Rules to Mirket

Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP, etc.).

First, you should follow these steps:

Select Rules > Radius Rules.
Click on Add New.
Enter a rule name in the Name field.
Enter the rule description in the Description field.
Select the group to which the rule applies from the Group dropdown list.
Select the provider to which the rule applies from the Provider dropdown list.
Select the authorization profile to which the rule applies from the Authorization dropdown list.
Click on Save to confirm settings.

Test the Integration

To validate the integration between Mirket and your configured Fortinet Firewall, perform authentication using a Mirket MFA app on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.

In this example, we illustrate the use of the approve/deny authentication method.

Launch FortiClient.
Select Configure VPN.
Enter a name for this connection in the Connection Name field.
Enter a description in the Description field.
Input the IP address of the listen on interface in Fortinet in the Remote Gateway field.
Tick the Customize port option and enter 10443(specified port).
Then, click on Save.
Enter your Mirket username in the Username field.
Enter your password in the Password field.
Click on Connect.
Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.