# Fortigate SSL VPN via Radius Integration ## General Overview This guide explains the process of configuring multi-factor authentication (MFA) for your Fortinet Firewall using Mirket, and setting up the integration of your Fortinet Firewall with Mirket RADIUS. This integration was tested with version v7.2.2 of Fortinet FortiGate. ## Preparation Steps Before proceeding with these procedures, ensure the following: * You've completed the installation and configuration of the Mirket (go to"[Mirket Installation Steps](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-installation/mirket-installation-steps.md)" ). * End-users can access the FortiGate Firewall. * Ensure that FortiClient version 7.0.5 or a higher version is installed. ## Configuring the Fortinet Firewall ### Configure a RADIUS Server For RADIUS authentication in FortiGate Firewall VPN, you need to add a RADIUS server (the Mirket server ip address). Follow these steps to configure a RADIUS server: * Access the FortiGate web UI using https\://\ * Select **User & Authentication > RADIUS Servers**. Then click on **Create New**.

* Enter a name for the RADIUS server in the **Name** field; for instance, input "**Mirket Radius**." * Click on the **Specify** option in **Authentication Method** field, and then choose the **PAP** protocol for the authentication method. * Input the IP address of the Mirket (RADIUS server) into the **IP/Name** field. * Assign a shared secret key to identify your RADIUS client in the **Secret** field. Make sure to use the same shared secret key while configuring your RADIUS client resource in Mirket. * Click **OK** to confirm the settings. After creating the RADIUS service, we set the RADIUS timeout value and global timeout value using the FortiGate CLI. ``` config user radius edit {enter radius server name you created.} set timeout 60 set source-ip {if radius status is failure,you may need to specify source ip} next end ``` ``` config system global set remoteauthtimeout 60 end ``` ### Configure a User Group Once you've added the Mirket RADIUS server, you'll need to define a group that will authenticate using this server. Additionally, you can create a user assigned to this group. Follow these steps to configure a user group: * Select **User & Authentication > User Groups**. Then click on **Create New**.

* Enter a name in the **Name** field, for instance input **Radius User Group**. * Choose **Firewall** option from the **Type** field. * Click on Add under the **Remote Groups** section.

* Choose the **Mirket Radius** you previously created in the **Remote Server** dropdown list. * Choose the **Specify** option in the **Groups** field. * In the **Groups** field, enter the group name you are going to create ,for instance input **Radius User Group**. Then click on **OK**. In the **Group Name** section, the authorizaiton profile in Mirket must be the same as the value. * Click on **OK** to confirm settings. ### Configure SSL VPN Settings Follow these steps to configure SSL VPN settings: * Select **VPN > SSL-VPN** **Settings**.

* Choose **WAN1** from the **Listen on Interfaces(s)** dropdown list. * Enter **10443** in the **Listen on Port** field. You should define your own port here. * Select **Fortinet\_Factory** from the **Server Certificate** dropdown list. * Toggle the **Idle Logout** option. * Click on **Create New** in the **Authentication/Portal Mapping** section.

* Select the **Radius User Group** you created in the [user group configuration](#configure-a-user-group) section from the **Users/Groups** dropdown list. * Choose **full-access** option from the **Portal** dropdown list. * Then click on **OK** and keep the remaining settings as default.

* Click on **Apply** to confirm settings. ### Create an SSL VPN Policy An SSL VPN policy needs to be established to permit specific users and groups for SSL VPN usage. To create an SSL VPN policy: * Select **Policy & Objects > Firewall Policy**. Then click on **Create New**.

* Enter a name in the **Name** field. * Choose **SSL-VPN tunnel interface(ssl.root)** from the **Incoming Interface** dropdown list. * Choose the internal interface connected to the Mirket from the **Outgoing Interface** dropdown list, for example, **lan**. * Under **Source**, select “**SSLVPN address you defined on portal settings**” for **Address** and "**Radius User Group**" for **User**. * Under **Destination**, select the internal protected subnet under **Address**, such as "**all**”. * Choose "**always**" from the **Schedule** dropdown list. * Under **Service** select "**ALL**" option. * Keep the remaining settings as default values.

* Click **OK** to confirm settings.

## Configure Mirket To enable Mirket to receive authentication requests from FortiClient, follow these steps: ### Add Fortigate as a Resource in Mirket with Radius Gateway Before starting, ensure that you have installed Mirket Radius Gateway from the **Configuration** > **Gateway.** To add a Radius Gateway to the Mirket, follow these steps: * Go to **Configuration** > **Gateway** and click on the **Add Radius Gateway** button. * On the displayed screen, enter a name for your Radius Gateway in the **Name** field. * Enter the SAM value of the gateway in the **Sam Value** field. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls. * Enter the IP address of the server where the gateway is installed in the **Host IP Address** field. * Enter the authentication port value you set for the gateway in the **Auth Port** field. The default value is 1812. * Enter the accounting port value you specified for the gateway in the **Acc Port** field. The default value is 1813. **Note**: After completing these fields, you must create a **RADIUS client** for the newly created RADIUS Gateway. * Click on the **Add Radius Client** option at the bottom of the displayed screen. * Enter a name for your Radius Client in the **Radius Client** field. * Enter the IP address of the client(firewall) that will communicate with the gateway in the **IP Address** field. * Enter the secret key that the client will communicate with the gateway in the **Secret Key** field.

* Click on the **Save** button to confirm the settings.

### Configuring Radius Gateway * After creating the Radius Gateway, click on the **Download > Config** from the menu on the right side of the gateway.

* This option will generate a script related to the gateway, which will be displayed from the RADIUS Setup config file. The config file will automatically begin downloading once this option is selected.

* Replace the existing config file in the `"C:\MirketRadius"` directory with the downloaded file. Alternatively, copy the displayed script and paste it into the config file in `"C:\MirketRadius"`.

* Then, restart the **Mirket Radius Service**.

You can check whether the Radius Gateway you created is active by navigating to **Configuration** > **Gateway**. ### User and Group configuration on Mirket To set up multifactor authentication, make sure you have at least one **user** or **group** in Mirket. If it is preferred to use a local user, you can first create a local group and then create a local user and make the user a member of the group. Alternatively, you can create a local user without creating a local group. * [Create a Local Group to add users manually.](/mirket-help-center/mirket-help-center/mirket-saas-platform/mirket-portal/groups.md) * [Add local Mirket users manually.](/mirket-help-center/mirket-help-center/mirket-saas-platform/mirket-portal/users/local-users.md) If it is preferred to use LDAP users, the priority External Source is created by pulling users from Active Directory or OpenLDAP in Mirket. **Note**: Before proceeding, ensure that you have installed Mirket LDAP Gateway. ([Refer to create LDAP Gateway.](/mirket-help-center/mirket-help-center/mirket-saas-platform/mirket-portal/connector/ldap-gateways.md)) * [Create an External Source to include LDAP users.](/mirket-help-center/mirket-help-center/mirket-saas-platform/mirket-portal/external-sources/active-directory.md) * [Sync users from an external user database.](/mirket-help-center/mirket-help-center/mirket-saas-platform/mirket-portal/users/ldap-users.md) ### Add a Radius Rule to Mirket Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP, etc.). First, you should follow these steps: * Go to **Configuration > Radius Rules**. * Click on the **Add Radius Rule** button. * On the displayed screen, enter a name for the rule in the **Name** field. * Enter the rule description in the **Description** field. * Select the Radius Client to which the rule will apply from the **Radius Client** dropdown list. * Enter the source IP addresses to which the rule will apply in the **Source Adress** field. * Select the source countries where the rule will be applied from the Source Country dropdown list. * Click on the **Next** button.

* Specify whether the rule will be applied to a user or a group. * After specifying, click on the **Next** button.

* Select the users or groups to which the rule will apply. Transfer your selections to the **Selected Users/Groups** table by clicking the arrow icon next to the **Available Users/Groups** table. * Click on the **Next** button.

* Select the time period when the rule will run. * **All**: The rule will run every day. * **Recurring**: The rule will run on the specified days and times. * **One Time**: The rule will run within the date range you specify. * After selecting, click on the **Next** button.

* Specify whether the user or group will be granted access based on the rule in the **Action** field. * Select the authentication provider to which the rule will apply from the **Auth Method** dropdown list. * Select the attribute type as "**FortigateGroupName**" from the **Attribute Type** dropdown list. * Enter the group to be granted authorization in the **Value** field. Please make sure that the value is the same as the group name you specify in Fortigate.

* Click on **Save** to confirm the settings.

### Test the Integration To validate the integration between Mirket and your configured Fortinet Firewall, perform authentication using a Mirket MFA app on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication. In this example, we illustrate the use of the approve/deny authentication method. * Launch FortiClient. * Select **Configure VPN**. * Enter a name for this connection in the **Connection Name** field. * Enter a description in the **Description** field. * Input the IP address of the listen on interface in Fortinet in the **Remote Gateway** field. * Tick the **Customize port** option and enter **10443**(specified port). * Then, click on Save. * Enter your Mirket username in the **Username** field. * Enter your password in the **Password** field. * Click on **Connect**. * Then, select the '**Approve**' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.

#### Related Topics --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-saas-platform/integrations/fortigate-ssl-vpn-via-radius-integration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.