Configure the Fortinet Appliance to Interoperate with Okta via RADIUS

Supported Factors

The following MFA Factors are supported:

MFA Factor	Password Authentication Protocol PAP	Extensible Authentication Protocol - Generic Token Card EAP-GTC	Extensible Authentication Protocol - Tunneled Transport Layer Security EAP-TTLS
Okta Verify (TOTP and PUSH)	Supported	Supported	Supported - as long as challenge is avoided. For example: MFA-only or password, MFA for TOTP. Push can work with primary auth + MFA as the push challenge is sent out-of-band.
Voice Call	Supported	Supported	Not supported
SMS Authentication	Supported	Supported	Not supported
Google Authenticator	Supported	Supported	Supported - as long as challenge is avoided. For example MFA only or password, MFA.
Symantec VIP	Supported	Supported	Supported
Security Question	Supported	Supported	Not supported
Custom TOTP Authentication	Supported	Supported	Not supported
Duo(Push, SMS and Passcode only)	Supported	Supported	Supported (passcode, Push)
YubiKey	Supported	Supported	Supported
RSA Token	Supported	Supported	Supported
Email	Supported	Supported	Not supported

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

Part 1 – Preconfiguration: Installing, and configuring the Okta RADIUS Agent.

Configuring a Fortinet appliance to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source	Destination	Port/Protocol	Description
Okta RADIUS Agent	Okta Identity Cloud	TCP/443 HTTP	Configuration and authentication traffic
Fortinet appliance	Okta RADIUS Agent	UDP/1812 RADIUS (actual port number defined in next step)	RADIUS traffic between the firewall (client) and the RADIUSs Agent (server)

Part 2 – Use the Okta Admin Console to Configure the Okta RADIUS Agent

In this step, add the Fortinet Fortigate (RADIUS) app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

Authentication configuration
UDP Port
Secret Key
Application Username Format

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending Groups information to the firewall.

In Okta, navigate to Applications > Applications> Add Application, search for Fortinet Fortigate (RADIUS), and then click Add Application:
Enter a unique name.
Provide the following Sign On values:
- Authentication: Retaining this default button allows Okta to perform primary authentication.
- UDP Port: Required. Each RADIUS app has a unique number. Enter it here.
- Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Fortinet Fortigate (RADIUS) app.
- Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.
After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

For additional information about Multifactor authentication in general please see Multifactor Authentication

For additional information about configuring and managing security policies see Security Policies.

Part 3 – Configure Your Fortinet FortiGate SSL VPN to use the Fortinet Fortigate (RADIUS) OIN App

In Part 3 you define a RADIUS Server Profile, define a RADIUS server, define a firewall group, define an IPv4 policy, and define Authentication/Portal mapping. Complete these using the Fortinet web based Admin Console.

Step 1 –Define a RADIUS Server Profile

Sign in to the Fortinet Admin console for the VPN appliance with sufficient privileges
Navigate to User & Device > RADIUS Servers, and then click Create New to define a new RADIUS server, as shown below.

Enter the following values to create a New RADIUS Server

Field	Value
Name	Unique and appropriate name (Okta MFA RADIUS)
Primary Server IP / Name	IP or Name of Okta RADIUS Server Agent
Primary Server Secret	Secret Key for the Fortinet Fortigate (RADIUS) App defined in Part 2, Step 3, above
Secondary Server IP / Name	Optional
Secondary Server Secret	Optional
Authentication Method	Specify
Method	PAP
NAS IP	Blank
Include in every User Group	unchecked

Note: FortiGate defaults to using port 1812. To modify this setting, follow command line instructions below.

Click OK to save these settings.
Set the Remote Authentication Timeout

The default timeout for Fortinet is 5 seconds; however, this timeout is insufficient when using Okta Verify Push. Run following commands from the command line to increase the timeout to 60 seconds.
```
config system global
    set remoteauthtimeout 60
end
```
[Optional] Change the Standard Port Definition

To define a UDP Port other than the default (usually 1812), run the following commands from the command line.

Note: These commands show the full RADIUS definition. MyRadiusSecretKey is the secret key for the Fortinet Fortigate (RADIUS) App defined in Part 2, Step 3, above. The command to define the RADIUS port is highlighted.
```
config user radius
   edit "Okta MFA RADIUS"
      set server "10.20.251.19"
	  set secret MyRadiusSecretKey
      set radius-port 1814
      set auth-type pap
   next
end	
```

Step 2 – Define a Firewall Group

Navigate to User & Device > User Groups, and then click Add to define a new Group Match, as shown below.
Note: Leave the Groups field blank.

Enter the following values to create a New Firewall Group

Field	Value
Name	Unique and appropriate name (Okta MFA Radius Group)
Type	Firewall
Single Sign-On (RSSO) Members	blank
Remote Groups	Create New Remote Server: Use the name created in Step 1, above (Okta MFA Radius) Group Name: Any (Note: In Fortigate firmware 5.6.5 and above, leave the Group Name blank.)

Click OK to save these settings.

Step 3 – Define an IPv4 Policy

Navigate to Policy & Objects > IPv4 Policy, and then locate and edit the policy related to your SSL-VPN interface. Edit the Source, as shown below.
Navigate to the User Define an IPv4 Policy Select Entries dialog.
Select and add the group you created in the previous step (Okta MFA Radius Group).
Click OK to apply and save the settings.

Step 4 – Define Authentication/Portal Mapping

Navigate to VPN > SSL-VPN Settings, and then go to the Authentication/Portal Mapping section,
Create a new or edit an existing mapping, as shown below, to grant access to the Firewall group you just created in the previous step.
Navigate to the User Define an IPv4 Policy Select Entries dialog.
Click Apply to apply and save the settings.

Part 4 – Test your Configuration

There are two tests to verify the Fortinet SSL VPN Appliance is properly configured to work with Okta.

Network Diagram

Test 1 – Test SSL-VPN with Fortinet

Open the Fortinet app and select Remote Access, as shown below.
Enter your Username and a Password.
- The username must be in the format you specified when you added the app in Okta in Part 2, above.
- If configured, you concatenate the Password with a one-time password (OTP) or a keyword; for example Password1,123456, Password1,push, or Password1,sms, as detailed below.
  - 123456 – code from Okta Verify, Google Authenticator, or Yubikey OTP
  - push – trigger push notice to enrolled phone
  - sms – trigger sms to enrolled phone
  - other – any other configuration
Click Connect.
If you receive the Connection Error! screen shown below, check your username and password and try again.
When the challenge screen appears, enter the corresponding number to the appropriate second factor and click Continue, as shown below. Follow the prompts to enter the second factor challenge and then, click OK.

Note: Users are challenged for a second factor to use based on the devices they have enrolled.
After successfully completing the challenge, you are connected and see the screen shown below.

The FortiClient Console displays the connection details, as shown below.

If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

Test 2 –Test the clientless VPN with the Fortinet web portal

Navigate to the Fortinet web portal URL, as shown below.
Enter your Username and a Password.
- The username must be in the format you specified when you added the app in Okta in Part 2, above.
- If configured, you concatenate the Password with a one-time password (OTP) or a keyword; for example Password1,123456, Password1,push, or Password1,sms, as detailed below.
  - 123456 – code from Okta Verify, Google Authenticator, or Yubikey OTP
  - push – trigger push notice to enrolled phone
  - sms – trigger sms to enrolled phone
  - other – any other configuration
Click Connect.
If you receive the Login Failed screen shown below, check your username and password and try again.
When the challenge screen appears, enter the corresponding number to the appropriate second factor, as shown below. Follow the prompts to enter the second factor challenge and then, click Login.

Note: Users are challenged for a second factor to use based on the devices they have enrolled.
After successfully completing the challenge, you are connected and see the screen shown below.

If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

Part 5 – Configure Optional Settings

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

To configure Okta to be able to parse, report on and eventually enforce policy based off of the source client IP Address you need to configure the Fortinet Fortigate (RADIUS) App in Okta as follows:

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console, as shown below.

Client IP: Check Report client IP.
RADIUS End User IP Attributes: 31 Calling-Station-Id

Configure Groups Response

The Fortinet appliance does not receive groups using the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Instead it relies on Vendor Specific Attributes.

To configure the app to send RADIUS Group information in vendor specific attributes:

Note

This is an Early Access feature. To enable it, contact Okta Support.

In Okta, navigate to Applications > Applications.
Open the application by clicking its name.
Tip
You can narrow the set of applications displayed using the Search field.
Select the sign on tab.
Scroll to the Advanced RADIUS Settings section and click Edit.

In the GROUPS RESPONSE section:

Check include groups in RADIUS response.

In the RADIUS attributes sub section, specify the following:

Field	Value	Comment
RADIUS attribute	26-Vendor specific.	Must be 26-Vendor specific
vendor specific ID	Enter one of : Cisco - ASA-Group-Policy (3076) Citrix-Group-Names (3845) Fortinet-Group-Name(12356) PaloAlto-User-Group(25461)	Enter the associated numeric vendor id. For example, for Cisco enter 3076.
Attribute ID	Cisco - ASA-Group-Policy (25) Citrix-Group-Names (16) Fortinet-Group-Name(1) PaloAlto-User-Group(5)	Enter the associated numeric attribute id. For example, for Cisco enter 25.

Field

Value

Comment

RADIUS attribute

26-Vendor specific.

Must be 26-Vendor specific

vendor specific ID

Enter one of :
Cisco - ASA-Group-Policy (3076)

Citrix-Group-Names (3845)

Fortinet-Group-Name(12356)

PaloAlto-User-Group(25461)

Enter the associated numeric vendor id.
For example, for Cisco enter 3076.

Attribute ID

Cisco - ASA-Group-Policy (25)

Citrix-Group-Names (16)

Fortinet-Group-Name(1)

PaloAlto-User-Group(5)

Enter the associated numeric attribute id. For example, for Cisco enter 25.

Important

Vendor specific ID and Attribute ID are string fields.
Admins may use any appropriate value for vendors not listed.

Caution

The maximum group membership value length is 247 bytes. In situations where length of group memberships or where any group names length exceeds the maximum size truncation will occur and partial values returned.
In such situations Okta suggests configuring the response as a set of Repeated Attributes as opposed to a single delimited list.

Click Save.

Troubleshooting

You can use the command line interface (CLI) to debug issues that might occur.

Attempt to Authenticate and Review Messages from the Console

From the CLI console, run the following commands:

# diag debug application fnbamd 7
# diag debug enable

Unsuccessful Results Sample

Bad User or Bad Credentials

[1943] handle_req-Rcvd auth req 1189741811 for baduser in 
       Okta Radius Group opt=00000500 prot=10
[608] fnbamd_pop3_start-baduser
[539] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS 
      server 'Okta RADIUS' for usergroup 
      'Okta Radius Group' (3)
[314] radius_start-Opened radius socket 12
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12,  IP=10.20.251.19 code=1 
       id=135 len=122 user="baduser" using PAP
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[460] create_auth_session-Total 1 server(s) to try
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[2580] fnbamd_auth_handle_radius_result-->Result for 
       radius svr 'Okta RADIUS' 10.20.251.19(0) is 1
[180] fnbamd_comm_send_result-Sending result 1 
       (error 0) for req 1189741811
[602] destroy_auth_session-delete session 1189741811
[1943] handle_req-Rcvd auth req 1189741812 for baduser 
       in Special1 opt=00000500 prot=10
[608] fnbamd_pop3_start-baduser
[304] radius_start-Didn't find radius servers (0)
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[452] create_auth_session-Error starting authentication
[1962] handle_req-Error creating session
[180] fnbamd_comm_send_result-Sending result 3 
      (error 0) for req 1189741812

Successful Results Samples

Good Credentials Entered and Challenge Received

[1943] handle_req-Rcvd auth req 1189741817 for test in Okta Radius Group opt=00000500 prot=10
[608] fnbamd_pop3_start-test
[539] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS 
      server 'Okta RADIUS' for usergroup 
      'Okta Radius Group' (3)
[314] radius_start-Opened radius socket 12
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12, IP=10.20.251.19 code=1 
       id=143 len=119 user="test" using PAP
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[460] create_auth_session-Total 1 server(s) to try
[1626] fnbamd_radius_auth_validate_pkt-RADIUS 
       resp code 11
[2580] fnbamd_auth_handle_radius_result-->Result 
       for radius svr 'Okta RADIUS' 10.20.251.19(0) is 2
[180] fnbamd_comm_send_result-Sending 
      result 2 (error 0) for req 1189741817

Security Question Selected for Challenge Method

[2161] handle_req-Rcvd chal rsp for req 1189741817
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12, IP=10.20.251.19 
       code=1 id=144 len=209 user="test" using PAP
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
[2580] fnbamd_auth_handle_radius_result-->Result for 
       radius svr 'Okta RADIUS' 10.20.251.19(0) is 2
[180] fnbamd_comm_send_result-Sending result 2 
      (error 0) for req 1189741817

Security Question Answered Successfully

[2161] handle_req-Rcvd chal rsp for req 1189741817
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12, IP=10.20.251.19 
       code=1 id=145 len=209 user="test" using PAP
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2580] fnbamd_auth_handle_radius_result-->Result
       for radius svr 'Okta RADIUS' 10.20.251.19(0) is 0
[2611] fnbamd_auth_handle_radius_result-Skipping 
       group matching
[863] find_matched_usr_grps-Skipped group matching
[180] fnbamd_comm_send_result-Sending result 0 
       (error 0) for req 1189741817
[602] destroy_auth_session-delete session 1189741817
[2251] handle_req-Rcvd 7 req
[301] fnbamd_acct_start_START-Error starting acct
[1288] create_acct_session-Error start acct type 7
[2265] handle_req-Error creating acct session 7

Successful Sign Out

[2251] handle_req-Rcvd 8 req
[359] fnbamd_acct_start_STOP-Error starting acct
[1288] create_acct_session-Error start acct type 8
[2265] handle_req-Error creating acct session 8

Additional Resources

Okta Documentation - Configuring Sign On Policies
Fortinet Document Library for FortiGate/FortiOS - https://docs.fortinet.com/fortigate/admin-guides
Fortinet remote group match and troubleshooting - http://kb.fortinet.com/kb/documentLink.do?externalID=FD36464