Configure the Fortinet Appliance to Interoperate with Okta via RADIUS

You can extend Adaptive MFA to your Fortinet appliance. This guide details how to configure a Fortinet appliance to use the Okta RADIUS Server AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations..

There are five parts to the configuration. In addition to the required steps, a troubleshooting section and a list of additional resources are also provided.

Closed Part 1 – Preconfiguration: Installing, and configuring the Okta RADIUS Agent.

Configuring a Fortinet appliance to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

  1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
  2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
  3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud tcp/443
http		 Configuration and authentication traffic
Fortinet appliance Okta RADIUS Agent udp/1812 RADIUS (actual port number defined in next step) RADIUS traffic between the firewall (clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. ) and the RADIUSs Agent (server)

 

Closed Part 2 – Use the Okta Admin Console to Configure the Okta RADIUS Agent

In this step, add the Fortinet Fortigate (RADIUS) appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. from the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. and apply settings specific to your deployment. In this section we will configure the following:

  • Authentication configuration

  • UDP Port

  • Secret Key

  • Application Username Format

Note: The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations. For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. information to the firewall.

  1. In Okta, navigate to Applications > Applications> Add Application, search for Fortinet Fortigate (RADIUS), and then click Add Application:

  2. Enter a unique name.

  3. Provide the following Sign On values:

    • Authentication: Retaining this default button allows Okta to perform primary authentication.

    • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

    • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Fortinet Fortigate (RADIUS) app.

    • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

  4. After completing the setup, assign the app to the usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control./groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

Closed Part 3 – Configure Your Fortinet FortiGate SSL VPN to use the Fortinet Fortigate (RADIUS) OIN App

In Part 3 you define a RADIUS Server Profile, define a RADIUS server, define a firewall group, define an IPv4 policy, and define Authentication/Portal mapping. Complete these using the Fortinet web based AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console.

Step 1 –Define a RADIUS Server Profile

  1. Sign in to the Fortinet Admin console for the VPN appliance with sufficient privileges
  2. Navigate to User & Device > RADIUS Servers, and then click Create New to define a new RADIUS server, as shown below.

  3. Enter the following values to create a New RADIUS Server

    Field Value
    Name Unique and appropriate name (Okta MFA RADIUS)
    Primary Server IP / Name IP or Name of Okta RADIUS Server Agent
    Primary Server Secret Secret Key for the Fortinet Fortigate (RADIUS) App defined in Part 2, Step 3, above
    Secondary Server IP / Name Optional
    Secondary Server Secret Optional
    Authentication Method Specify
    Method PAP
    NAS IP Blank
    Include in every User Group unchecked

    Note: FortiGate defaults to using port 1812. To modify this setting, follow command line instructions below.

  4. Click OK to save these settings.

  5. Set the Remote Authentication Timeout

    The default timeout for Fortinet is 5 seconds; however, this timeout is insufficient when using Okta Verify Push. Run following commands from the command line to increase the timeout to 60 seconds. 

    config system global
    set remoteauthtimeout 60
end

  6. [Optional] Change the Standard Port Definition

    To define a UDP Port other than the default (usually 1812), run the following commands from the command line.

    Note: These commands show the full RADIUS definition. MyRadiusSecretKey is the secret key for the Fortinet Fortigate (RADIUS) App defined in Part 2, Step 3, above. The command to define the RADIUS port is highlighted.

    config user radius
   edit "Okta MFA RADIUS"
      set server "10.20.251.19"
	  set secret MyRadiusSecretKey
      set radius-port 1814
      set auth-type pap
   next
end

Step 2 – Define a Firewall Group

  1. Navigate to User & Device > User Groups, and then click Create New to define a new User Group, as shown below.

  2. Enter the following values to create a New RADIUS Server

    Field Value
    Name Unique and appropriate name (Okta MFA Radius Group)
    Type Firewall
    Single Sign-On (RSSO) Members blank
    Remote Groups

    Create New

    Remote Server: Use the name created in Step 1, above (Okta MFA Radius)

    Group Name: Any
  3. Click OK to save these settings.

Step 3 – Define an IPv4 Policy

  1. Navigate to Policy & Objects > IPv4 Policy, and then locate and edit the policy related to your SSL-VPN interface. Edit the Source, as shown below.

  2. Navigate to the User Define an IPv4 Policy Select Entries dialog.

  3. Select and add the group you created in the previous step (Okta MFA Radius Group).

  4. Click OK to apply and save the settings.

Step 4 – Define Authentication/Portal Mapping

  1. Navigate to VPN > SSL-VPN Settings, and then go to the Authentication/Portal Mapping section,
  2. Create a new or edit an existing mapping, as shown below, to grant access to the Firewall group you just created in the previous step.

  3. Navigate to the User Define an IPv4 Policy Select Entries dialog.

  4. Click Apply to apply and save the settings.

Closed Part 4 – Test your Configuration

There are two tests to verify the Fortinet SSL VPN Appliance is properly configured to work with Okta.

Network Diagram

ClosedTest 1 – Test SSL-VPN with Fortinet

  1. Open the Fortinet app and select Remote Access, as shown below.

  2. Enter your Username and a Password.
    • The username must be in the format you specified when you added the app in Okta in Part 2, above.
    • If configured, you concatenate the Password with a one-time password (OTP) or a keyword; for example Password1,123456, Password1,push, or Password1,sms, as detailed below.
      • 123456 – code from Okta Verify, Google Authenticator, or Yubikey OTP
      • push – trigger push notice to enrolled phone
      • sms – trigger sms to enrolled phone
      • other – any other configuration
  3. Click Connect.
  4. If you receive the Connection Error! screen shown below, check your username and password and try again.

  5. When the challenge screen appears, enter the corresponding number to the appropriate second factor and click Continue, as shown below. Follow the prompts to enter the second factor challenge and then, click OK.

    Note: Users are challenged for a second factor to use based on the devices they have enrolled.

  6. After successfully completing the challenge, you are connected and see the screen shown below.

    The FortiClient Console displays the connection details, as shown below.

    If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

ClosedTest 2 –Test the clientless VPN with the Fortinet web portal
  1. Navigate to the Fortinet web portal URL, as shown below.

  2. Enter your Username and a Password.
    • The username must be in the format you specified when you added the app in Okta in Part 2, above.
    • If configured, you concatenate the Password with a one-time password (OTP) or a keyword; for example Password1,123456, Password1,push, or Password1,sms, as detailed below.
      • 123456 – code from Okta Verify, Google Authenticator, or Yubikey OTP
      • push – trigger push notice to enrolled phone
      • sms – trigger sms to enrolled phone
      • other – any other configuration
  3. Click Connect.
  4. If you receive the Login Failed screen shown below, check your username and password and try again.

  5. When the challenge screen appears, enter the corresponding number to the appropriate second factor, as shown below. Follow the prompts to enter the second factor challenge and then, click Login.

    Note: Users are challenged for a second factor to use based on the devices they have enrolled.

  6. After successfully completing the challenge, you are connected and see the screen shown below.

    If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

Closed Part 5 – Configure Optional Settings

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

To configure Okta to be able to parse, report on and eventually enforce policy based off of the source client IP Address you need to configure the Cisco ASA VPN (RADIUS) App in Okta as follows:

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console, as shown below.

  • Client IP: Check Report client IP.
  • RADIUS End User IP Attributes: 31 Calling-Station-Id

Configure Groups Response

The Fortinet appliance does not receive groups using the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Instead, it relies on a Vendor Specific Attributes that are not currently supported by Okta.

For additional information on leveraging functionality from Vendor Specific Attributes that are not supported natively in Okta, please contact your Okta Customer Support Manager or Account Representative.

 

ClosedTroubleshooting

You can use the command line interface (CLI) to debug issues that might occur.

ClosedAttempt to Authenticate and Review Messages from the Console

From the CLI console, run the following commands:

# diag debug application fnbamd 7
# diag debug enable

Unsuccessful Results Sample

Bad User or Bad Credentials

[1943] handle_req-Rcvd auth req 1189741811 for baduser in 
       Okta Radius Group opt=00000500 prot=10
[608] fnbamd_pop3_start-baduser
[539] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS 
      server 'Okta RADIUS' for usergroup 
      'Okta Radius Group' (3)
[314] radius_start-Opened radius socket 12
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12,  IP=10.20.251.19 code=1 
       id=135 len=122 user="baduser" using PAP
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[460] create_auth_session-Total 1 server(s) to try
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[2580] fnbamd_auth_handle_radius_result-->Result for 
       radius svr 'Okta RADIUS' 10.20.251.19(0) is 1
[180] fnbamd_comm_send_result-Sending result 1 
       (error 0) for req 1189741811
[602] destroy_auth_session-delete session 1189741811
[1943] handle_req-Rcvd auth req 1189741812 for baduser 
       in Special1 opt=00000500 prot=10
[608] fnbamd_pop3_start-baduser
[304] radius_start-Didn't find radius servers (0)
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[452] create_auth_session-Error starting authentication
[1962] handle_req-Error creating session
[180] fnbamd_comm_send_result-Sending result 3 
      (error 0) for req 1189741812

Successful Results Samples

Good Credentials Entered and Challenge Received

[1943] handle_req-Rcvd auth req 1189741817 for test in Okta Radius Group opt=00000500 prot=10
[608] fnbamd_pop3_start-test
[539] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS 
      server 'Okta RADIUS' for usergroup 
      'Okta Radius Group' (3)
[314] radius_start-Opened radius socket 12
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12, IP=10.20.251.19 code=1 
       id=143 len=119 user="test" using PAP
[682] auth_tac_plus_start-Didn't find tac_plus servers (0)
[402] ldap_start-Didn't find ldap servers (0)
[460] create_auth_session-Total 1 server(s) to try
[1626] fnbamd_radius_auth_validate_pkt-RADIUS 
       resp code 11
[2580] fnbamd_auth_handle_radius_result-->Result 
       for radius svr 'Okta RADIUS' 10.20.251.19(0) is 2
[180] fnbamd_comm_send_result-Sending 
      result 2 (error 0) for req 1189741817

Security Question Selected for Challenge Method

[2161] handle_req-Rcvd chal rsp for req 1189741817
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12, IP=10.20.251.19 
       code=1 id=144 len=209 user="test" using PAP
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 11
[2580] fnbamd_auth_handle_radius_result-->Result for 
       radius svr 'Okta RADIUS' 10.20.251.19(0) is 2
[180] fnbamd_comm_send_result-Sending result 2 
      (error 0) for req 1189741817

Security Question Answered Successfully

[2161] handle_req-Rcvd chal rsp for req 1189741817
[1203] fnbamd_radius_auth_send-Compose RADIUS request
[1427] fnbamd_radius_auth_send-Sent radius req to server 
       'Okta RADIUS': fd=12, IP=10.20.251.19 
       code=1 id=145 len=209 user="test" using PAP
[1626] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[2580] fnbamd_auth_handle_radius_result-->Result
       for radius svr 'Okta RADIUS' 10.20.251.19(0) is 0
[2611] fnbamd_auth_handle_radius_result-Skipping 
       group matching
[863] find_matched_usr_grps-Skipped group matching
[180] fnbamd_comm_send_result-Sending result 0 
       (error 0) for req 1189741817
[602] destroy_auth_session-delete session 1189741817
[2251] handle_req-Rcvd 7 req
[301] fnbamd_acct_start_START-Error starting acct
[1288] create_acct_session-Error start acct type 7
[2265] handle_req-Error creating acct session 7

Successful Sign Out

[2251] handle_req-Rcvd 8 req
[359] fnbamd_acct_start_STOP-Error starting acct
[1288] create_acct_session-Error start acct type 8
[2265] handle_req-Error creating acct session 8
ClosedCapture Packets

From the CLI Console, run the following command:

# diag sniffer packet any 'port 1812' 6 0 a

Substitute the port used with the UDP Port configured in your environment.

Unsuccessful Results Sample

Bad User or Bad Credentials

Successful Results Samples

Good Credentials Entered and Challenge Received

Security Question Selected for Challenge Method

Security Question Answered Successfully

 

Closed Additional Resources
Top

© Copyright 2018 Okta, Inc