
HOW TO CONFIGURE OCTOPUS AUTHENTICATOR FOR FORTIGATE SSL VPN

This page shows you how to add multifactor authentication to your FortiGate SSL VPN using the Octopus Authenticator, giving you more control and security over how users log in to your network.

  • Log in to the Octopus Authenticator console
  • Select Services from the left pane
  • Select Add Service
  • Click RADIUS service template

 


Tab 1 – General Information

The following fields and values are displayed:

| Field name | Field value |
|---|---|
| Service name | FortiGate SSL VPN |
| Issuer | Fortinet |
| Description | |
| Service status | Enable |
| Display icon | |

 


Tab 2 – Parameters

The following fields and values are displayed:

| Field name | Field value |
|---|---|
| RADIUS key name | NAS-Identifier or NAS-IP-Address |
| RADIUS key value | <FortiGate NAS Identifier or Server IP Address> |
| Login | Login authentication method for FortiGate VPN |
| + Add additional parameter | Do not add any parameters |

 


Tab 3 – Sign On

The following fields and values are displayed:

| Field name | Field value |
|---|---|
| Multi Factor Authentication (MFA) | Off (default) |
| Sign on Method | RADIUS |
| Secret | <FortiGate SSL VPN Secret Code> |
| Custom message | |

 


Step 4 – Users

To configure the users of the service

  • Select users either from “Local Users” or “LDAP Users” lists
  • You can select either:
    • A group of users to import, by clicking on the dot next to one of the folders
    • An individual user to import, by clicking on the dot next to that user

The corresponding dot will then be colored blue. When you select only some of the users in the group, the dot adjacent to the group will be colored partially.

After you press SAVE SETTINGS, the selected users will be enrolled in the service.

  • Click SAVE SETTINGS

 


FortiGate SSL VPN Server side configuration

 

  • Log in to your FortiGate SSL VPN server console
  • On the FortiGate Administration console select User -> Remote -> RADIUS
  • Click Create New
  • On the New RADIUS server page, set the following parameters:
    • Name: Your Octopus Authenticator Server name
    • Primary Server Name/IP: Your Octopus Authenticator Server name or IP address
    • Primary Server Secret: In the Octopus Authenticator Management console, go to System settings -> Services settings, then show and copy the RADIUS secret value
  • Timeout: The FortiGate server has a default timeout of 5 seconds, which is too short for anything other than a passcode authentication, so other methods will fail. The timeout can be increased from the FortiGate command line interface to resolve the issue. Secret Double Octopus recommends setting the authentication timeout to 60 seconds.
    • SSH to your FortiGate server
    • Type the following command lines:
      • config system global
      • set remoteauthtimeout 60
      • end
  • Click OK to save the settings
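
Added example, not part of the original page and not Octopus or Fortinet code: a Python check to run on a captured RADIUS Access-Request, confirming that it carries the NAS-Identifier or NAS-IP-Address entered in Tab 2 and that its Message-Authenticator verifies under the shared secret. The sample packet, secret and NAS values are constructed, and the check assumes the request includes a Message-Authenticator attribute.

```python
import hashlib, hmac, ipaddress, struct

NAS_IP_ADDRESS, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 4, 32, 80  # RFC 2865/2869 types

def parse_attributes(packet: bytes):
    """Return [(type, value_offset, value)] for a RADIUS packet, rejecting malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def nas_keys(packet: bytes) -> dict:
    """Extract the two attributes the Parameters tab can key the service on."""
    keys = {}
    for a_type, _, value in parse_attributes(packet):
        if a_type == NAS_IDENTIFIER:
            keys["NAS-Identifier"] = value.decode("utf-8", "replace")
        elif a_type == NAS_IP_ADDRESS and len(value) == 4:
            keys["NAS-IP-Address"] = str(ipaddress.IPv4Address(value))
    return keys

def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """HMAC-MD5 over the packet with the attribute value zeroed, keyed by the shared secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    for a_type, off, value in parse_attributes(packet):
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # attribute absent: nothing to verify

def build_sample_request(secret: bytes, nas_id: str, nas_ip: str) -> bytes:
    """Constructed Access-Request (code 1) standing in for what a FortiGate would send."""
    nid = nas_id.encode()
    attrs = bytes([NAS_IDENTIFIER, 2 + len(nid)]) + nid
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder, filled below
    pkt = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

SAMPLE = build_sample_request(b"constructed-secret", "fgt-vpn-01", "192.0.2.1")  # constructed values
```

If the extracted value does not match the RADIUS key value on the service, or the Message-Authenticator fails under the copied secret, the mismatch is in the configuration rather than in the user's authentication.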

 


FortiClient client-side configuration

Prerequisite

  • Download and install the FortiClient client

  • Under Windows Settings, select Network & Internet settings
  • Select VPN
  • Add VPN connection
  • Enter VPN connection configuration:
    • VPN provider
    • VPN connection name
    • VPN Server name or IP
  • Click Save