Configuring a RADIUS Connection from FortiAuthenticator to FortiGate for 2FA Authentication

Preface

This document outlines the steps to configure a RADIUS connection between FortiAuthenticator and FortiGate for enabling two-factor authentication (2FA) within our network infrastructure. Implementing 2FA enhances security by requiring a second verification factor, significantly reducing unauthorized access risks. This guide is intended for network administrators responsible for managing FortiGate firewalls and FortiAuthenticator systems. It assumes familiarity with basic RADIUS concepts, FortiGate, and FortiAuthenticator configuration.

By following this documentation, you will ensure secure user authentication while streamlining the process of integrating 2FA into your FortiGate environment using FortiAuthenticator.

Prerequisite

  • Administrative access to the FortiGate;
  • Administrative access to the FortiAuthenticator.

Assumption

  • At least one user (local or remote) already exists in the FortiAuthenticator and can be used to test the connection.

Procedure

Configure RADIUS Client in FortiAuthenticator

  1. Open the Authentication > RADIUS Service > Clients menu;
  2. Select the + Create New button;
  3. In the Create New Authentication Client window that opens:
    1. In Name, enter a descriptive name for the client;
    2. In Client address, select IP/FQDN, and then enter the IP address of the FortiGate;
    3. In Secret, enter your desired shared secret. Note this secret carefully, because you will have to enter the same value on the FortiGate;
    4. Enable Accept RADIUS accounting messages for usage enforcement;
    5. Enable Support RADIUS Disconnect messages;
    6. Select Save.
  4. Create a policy for the client by going to the Authentication > RADIUS Service > Policies menu;
  5. Select + Create New;
  6. In the window that opens, go through the policy wizard:
    1. In the RADIUS clients part, enter a descriptive Policy name, and then choose the RADIUS client you just created. Click Next;
    2. In RADIUS attribute criteria, enable RADIUS authentication request must contain specific attributes only if you need it; otherwise keep it disabled. Click Next;
    3. In the Authentication Type part, select the authentication mode you need (normally Password/OTP authentication with everything under it enabled), then click Next;
    4. In the Identity sources part, keep the Eduroam option disabled. Select username@realm as the username format, and then in Realms select the realms of the users;
    5. In the Authentication factors part, select the configuration as needed, and then click Next;
    6. In the final overview part, RADIUS response, click Save and exit.

At this point, the configuration on FortiAuthenticator part should be enough.

Configure RADIUS Connection on Fortigate

  1. In the FortiGate, open the User & Authentication > RADIUS Servers menu;
  2. Select the + Create New button;
  3. In Name, enter a descriptive name for the RADIUS server;
  4. In Authentication method, keep Default unless you need another method;
  5. In the Primary Server part, for IP/Name, enter the IP address or hostname of the FortiAuthenticator, and in Secret enter the shared secret you set earlier in the FortiAuthenticator;
  6. Select Test Connectivity to check that the FortiGate can reach the FortiAuthenticator. If it fails, make sure you can ping the FortiAuthenticator from the FortiGate and reach its RADIUS ports (usually UDP 1812 and 1813);
  7. Select Test User Credentials to verify that the FortiGate can authenticate a user against the FortiAuthenticator. If it fails, check the client and policy configuration in the FortiAuthenticator again.
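The Test User Credentials check above is a plain RFC 2865 Access-Request / Access-Accept exchange, and the reason the shared secret has to match exactly on both boxes is visible in the packet format: the secret is the only thing hiding the PAP password on the wire, and it is also what the server uses to sign its reply. The following script is an added example written for this post (it is not code from Fortinet, FortiAuthenticator or FortiGate) that builds the exchange by hand and runs both sides offline; the user name, password, secret and the 192.0.2.1 NAS address are constructed test values. It shows the three outcomes an administrator sees: accept, reject (wrong password or unknown user), and a reply whose Response Authenticator does not verify, which is what a mistyped secret produces.

```python
"""Hand-built RFC 2865 RADIUS PAP exchange (added example, not vendor code).

Models what a NAS such as a FortiGate does when it tests user credentials
against a RADIUS server such as FortiAuthenticator. All values are constructed.
"""
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as in RFC 2865 section 5.2: pad to 16-byte blocks and
    XOR each block with MD5(secret + previous block), seeded by the Request
    Authenticator. Only the shared secret protects the password on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password; this is what the RADIUS server computes."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Split the attribute area into {type: value}, rejecting malformed lengths."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[kind] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(username, password, secret, ident, nas_ip, authenticator=None):
    """The packet the NAS sends; returns it with the Request Authenticator used."""
    authenticator = authenticator or os.urandom(16)  # fresh random value per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal server logic: recover the password with its own copy of the
    secret, decide, and sign the reply with a Response Authenticator."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = decode_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    # this reply carries no attributes, so that field is empty.
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> str:
    """Client-side check of the Response Authenticator. A mismatch means the
    reply was not produced with our secret (misconfiguration or tampering)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")


def check_user_credentials(username, password, client_secret, server_secret, users):
    """Run the whole exchange offline; returns accept, reject or invalid."""
    request, req_auth = build_access_request(username, password, client_secret, 7, "192.0.2.1")
    response = server_respond(request, server_secret, users)
    return verify_response(response, req_auth, client_secret)


if __name__ == "__main__":
    users = {"alice": b"Correct-Horse-7"}          # constructed test account
    secret = b"constructed-shared-secret"          # constructed shared secret
    print(check_user_credentials("alice", "Correct-Horse-7", secret, secret, users))   # accept
    print(check_user_credentials("alice", "wrong-pw", secret, secret, users))          # reject
    print(check_user_credentials("alice", "Correct-Horse-7", secret, b"typo", users))  # invalid
```

Two practical points follow from the code. First, a secret mismatch does not surface as a clean reject: the server decrypts the password to garbage and rejects it, and the FortiGate then cannot verify the reply, so a Test User Credentials failure after a successful Test Connectivity is a strong hint to re-check the secret before anything else. Second, the only protection for the password is MD5 keyed with the secret, which is why the secret should be long and random and why the RADIUS ports in step 6 should be reachable from the FortiGate's address only.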

Conclusion

Successfully configuring the RADIUS connection between FortiAuthenticator and FortiGate ensures seamless two-factor authentication (2FA) for enhanced security. By integrating these systems, we strengthen user authentication processes while maintaining ease of access. Regular testing and monitoring of this configuration are crucial to ensure ongoing reliability and protection of our network infrastructure.

For setting up the users and the firewall policy, see this post: Configuring SSL-VPN Access with 2FA on FortiGate with FortiAuthenticator.
