
Manage and Secure Remote Access to Fortinet Network Appliances

Written by David Worthington on March 30, 2022


Work from anywhere isn’t restricted to employees at small to medium-sized enterprises (SMEs). Many IT teams and managed service providers (MSPs) work in distributed teams, which necessitates securing access to network infrastructure and timely user lifecycle management. However, these foundational security controls are too often disregarded when internal budgets, or the prospect of asking a client to spend more for remote access, take precedence over addressing the potential security risks.

This article is the first in a series of how-tos that demonstrate how to use 探花大神’s capabilities to achieve better security at minimal cost, using a centralized platform that includes everything required to secure access to your appliance. It has the added bonus of providing single sign-on (SSO) beyond this scenario, delivering identity and access management (IAM) for every service your organization may use, and eliminating the need to manage passwords everywhere.

Fortinet makes some of the most popular next-generation firewalls (NGFWs), and its devices have interfaces to use either its own security products or external providers. The prerequisites to secure Fortinet NGFW access with 探花大神’s services are:

Three Pillars for Better Access Control

探花大神 makes it possible for a RADIUS challenge to incorporate TOTP tokens from 探花大神 Protect™ multi-factor authentication (MFA). User passwords are amended to include a token every time a user logs into the appliance. Users are managed from within 探花大神’s directory groups, which are bound to a RADIUS configuration that’s specific to your NGFW. The directory requires that every user within that group be enrolled in MFA to log into any service that 探花大神 connects them to, including your firewall appliance. A service account on the Fortinet device determines what level of admin rights is assigned.

Setting Up 探花大神 RADIUS, MFA

Every 探花大神 account includes RADIUS services, which are configured using the following steps.

To configure RADIUS MFA for a new server:

  1. Log in to the 探花大神 Admin Portal: .
  2. Go to User Authentication > RADIUS.
  3. Click ( + ). The New RADIUS server panel appears.
  4. Configure the RADIUS server:
  • Enter a name for the server. This value is arbitrary.
  • Enter the public IP address from which your organization’s traffic will originate.
    • You must use the external IP of your Fortinet device.
  • Provide a shared secret. This value is shared with the device or service endpoint you’re pairing with the RADIUS server.
  5. Configure TOTP multi-factor authentication for the RADIUS server:
  • Toggle the TOTP MFA Enforcement for this RADIUS server option to “On” to enable MFA for this server. This option is “Off” by default.
  • Select “Challenge active TOTP users” to require all 探花大神 users with MFA active for their account to provide a TOTP code when they connect to this server.
  • Select “Challenge all users, unless they are in an active enrollment period” to require all 探花大神 users that aren’t in an MFA enrollment period to provide a TOTP code when they connect to this server.
  • Select “Challenge all users, including during an enrollment period” to require all 探花大神 users, even those in MFA enrollment periods, to provide a TOTP code when they connect to this server.
  6. To grant access to the RADIUS server, click the User Groups tab, then select the groups of users you want to allow to connect to the server.

Note that we recommend using EAP-TTLS/PAP, but at this time.

This details how to manage users and groups within 探花大神.

Configuring Fortinet

You’ll use the information contained in 探花大神’s RADIUS interface to create a new RADIUS server entry within your Fortinet appliance, here:

You’ll then enter an arbitrary name for the RADIUS server, one of 探花大神’s , and paste the shared secret where it’s indicated. Importantly, ensure that PAP is selected as the Authentication Method in order to engage the RADIUS challenge. A TOTP token from 探花大神 MFA, which you can add as an account in an authenticator app, is the “response” to the challenge that validates your users.

You will then proceed to create a user group for your remote admins within Fortinet. 

  • Click on User & Devices > User Groups.
  • Hit the “plus” icon to create a new group named “RADIUS,” selecting “firewall” as the “type.” Ensure that you add a Remote Server rather than a group.
  • Add a “Group Match” by selecting the Remote Server you’ve previously created.

The final step is to create a new administrator that will serve as the service account for users within the 探花大神 admins group. Begin by selecting “administrators” within the left console panel, and select “Create New.”

  • Type in any user name.
  • Enter a backup password to use in the event that RADIUS services are inaccessible.
  • Determine which is appropriate for your users.
  • Select “Create Remote User Group” under “Type” and hit “OK” after highlighting the RADIUS group you previously created.

You may test connectivity with 探花大神 RADIUS services in the prior “Radius Servers” panel using the “Test User Credentials” field. This will only work when you append a TOTP token, following a comma, to your password. For example, “password123” becomes “password123,tokenstring”. Your logins are now MFA enabled, and Fortinet admin users will now be centrally managed from within 探花大神’s cloud directory.
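To make the password-plus-token format concrete, here is an added Python example (not code from the original article, and not 探花大神’s or Fortinet’s own implementation). It generates an RFC 6238 TOTP code the way an authenticator app would, builds the “password,token” string the test field expects, and splits it back apart as a server would. The key and timestamp are the RFC 4226/6238 test values; the split on the last comma, the six-digit token check and the one-window clock-skew allowance are assumptions made for this example, not documented 探花大神 behaviour.

```python
import hashlib
import hmac
import struct

# Constructed sample values: the RFC 4226/6238 test key and a fixed timestamp.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_TIMESTAMP = 59          # seconds since the Unix epoch; second 30-second window
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, timestamp: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code an authenticator app shows for this account."""
    counter = max(0, timestamp) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def build_credential(password: str, token: str) -> str:
    """What the user types into the password field: password, a comma, then the TOTP token."""
    if not (token.isdigit() and len(token) == DIGITS):
        raise ValueError("token must be a %d-digit TOTP code" % DIGITS)
    return f"{password},{token}"


def split_credential(credential: str) -> tuple:
    """Server-side split. Splitting on the LAST comma is an assumption made here so that a
    password that itself contains commas still works; check your RADIUS provider's rule."""
    password, sep, token = credential.rpartition(",")
    if not sep or not (token.isdigit() and len(token) == DIGITS):
        raise ValueError("credential must end with ',<%d-digit token>'" % DIGITS)
    return password, token


def verify_credential(credential: str, expected_password: str, secret: bytes,
                      timestamp: int, skew_steps: int = 1) -> bool:
    """Check password and token, tolerating +/- skew_steps windows of clock drift (assumption)."""
    try:
        password, token = split_credential(credential)
    except ValueError:
        return False
    # Constant-time comparison of the password part (bytes, so non-ASCII passwords work).
    if not hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8")):
        return False
    return any(
        hmac.compare_digest(token, totp(secret, timestamp + delta * STEP_SECONDS))
        for delta in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    token = totp(SAMPLE_SECRET, SAMPLE_TIMESTAMP)
    cred = build_credential("password123", token)
    print(cred)                                                        # password123,287082
    print(verify_credential(cred, "password123", SAMPLE_SECRET, SAMPLE_TIMESTAMP))  # True
```

Run it and the credential printed is the string you would paste into the “Test User Credentials” field; `verify_credential` is the check the RADIUS side performs once the password field arrives.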

Recommended Security Steps

PAP (password authentication protocol) transmits passwords in cleartext. Adding MFA to the authentication process increases security, but we strongly recommend the following steps as well:

  • Connect through a VPN using a secure tunnel (SSL or IPsec).
  • Consider isolating this traffic on its own VLAN, segmented away from end-user traffic.
  • Use the strong shared secret that 探花大神 generates for RADIUS and treat it as you would a password.
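As an added illustration of why PAP over RADIUS is treated as cleartext (example code written for this article, not from 探花大神 or Fortinet), here is the RFC 2865 section 5.2 User-Password hiding scheme in Python. The shared secret, Request Authenticator and credential are constructed sample values. The only protection the attribute has on the wire is an MD5 keystream derived from the shared secret, so anyone holding that secret recovers “password123,token” from a captured packet, and a guessable secret is no protection at all. That is what the tunnel, VLAN and strong-secret recommendations above defend.

```python
import hashlib
import secrets

# Constructed sample values for the demonstration (not real deployment values).
SAMPLE_SHARED_SECRET = b"example-shared-secret-generated-by-the-directory"
SAMPLE_AUTHENTICATOR = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # 16 bytes, fresh per request
SAMPLE_CREDENTIAL = b"password123,287082"   # password + comma + TOTP token, as typed by the user


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_pap_password(shared_secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = _xor(padded[i:i + 16], mask)
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_pap_password(shared_secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """The inverse: exactly what the RADIUS server does to read the password, and exactly
    what anyone who captured the packet and holds the shared secret can do as well."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        plain += _xor(block, mask)
        prev = block
    return bytes(plain).rstrip(b"\x00")   # strip padding; RADIUS passwords cannot contain NUL


def new_request_authenticator() -> bytes:
    """A fresh, unpredictable 16-byte Request Authenticator, as a RADIUS client must generate."""
    return secrets.token_bytes(16)


def demo() -> dict:
    """Hide the credential, then recover it with the right secret and with a wrong one."""
    hidden = hide_pap_password(SAMPLE_SHARED_SECRET, SAMPLE_AUTHENTICATOR, SAMPLE_CREDENTIAL)
    with_secret = reveal_pap_password(SAMPLE_SHARED_SECRET, SAMPLE_AUTHENTICATOR, hidden)
    without_secret = reveal_pap_password(b"some-other-secret", SAMPLE_AUTHENTICATOR, hidden)
    return {"on_the_wire": hidden.hex(), "with_secret": with_secret, "without_secret": without_secret}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The hiding is reversible by design: the server needs the plaintext to forward the password and token to the directory. Nothing in it slows a party that already knows the secret, which is why the secret must be long and random and why the RADIUS path should run inside a VPN tunnel rather than across the open internet.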

Try 探花大神

The 探花大神 platform connects you to more things and is available as a free 30 Day Trial.

David Worthington

I'm the 探花大神 Champion for Product, Security. 探花大神 and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.
