Set up Nexus OTP as 2FA for Fortinet Firewall
This article describes how to enable Nexus OTP in Smart ID Digital Access component as two-factor authentication method for Fortinet Firewall, to replace static passwords.
Nexus OTP can be either Nexus TruID Synchronized or Smart ID Mobile App OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator.
With the setup described in this article, Digital Access functions as a RADIUS server and Fortinet Firewall as a RADIUS client. Nexus TruID is used as an example below and is available for iOS, Android, and Windows.
Network schematic with Nexus TruID Synchronized as an example.
- The end user starts the TruID client and enters the PIN in TruID to generate an OTP.
- Fortinet Firewall request the end user to enter username, password and OTP.
- The end user enters username, domain password and OTP.
- The domain credentials are validated by the Active Directory.
- The OTP authentication request is relayed to Digital Access Authentication Server via RADIUS.
- The authentication server validates the OTP with the associated TruID token and PIN from the user database.
- Upon successful validation, the authentication server responds with successful authentication to Fortinet Firewall.
Fortinet Firewall provides access to the end user.
Make settings in Digital Access
In step 3, enter the IP Address of the RADIUS Client (Fortinet Firewall) and the Shared Secret Key.
In Digital Access Admin, go to Manage System.
Click RADIUS Configuration > Add RADIUS Client...
Enter General Settings and Attributes. Click the ?-sign for help.
Click Save.
Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.
- In step 3, select Nexus Synchronized as method.
- When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.
To add a new authentication method:
- In Digital Access Admin, go to Manage System.
- Click Authentication Methods.
Click Add authentication method..., select the desired method and click Next.
- Enter Display Name, a unique name used in the system to identify the authentication method.
- Select if the method shall be enabled and if it shall be visible in authentication menu.
- Register Authentication Methods Server when applicable.
- Make other configurations as needed for the selected authentication method. For more information , click the ?-sign. Click Next.
- If needed, make settings in RADIUS Replies and Extended Properties.
- Click Next and Finish.
- Click Publish.
Make settings in Fortinet Firewall
Log in to the Fortinet Firewall administrative console.
Expand the User & Device section.
Expand Authentication and select RADIUS Server.
Click Create New to create a new profile.
Enter the RADIUS server details and click OK.
If required, can change the default RADIUS port via the command line.
CODE> config user radius > edit portwise > set radius-port 18124 > endCreate a user and assign the RADIUS authentication.
Examples: Log in to Fortinet Firewall
The following examples show how an end user logs in, using Nexus TruID synchronized and Nexus Mobile Text. Other Nexus OTP methods can be used in a similar way.
On a workstation with FortiClient VPN client installed, launch the application and enter the IP address or DNS name of the Fortinet Firewall.
- Click Apply.
Start Nexus TruID that is installed on your laptop or smartphone - Enter PIN to Generate an OTP.
Select the Connection Profile, enter your Nexus user name, OTP and click Connect.
On a workstation with FortiClient VPN client installed, launch the application and enter the IP address or DNS name of the Fortinet Firewall.
- Click Apply.
Select the Connection Profile, enter your AD credentials and click Connect.
FortiClient will prompt for OTP.
Check your registered mobile or email to get your OTP and enter the OTP in the FortiClient.
