How to Add WiKID two-factor authentication to a Fortinet VPN

More and more small companies are required to use two-factor authentication for remote access to corporate assets. A Fortinet VPN appliance combined with two-factor authentication from WiKID secures your perimeters in a very cost-effective manner. This document details how to configure a Fortigate VPN to pass authentication requests to the WiKID server. As always, if this is a new Fortigate setup, test logging in without a WiKID one-time password before adding in two-factor authentication. It will make troubleshooting easier.

• First, on the Fortigate VPN configure the RADIUS server settings:
• Log in to the Fortigate admin interface.
• Go to VPN window and go User > RADIUS.
• Enter a name for the WiKID Server. Any name will do.
• Enter the IP address of the WiKID server.
• Enter the shared secret that will be used on the WiKID server.
• Click OK to update the configuration.

• Create a local user in the Fortigate:
• Go to User > Local > Create New
• Enter a username that is valid in the WiKID server.
• Select Radius and then the WiKID server as the authentication server.

• Now, enable RADIUS authentication with a Group on the Fortinet server.
• On the FortiGate VPN Web-based manager, go to User > User Group > Create New
• Enter a Group name. Any name will do.
• Add the user just create to the new Group.

• Now, we'll add the second factor: WiKID.
• Log into the WiKID server and click on the Domains Tab
• Click on Create a New Domain
• Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is 216.239.51.99, the WiKID server code would be 216239051099. Click "Create". N.B.: If you enter the URL for the Fortinet VPN in the "Registered URL:", the domain will support mutual authentication
• Click Network Clients tab and on "Create a new Network Client".
• Enter the information requested. For the IP Address, use the IP address of your Fortinet VPN appliance. Select Radius and the domain you just created. Click "Add" when you're finished.
• On the next page, enter the shared secret you entered on the Fortinet server. You do not have to enter any information under "Return Attributes".
• Important: From the WiKID terminal or via SSH, you will need to run "stop" and then "start" to load the new configuration into the WiKID Radius server.

 

That should be it for setting up the Fortinet for two-factor authentication. Now, let's test the system by setting up user manually:

• starting the WiKID token client
• Select "New Domain" and enter the 12 digit domain identifier you set up on the WiKID server.
• Enter your desired PIN. You will get a registration code back from the WiKID server.
• Login to the WiKID Admin server again and click on the Users tab, then "Manually Validate a User"
• Click on your registration code (it should be the only one) and enter your desired username - it should be a username created in the Fortinet server.
• Your username is now valid. Now start up Fortinet VPN client or browser and try to login with a WiKID one-time password.

If it doesn't work, check the WiKID server logs. When a one-time password is requested, you will see "Passcode Request Successful" in the logs. After that you should see "Successful Online Passcode Validation". If you don't see anything after the "Passcode Request Successful", then the OTP validation is not getting to the WiKID server from the SonicWall. Be sure to run "stop"/"start" on the WiKID server.

The WiKID Strong Authentication System is a very reasonably priced two-factor authentication solution. We invite you to learn more about our technology and architecture and to download and test the Enterprise version.

Fortinet and Fortigate (tm) are trademarks of Fortinet Inc. WiKID(tm) is a trademark of WiKID Systems, Inc.