Log into Centrify cloud tenant with an administrator account. Navigate to Settings > Authentication > RADIUS Connections. Under Clients tab, click Add.

 

 

 

 

 

 

In the RADIUS Client Settings window, enter a name, internal IP address of FortiGate and create a client secret. Save settings.

 

 

 

 

 

 

 

 

 

Navigate to Settings > Network > Centrify Connectors, double click connectors that you would like to accept RADIUS connections for VPN authentication from FortiGate, navigate to RADIUS section and click check box to enable incoming RADIUS connections. Save settings.

 

 

 

 

 

 

 

 

 

 

Navigate to Settings > Authentication > Authentication Profiles. Click Add Profile to create a new profile for VPN MFA.

 

 

 

 

 

 

 

 

 

For challenge 1, select Password. For challenge 2, select what you would like to use for authentication challenge.

 

 

 

 

 

 

 

 

 

 

 

Navigate to Core Services > Policies to modify current policy or add a new one. Under User Security Policies > RADIUS, need to set “Allow RADIUS connections” to Yes and check the box for “Require authentication challenge”, select VPN authentication profile you created earlier.

 

 

 

 

 

 

 

  

 

Now we will go over configuration on the FortiGate firewall. Log into FortiGate with an admin account. Navigate to users and device > RADIUS servers, click create new button to add a new entry.

 

 

 

 

 

 

 

 

 

 

 

Enter name, IP address of server running Centrify Cloud Connector and server secret.

 

 

 

 

 

 

 

 

 

 

Test to verify successful communication, click test connectivity button, enter a valid username and password to run test.

 

 

 

 

 

 

 

 

 

 

You should see successful result if settings are correct and RADIUS communication isn’t blocked. If not, check basic network communications between Centrify server running Cloud Connector and the FortiGate. Verify that firewalls are not blocking port 1812 used for RADIUS connections.

 

 

 

 

 

 

 

 

Next, we will create a RADIUS VPN user group. Navigate to User & Device > User Groups and click Create New. Give it a name and select Centrify RADIUS server under “Remote groups”.

 

 

 

 

 

 

 

 

 

If you don’t already have a client to site IPsec VPN profile setup, navigate to VPN > IPsec Wizard, select Remote Access and complete steps in wizard. Select RADIUS VPN user group when going through steps.

 

 

 

 

 

 

 

 

When a VPN user authenticates using FortiClient, they will be prompted for MFA.

 

 

 

First enter username and password.

 

 

 

 

 

Now prompted for second form of authentication.

 

 

 

 

 

 

 

 

 

On Centrify portal as an admin user, you can view Core Services > Reports > Built in Reports > Security and run the “MFA Events – Last 30 days” to verify and troubleshoot RADIUS authentication.

 

 

 

Added tip 4/5/2018:

 

It's best to match remote authentication timeout on FortiGate with timeout set in RADIUS server settings on Centrify. The default timeout on FortiGate is 5 seconds so we will increase to 60 to match Centrify.

 

Commands to run on FortiGate to accomplish this:

 

#config system global

#set remoteauthtimeout 60

#end