Use JumpCloud RADIUS for FortiGate Group Authentication

JumpCloud delivers single sign-on (SSO) to everything, including RADIUS authentication and authorization for network devices. Multi-factor authentication (MFA) is environment wide, delivering Push MFA for RADIUS. RADIUS is a core network protocol that’s widely used for Wi-Fi authentication, and it provides authentication, authorization, and accounting (AAA). 

JumpCloud Cloud RADIUS simplifies and secures privileged administrative access for network admins. It’s also an option to configure access to LANs for all of your SSL VPN users. JumpCloud eliminates the need to use Fortinet’s FortiTokens for MFA.

This two-part blog series explores two use cases with FortiGate next-generation firewall:

  • Option 1: Use existing local FortiGate groups that contain FortiGate remote users. This approach is ideal for existing appliances that already have settings and users.
  • Option 2: Use remote groups (JumpCloud) and attribute mapping to set up access control on a new Fortinet device. This approach spares admins the work of having to establish local groups using ACLs on the Fortinet appliance.

This article focuses on Option 1.

We’ll demonstrate how to bind the local user to the JumpCloud RADIUS server that is configured inside your FortiGate so that JumpCloud becomes the authentication authority without changing anything in the way the appliance is configured for network posture. 

Note: It’s also possible to accomplish this using a different brand of network appliance.

Configuring JumpCloud RADIUS and Groups

Follow this guide to get started with JumpCloud groups. You may also refer back to this previous tutorial on how to configure SAML access for Fortinet devices if it better suits your requirements. However, RADIUS has the advantage of also mapping groups and authorizations/permissions.

Establishing Groups and MFA

You may have MFA required for individual users or leverage groups with conditional access. Skip this step if you’ve already configured your access control policies.

To require MFA factors for the User Portal on an individual user account:

  1. Edit a user or create a new user in the Admin Portal. See Getting Started: Users.
  2. In the User Security Settings and Permissions section, select the Require Multi-Factor Authentication for User Portal option. Note: The enrollment period only affects TOTP MFA. See Considerations.
  3. Click save user.

To require MFA factors for the User Portal on existing users from the more actions menu:

  1. Select any users you want to require MFA for.
  2. Click more actions, then select Require MFA on User Portal.
  3. Specify the number of days the user has to enroll in MFA before they are required to have MFA at login. You can specify a number of days between 1 and 365. The default value is 7 days.
  4. Click require to add this requirement to the selected users.

To require MFA factors with a Conditional Access Policy: 

  1. Log in to the Admin Portal: https://console.jumpcloud.com/
  2. Go to SECURITY MANAGEMENT > Conditional Policies. 
  3. Click (+). 
  4. Enter a unique Policy Name.
  5. Optionally, enter a description for the policy.
  6. If you don’t want the policy to take effect right away, toggle the Policy Status to OFF and finish the rest of the configuration. When you’re ready to apply the policy, you can toggle the Policy Status to ON. 
  7. For users, choose one of the following options:
    • Select All Users if you want the policy to apply to all users. 
    • Select Selected User Groups if you want the policy to apply to specific user groups, then search for those user groups and select them. If you need to create user groups, see Getting Started: Groups
    • If there are User Groups you want to exclude from the policy, search for the user groups and select them in the search bar under Excluded User Groups.
  8. Optionally, set the conditions a user needs to meet. Note: Conditions is a premium feature available in the Platform Plus plan. Learn more about conditions in Getting Started: Conditional Access Policies
  9. In Action, select Allow authentication into selected resources, then select the Require MFA option. 
  10. Click create policy. 

Two JumpCloud groups were created for the purpose of this tutorial:

  • RADIUS-FortiGate_VPN_Users
  • RADIUS-FortiGate_Admins

Setting Up RADIUS

Create a RADIUS server in JumpCloud:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to RADIUS.
  3. Click (+). The new RADIUS server panel appears.
  4. Configure the RADIUS server:
    • Enter a name for the server. This value is arbitrary.
    • Enter a public IP address from which your organization’s traffic will originate.
    • Provide a shared secret. This value is shared with the device or service endpoint you’re pairing with the RADIUS server.
  5. Select an identity provider.

Now select an authentication method:

  • To use certificate authentication, select Passwordless.
    • Once Passwordless has been selected, the Save button will be disabled until a certificate has been successfully uploaded (or the authentication method has been changed back to Password).
  • If desired, select Allow password authentication as an alternative method.
    • If this checkbox is selected, admins can enable certificates for some users while allowing others to continue validating by username and password. Users will continue to have the option to validate by username and password, but once they choose to validate with certificates and a valid certificate is found, the password option will no longer be presented.
    • The MFA Configuration section will be available if using JumpCloud as the identity provider, and Passwordless is selected as the Authentication Method, and the Allow password authentication as an alternative method checkbox is selected.
  • Configuring multi-factor authentication (MFA).
    • Toggle the MFA Requirement option to “enabled” for this server. This option is disabled by default.
    • Select Require MFA on all users or Only require MFA on users enrolled in MFA.
      • If selecting Require MFA on all users, a sub-bullet allows for excluding users in a TOTP enrollment period, but this does not apply to JumpCloud Protect™ (users in a TOTP enrollment period who are successfully enrolled in Protect will still be required to complete MFA).
      • If JumpCloud Protect is not yet enabled, users can select the Enable Now link.
  • Uploading a Certificate Authority (CA).
    • To upload your certificate, click on the Choose a File button, navigate to the file location, and select it for uploading.
    • Once the file has uploaded successfully the file name will display on the screen and options will change to replacing or deleting the file. There is also an option to view the full CA chain.
    • Clicking Save will return the user to the main RADIUS screen, where the Certificate badge will display in the Primary Authentication column.
      Note: For more information about where and how to find trusted certificates outside of JumpCloud, see RADIUS-CBA Tools for BYO Certificates.

Select Users for Access to the RADIUS Server (User Groups tab):

  • To grant access to the RADIUS server, click the User Groups tab then select the appropriate groups of users you want to connect to the server.
    • Every user who is active in that group will be granted access.
  • Click save.

Note: Users who are being granted access to a RADIUS server and leveraging delegated authentication (with Azure AD as their identity provider) must be imported into JumpCloud and assigned to a User Group.

FortiGate Settings

Follow these instructions to configure the RADIUS server(s) in your FortiGate appliance. Next, we’ll make it possible for your existing users to use JumpCloud’s identity and access management (IAM).

Local Groups with Remote Users

You may enter more than one JumpCloud RADIUS server IP for redundancy. The next section uses the FortiGate command line interface (CLI) to convert your existing local users into RADIUS users. Then, you’ll match the usernames with the respective JumpCloud usernames. Significantly, there will be no changes made from an access control list (ACL) perspective. Yet, you’ll increase your network security and easily meet compliance requirements. The steps are simple, and will spare a small and medium-sized enterprise (SME) the time and expense of allocating/billing blocks of hours with a network technician or MSP partner.

Converting Local Users Into RADIUS Users

The first step is to launch your CLI to convert users that already exist in FortiGate. 

Screenshot: an existing user and user group

This may be scripted to streamline the process for a group of users. The steps include:

# config user local
(local) # edit "USER NAME"
(USER NAME) # show
(USER NAME) # set type radius
(USER NAME) # set radius-server "YOUR SERVER"
(USER NAME) # end


Checking Your Work

You may verify these settings by entering:

# config user local
(local) # edit "USER NAME"
(USER NAME) # show
(USER NAME) # end

Screenshot: the local user now refers to the remote RADIUS user for authentication

Ensure that the user is a member of the corresponding RADIUS group in JumpCloud with the exact same user name as on your appliance. JumpCloud now controls authentication, including enabling MFA without having to engage with FortiTokens or a third-party MFA solution.
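The page notes that the conversion can be scripted for a group of users and that each username must match the JumpCloud group member exactly. The following added example (not JumpCloud's or Fortinet's own tooling) generates the FortiOS CLI batch for exactly-matching users and reports the rest; the server object name RADIUS_SERVER and the two user lists are constructed assumptions.

```python
"""Generate a FortiOS CLI batch that converts existing local users to RADIUS users.

Added example, not JumpCloud's or Fortinet's own code. Assumes the RADIUS server
object already exists on the FortiGate under the name in RADIUS_SERVER and that the
JumpCloud group membership was exported by the admin into JUMPCLOUD_GROUP_MEMBERS.
"""

RADIUS_SERVER = "JumpCloud-RADIUS"  # assumed name of the FortiGate RADIUS server object

# Constructed sample data: local users on the appliance and the members of the
# JumpCloud group RADIUS-FortiGate_VPN_Users, spelled as JumpCloud knows them.
FORTIGATE_LOCAL_USERS = ["alice", "bob", "Carol", "dave"]
JUMPCLOUD_GROUP_MEMBERS = ["alice", "bob", "carol", "erin"]


def plan_conversion(local_users, group_members):
    """Split local users into those safe to convert and those needing attention.

    Only an exact match is converted; a case-only difference or a user missing
    from the JumpCloud group is reported instead of being converted, because a
    converted user that JumpCloud cannot resolve would simply be locked out.
    """
    members = set(group_members)
    by_lower = {m.lower(): m for m in group_members}
    convert, problems = [], {}
    for user in local_users:
        if user in members:
            convert.append(user)
        elif user.lower() in by_lower:
            problems[user] = f"case mismatch with JumpCloud user {by_lower[user.lower()]!r}"
        else:
            problems[user] = "not a member of the JumpCloud RADIUS group"
    return convert, problems


def render_cli(users, radius_server=RADIUS_SERVER):
    """Render one 'config user local' block with an edit stanza per user."""
    lines = ["config user local"]
    for user in users:
        lines += [
            f'    edit "{user}"',
            "        set type radius",
            f'        set radius-server "{radius_server}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    to_convert, issues = plan_conversion(FORTIGATE_LOCAL_USERS, JUMPCLOUD_GROUP_MEMBERS)
    print(render_cli(to_convert))
    for user, why in issues.items():
        print(f"# skipped {user}: {why}")
```

Paste the printed block into the FortiGate CLI (or push it through your usual config deployment), and resolve the skipped users before converting them.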

This is an example of an existing FortiGate user:

This RADIUS user belongs to the appropriate JumpCloud Group

Reporting

JumpCloud’s Directory Insights captures and logs RADIUS authentications. It makes it possible to determine which user is attempting to access your resources and whether it was successful. Directory Insights is useful for debugging and testing your RADIUS configuration deployments.

Screenshot: JumpCloud Directory Insights

Try JumpCloud RADIUS

JumpCloud’s full platform is free for 10 users and devices, with premium chat support for the first 10 days to get you started. The open directory platform provides SSO to everything:

  • SAML
  • OIDC/OAUTH
  • LDAP
  • RADIUS

Attribute-based group access control, mobile device management (MDM), commands, and GPO-like policies are included in the platform for advanced identity lifecycle management. JumpCloud also features integrated remote assistance, reporting, and an optional password manager and cross-OS patch management. The directory platform works across Android (soon), Apple, Linux, and Windows devices, managing identities wherever the user is.

Need a Helping Hand? Reach out to professionalservices@jumpcloud.com for assistance to determine which Professional Service option might be right for you.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

Why use a managed services provider for your SASE implementation

As described by Gartner, Secure Access Service Edge (SASE) is a combination of networking and security services. Unifying both provides businesses with a streamlined and future-thinking approach to orchestrate their IT infrastructure. However, as a solution, it has its fair share of challenges in terms of deployment, administration, and management.

There are several routes that a business can take to transition to SASE: doing everything themselves or going to a vendor are just some of the options. For this reason, Managed Service Providers (MSPs) can be incredibly useful when making the leap more streamlined and convenient.

How do MSPs help enterprises migrate to SASE?

MSPs can reach out a helping hand to businesses that don’t want to or can’t implement SASE by themselves. The enterprise, as the client, simply picks what it needs from the MSP, and everything is done for it. It’s also not unheard of for an MSP to choose the needed components for the organization. This converged approach is more effective and saves client organizations time.

Illustration: general outline of SASE components

The external experts help businesses that may not have on-site specialists that could help them navigate various specific challenges associated with SASE. Choosing a SASE vendor is one of the most important IT decisions a business can make, so it’s very helpful to have someone to deal with product analysis, narrowing down the needed technologies, and planning network security schemes. It’s one of the most hassle-free methods to ensure optimal user experience when the transition to SASE is completed.

MSP benefits for SASE implementation

Illustration: managed service provider benefits

Here is the list of principal benefits that MSPs bring to businesses moving to the SASE framework.

1. Experience

As MSPs provide their security and networking services in a very niche field, they have amassed considerable expertise in helping clients overcome various challenges associated with SASE. Dealing with various vendor platforms is something that MSPs deal with daily, so they already have all the necessary knowledge for in-depth consultations.

2. Scalability

One of the most important benefits that MSPs can provide is scale. Simultaneously they can support thousands of clients as their multi-tenant architectures are equipped to do just that. Most MSPs also invest resources to have multiple points of presence across the globe to provide service without interruptions for globally distributed workforces. A broad reach is paramount in ensuring stable connectivity when setting up SD-WAN elements of SASE infrastructure.

3. Time-saving

MSPs are often regarded as the quickest route to implement SASE. Going from the drawing board to operating infrastructure takes little time. As the MSP has all bases covered, SASE services can be implemented very rapidly. In turn, this cuts the time to value and creates a quick route to results.

4. Prioritization

As SASE is a complex service with many critical components, it can be difficult to wrap your head around what should be done first. MSPs can guide organizations through this minefield by clearly defining priorities that should be achieved. Not to mention that some SASE service components can be implemented only after completing some prerequisites. MSPs, therefore, streamline the whole rollout procedure by keeping it on track.

5. Execution

A typical business could be stuck at the proof of concept level when planning its SASE service approach, which can be costly and time-consuming. MSPs have an in-depth understanding of their client’s pain points, which makes them more equipped to tackle various practical issues. This saves the trouble of going the trial-and-error route when implementing SASE without external help.

How to choose the right MSP for SASE implementation

While MSPs help you to create SASE that works for you, you still need to pick an MSP provider that would be the right fit for you.

1. Know which MSP type is right for you 

The first decision you’ll have to make is to pick one of the main MSP types.

Build and operate — this type handles full SASE deployment, including software and hardware configurations, monitoring performance, and integrated response to incidents. This involves not only the setup but ongoing maintenance.

Build and transfer — MSP designs, configures, and deploys all needed equipment and transfers it to the client. From the handover, the customer is responsible for its maintenance.  

Takeover — after the organization creates and deploys its SASE solution, MSP makes strategic decisions for operations outsourcing.

Note that there still can be varieties and hybrids of these models. The agreements could be time-based, as the provider will maintain everything for a set duration, after which the organization agrees to take over.

2. Do background research on MSP capabilities

The second part of the equation is that the MSP should match the organization’s requirements:

  • Can the MSP match the enterprise’s scale?
  • Are the necessary network security services provided?
  • Does the MSP have the required expertise within the customer’s industry?
  • Are connectivity services provided along with security?
  • Is the MSP providing an integrated product or combining different tools from separate providers?

A good match should align across the board with your setup requirements.

3. Check the price/value ratio

It’s essential to calculate whether relying on an MSP makes sense financially. The return on investment can vary greatly depending on the services used, company size, and other agreements. This is a helpful exercise to rethink priorities and arrive at the solution that makes sense not only from a security standpoint but financially.

4. Look into the SLA agreement

Finally, there is a question about legally binding contracts. MSPs heavily rely on Service Level Agreements to establish expectations with their clients. The document outlines the services that will be provided, the objectives, and any other relevant prerequisites. SLA metrics can vary greatly from one MSP to another, and it’s a client’s responsibility to ensure that their needs are addressed.

How can NordLayer help?

SASE and its network security component, Secure Service Edge, is an essential cornerstone of most enterprises’ digital transition. SSE combines cybersecurity technologies and concepts like ZTNA to deliver internet access security and network access management. This allows the development of a future-focused approach to an organization’s cybersecurity for growing modern businesses.

NordLayer helps to reduce risks associated with hybrid work or globally distributed workforces. As a complementary addition to your IT infrastructure, it enhances network access control by segmenting the user base through Virtual Private Gateways and filtering out malicious websites from employees’ browsing.

Get in touch with our experts today, and learn how NordLayer could improve your network security with a click of a button.
