This article describes how to set up RSA SecurID authentication on a FortiGate unit.

The configuration uses the following components:


* a FortiGate unit running FortiOS 3.0
* an RSA ACE/Server 5.1
* a RADIUS server

The RADIUS server uses information from the RSA ACE/Server to validate authentication requests from the FortiGate unit.

SecurID configuration

Configure the RADIUS server

You need to configure the RADIUS server to work with the RSA ACE/Server. See the RSA ACE/Server Administrator’s Guide.

Configure the RSA ACE/Server to support the RADIUS server

See the RSA ACE/Server Installation Guide.

Configure the FortiGate unit as an Agent Host

You need to set up the FortiGate unit as an Agent Host within the RSA ACE/Server database.

1. On the RSA ACE/Server computer, go to Start > Programs > RSA ACE/Server, and then Database Administration – Host Mode.
2. On the Agent Host menu, select Add Agent Host.
3. In the Name field, enter a name for the FortiGate unit.
4. In the Network address field, enter the FortiGate unit IP address.
5. Select Secondary Nodes and define all hostname/IP addresses that resolve to the FortiGate unit.

If needed, refer to the RSA ACE/Server documentation for more information.

FortiGate configuration

Add the RADIUS server

The FortiGate unit will use the RADIUS server to authenticate SecurID users.

1. Go to User > RADIUS and select Create New.
2. In the Name field, enter a name for the RADIUS server.
3. In the Server Name/IP and Server Secret fields, enter the appropriate information about the RADIUS server you configured for use with SecurID.

Create a SecurID user group

You need to create a user group with the SecurID RADIUS server as its only member.

1. Go to User > User Group.
2. Select Create New.
3. In the Name field, enter a name for the group.
4. In the Available Users/Groups list, select the RADIUS server you configured for use with SecurID.
5. Select the right arrow button to move the selected server to the Members list.
6. Select OK.
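
The two procedures above (adding the RADIUS server and creating the user group) can also be entered from the FortiGate CLI. The following is an added example, not part of the original article; the object names, the server address (a documentation-range IP) and the secret are placeholders, and the syntax is assumed to match your FortiOS release, so check it against the CLI reference for that version.

```fortios
# Added example: all names and values below are constructed placeholders.

# RADIUS server that fronts the RSA ACE/Server
config user radius
    edit "SecurID_RADIUS"
        # Address of the RADIUS server (placeholder from 192.0.2.0/24)
        set server "192.0.2.10"
        # Must match the shared secret configured for this client on the RADIUS server
        set secret <shared_secret>
    next
end

# User group with the SecurID RADIUS server as its only member
config user group
    edit "SecurID_Group"
        set member "SecurID_RADIUS"
    next
end
```

The shared secret protects the RADIUS exchange between the FortiGate unit and the server, so use a long random value and do not reuse it for other RADIUS clients.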

Use the SecurID user group for authentication

You can use the SecurID user group in several FortiGate features that authenticate by user group:

* Firewall policies – select the Authentication checkbox and add the SecurID user group to the Allowed list.
* XAuth in dialup VPN – in the VPN Phase 1 configuration Advanced settings, in the XAuth section, select Enable as Server and choose the SecurID user group.
* PPTP VPN – in the PPTP configuration, choose the SecurID user group.

For more information about configuring these features, see the FortiGate Administration Guide.