Wednesday, 5 March 2014

How-to: Configure SMS Two Factor Authentication on a FortiGate

A while ago I wrote a 'How-to' guide on the steps required to configure SMS Two Factor Authentication using a FortiAuthenticator and a FortiGate. This involved configuring the a SMS gateway on the FortiAuthenticator using HTTP and then getting the FortiGate to send authentication requests to it.

A little known fact is that the FortiGate can actually do two factor SMS authentication out of the box, all for free and with no licenses required! There's two ways of configuring the SMS authentication. Firstly with the prepaid FortiGuard SMS servers (preconfigured) and then with your own custom SMS server.

Ttoday I decided to test out this feature with my custom SMS server and initially struggled as there's no proper documentation on how it actually works, what it sends etc. Below are the steps I took and the bits of information that I gleamed during the configuration.

For this example I'm using SMSglobal as I did in my previous blog. It's easy to setup and pretty cheap, but any provider should be fine as long as they can convert emails to sms.

Let's start with the steps required:

1. Configure SMTP server
2. Configure SMS service on FortiGate
3. Configure SMS service on SMS provider
4. Create admin user with SMS two factor enabled
5. Test out the login

1. Configure SMTP server:


The first point is that all SMS messages are sent via SMTP (email). This means your SMS gateway will need to be able to convert email to SMS. Previously on the FortiAuthenticator blog we went through sending SMS requests via HTTP; this will not work on the FortiGate.

Goto System > Config > Messaging Servers and configure the 'SMTP Server' and the 'Default Reply To' variables.

2. Configure SMS service on FortiGate


Next click on 'Create New' and enter a name and address for the SMS gateway. For this example I used the name of smsglobal and the address as email.smsglobal.com (check with your SMS gateway on what their address is).


There's a few things I'd like to highlight here.

Firstly the SMTP server you configure is going to be the one that the FortiGate uses to send to the SMS servers. This means that your SMTP server will need to allow the FortiGate to relay through it. I spent a while trying to figure out why my messages weren't working until I packet sniffed the FortiGate and saw that it was getting 'Relay denied' messages back from my server.

Secondly the SMS Service 'Address' is going to be the domain of the email address the FortiGate sends it's emails to.

So for example using the above config; if my mobile is 61414867514 then the FortiGate will send an email to 61414867514@email.smsglobal.com through 192.168.101.110.

3. Configure SMS service on SMS provider


This is really dependent on your SMS provider. I'll go through what I needed to configure to get it working on SMSGlobal.

For SMSGlobal, simply login to the portal and navigate to Tools > Settings. From here tick 'Enable Email to SMS/MMS' then enter your domain (or email address of the FortiGate). Click 'Update Settings' to save.


4. Create admin user with SMS two factor enabled


For this example I'll be creating an admin user (username 'tokenadmin') with SMS two factor authentication enabled. You could also create local users with two factor to be used in SSL/IPSEC VPNs. 

The configuration needs to be done via the CLI as some options cannot be configured via the GUI.

config system admin
edit tokenadmin
set sms-server custom
set sms-custom-server smsglobal
set sms-phone 61414867514
set two-factor sms
set password password123
set accprofile super_admin
end

You should now see this user under System > Admin > Administrators with a green tick under 'Two-factor Authentication'.


Edit the user and you'll now see a new 'SMS based two-factor authentication' option that was enabled via the CLI.


 5. Test out the login

Now to test the config. Login to the FortiGate unit using your newly created tokenadmin username and password.

When you click on 'Login' you'll get the following 'Token Code' request and a SMS will be sent to your phone.




Type in the the one time code and login to your FortiGate!


That should be it regarding the config. I've included for reference below a capture of what your FortiGate sends when everything is configured correctly, and another capture of what happens when your mail server doesn't allow the FortiGate to relay through it.

Both these captures were made on the FortiGate using the following filter:

diagnose sniffer packet any 'port 25' 6

Firstly we can see the FortiGate sending an email with Subject: Authcode: 584056 successfully and that the message has been accepted and queued for delivery.


Next is a rejected email with a 'Relaying denied' error.


I'll close with a few security points I'd like to highlight. With the above example using SMSGlobal, the only restriction was based on the sending domain name. This is bad, since anyone can send an email to SMSGlobal with the mail from address being your own. I would recommend either using your own internal email to SMS server or choose a service based one that allows you to do IP and email based restrictions.

Secondly the emails are sent via SMTP which is in cleartext. If you're using an external SMS provider I'd suggest using one that supports SMTPS.

Anyway that's it from me!

7 comments:

Patrick said...

Hey Al,

Great website! Wanted to get your thoughts on this.
I'm trying to implement this, but when I recieve the code I get a message saying "unable to contact server".

Also trying to do this on the SSLVPN side as well, however a code is not sent from the fortigate. A packet capture verifies this as well.

Would like to hear your thoguhts on it. Thanks in advance!

Patrick

dVoid said...

Couldn't you also go directly to the phone provider and do this for free (You'd have to know which phone provider it was):
e.g.
http://martinfitzpatrick.name/list-of-email-to-sms-gateways/

dVoid said...

FYI, I validated that in fact you can setup the Fortigate to go directly to the Cell Provider's SMS Gateway for free ;-). For example, setup a custom SMS provider as "Verizon" with a domain of vtext.com . The hardest part was getting the mail relaying configured properly on my SMTP server. Once that was setup it works like a champ ;-).

Allan Mouawad said...

Hey dVoid, are you based in America? From my understanding the American gateways charge the recipient for messages so provide free SMS services. In Australia there are no free providers :`(

Patrick said...

Maybe it depends on the provider. From what I know most of the major carriers in the US don't charge, Verizon and T-mobile. I can confirm that they do not charge the recipients.

Patrick said...

dVoid, good find. I didn't think of trying to use my cell provider directly. I'll have to try this when I get home.

Anonymous said...

I know this thread is nearly 2 years old, but I thought I'd give it a go. I'm trying to setup 2-factor using SMSGlobal and http for guest wifi (Not controlled by the Fortigate.) It works great until after the authentication completes on SMSGlobal's side. When it returns control the FortiAuth. Then the internal onboard messages begin, which is totally unneeded. It essentially takes you back through the 2-factor and ends with a 'requested parameter missing." Any thoughts on how to bypass the interaction after the 2-factor with SMSGlobal? Thanks - tc