SSL VPN with RADIUS on FortiAuthenticator

This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server.

Sample network topology

Sample configuration

To configure FortiAuthenticator using the GUI:

1. Create a user on the FortiAuthenticator.
   1. On the FortiAuthenticator, go to Authentication > UserManagement > Local Users to create a user sslvpnuser1.
   2. Enable Allow RADIUS authentication and click OK to access additional settings.
   3. Go to Authentication > UserManagement > UserGroups to create a group sslvpngroup.
   4. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
2. Create the RADIUS client (FortiGate) on the FortiAuthenticator.
   1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients to add the FortiGate as a RADIUS client OfficeServer).
   2. Enter the FortiGate IP address and set a Secret.

The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator. c. Set Realms to local |Local users.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

Port1 interface connects to the internal network.

1. Go to Network > Interface and edit the wan1
2. Set IP/Network Mask to 20.120.123/255.255.255.0.
3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.

2. Create a RADIUS user and user group .
   1. On the FortiGate, go to User& Device > RADIUS Servers to create a user to connect to the RADIUS server

(FortiAuthenticator).

1. For Name, use FAC-RADIUS.
2. Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
3. Click Test Connectivity to ensure you can connect to the RADIUS server.
4. Select Test UserCredentials and enter the credentials for sslvpnuser1.

The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.

1. Go to User& Device > UserGroups and click Create New to map authenticated remote users to a user group on the FortiGate.
2. For Name, use SSLVPNGroup.
3. In Remote Groups, click Add.
4. In the Remote Server dropdown list, select FAC-RADIUS.
5. Leave the Groups field blank.

3. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.

4. Configure SSL VPN settings.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Set ServerCertificate to the authentication certificate.
   5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
   6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
5. Configure SSL VPN firewall policy.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Set the Source Address to all and Source User to sslvpngroup.
   5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
   6. Set Destination Address to the internal protected subnet 168.1.0.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Enable NAT.
   9. Configure any remaining firewall and security options as desired.
   10. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet.

Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root” set ip 192.168.1.99 255.255.255.0

next

end config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

2. Create a RADIUS user and user group.

config user radius edit “FAC-RADIUS” set server “172.20.120.161” set secret <FAC client secret>

next

end

config user group edit “sslvpngroup” set member “FAC-RADIUS”

next

end

3. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

4. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

next

end

5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of web portal:

1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1
3. On the FortiGate, go to Monitor> SSL-VPN Monitor to confirm the user connection.

To see the results of tunnel connection:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.
   • Set the connection name.
   • Set Remote Gateway to 20.120.123.
4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Log in using the sslvpnuser1 credentials and check that you are logged into the SSL VPN tunnel.

To check the SSL VPN connection using the GUI:

1. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor SSL VPN Login Users:
Index User       Auth Type      Timeout	From     HTTP in/out   HTTPS in/out
0        sslvpnuser1          1(1) SSL VPN sessions:	229      10.1.100.254 0/0      0/0
Index User       Source IP      Duration To check the tunnel login using the CLI: get vpn ssl monitor SSL VPN Login Users:	I/O Bytes       Tunnel/Dest IP
Index User       Auth Type      Timeout	From     HTTP in/out   HTTPS in/out
0        sslvpnuser1          1(1)	291      10.1.100.254 0/0      0/0

SSL VPN sessions:

Index User     Source IP    Duration     I/O Bytes    Tunnel/Dest IP 0  sslvpnuser1  10.1.100.254 9      22099/43228  10.212.134.200

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!