Description
This article describes how to reserve a virtual IP address for an IPsec VPN client based on the authenticated user, and how to set up a FortiGate unit to work with a RADIUS server so that the RADIUS-assigned virtual IP address is passed to the IPsec VPN client for that user.
Scope
FortiGate running FortiOS 4.0
RADIUS
IPsec
FortiClient, or any IPsec client that supports XAuth and DHCP over IPsec.
Solution
During RADIUS authentication, the FortiGate unit will look for the 'Framed-IP-Address' attribute (RFC 2865, section 5.8) in the Access-Accept packet. When this attribute is present and the FortiGate unit is configured to use it, it will be given back to the client through IPsec, SSL-VPN and PPTP.
This is only supported in FortiOS 4.0 and higher.
Example:
Summary:
- Client PC establishes a VPN tunnel to the FortiGate unit.
- The FortiGate unit is set up to forward the authentication request to a RADIUS server.
- If authentication is successful, the RADIUS server sends an Access-Accept packet back to the FortiGate unit containing the Framed-IP-Address attribute (the IP address assigned or reserved for the user).
- The Client requests an IP address over DHCP-IPsec.
- The FortiGate unit passes the address received from the RADIUS server to the client over DHCP-IPsec.
- In this example, port2 is the external port facing the client and port5 is the interface facing the internal 10.166.0.0 subnet.
Prerequisite:
- A FortiGate unit running FortiOS 4.0 or higher
- The FortiGate unit is connected to internet
- The FortiGate unit can reach the RADIUS server
- The RADIUS server is properly set up with the correct Framed-IP-Address for each user, so that it sends the Framed-IP-Address associated with the user in the Access-Accept packet.
- As there are all kinds of RADIUS servers available, Fortinet is not responsible for the setup of the RADIUS server.
The following is a simple example of a user entry in the FreeRADIUS users file (reply items are comma-separated, and the last one carries no trailing comma):
fortinettest Auth-Type := CHAP, User-Password == "fortinet"
        Service-Type = Framed-User,
        Session-Timeout = 180,
        Idle-Timeout = 120,
        Framed-IP-Address = 192.168.253.25
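To make the RADIUS side of the exchange concrete, the following added example (not part of the original article, and not FortiGate or FreeRADIUS code) builds the Access-Accept that the FreeRADIUS entry above would return for fortinettest, then parses it the way a NAS must: it recomputes the Response Authenticator with the shared secret before trusting any attribute, walks the attribute list with length checks, and decodes Framed-IP-Address (type 8, RFC 2865 section 5.8) including the two reserved values 0xFFFFFFFF (user selects) and 0xFFFFFFFE (NAS selects). The shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_IP_ADDRESS = 8          # RFC 2865 section 5.8
ATTR_SESSION_TIMEOUT = 27
ATTR_IDLE_TIMEOUT = 28
SERVICE_TYPE_FRAMED_USER = 2
# Section 5.8 reserves two values: the user picks the address, or the NAS picks it.
FRAMED_IP_USER_SELECTS = b"\xff\xff\xff\xff"
FRAMED_IP_NAS_SELECTS = b"\xff\xff\xff\xfe"

# Constructed sample values; a real deployment has its own secret and authenticator.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))     # Request Authenticator the NAS sent in its Access-Request


def encode_attribute(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length covers all three."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, request_auth, secret, attributes):
    """Access-Accept with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(payload):
    """Walk the attribute list, rejecting truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", payload[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(payload):
            raise ValueError("bad attribute length %d" % attr_len)
        attrs.append((attr_type, payload[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def framed_ip_from_response(packet, request_auth, secret):
    """Verify a RADIUS response and report its Framed-IP-Address decision.

    Returns ("address", "a.b.c.d"), ("user-selects", None), ("nas-selects", None)
    or ("absent", None); raises ValueError on a malformed packet or bad authenticator.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]                  # bytes beyond Length are padding
    attrs_raw = packet[20:]
    # Recompute the Response Authenticator before trusting any attribute: a reply that
    # fails this check did not come from a server holding the shared secret.
    expected = hashlib.md5(packet[:4] + request_auth + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return ("absent", None)
    for attr_type, value in parse_attributes(attrs_raw):
        if attr_type == ATTR_FRAMED_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be exactly 4 bytes")
            if value == FRAMED_IP_USER_SELECTS:
                return ("user-selects", None)
            if value == FRAMED_IP_NAS_SELECTS:
                return ("nas-selects", None)
            return ("address", str(ipaddress.IPv4Address(value)))
    return ("absent", None)


def example_packet():
    """The Access-Accept the FreeRADIUS entry above would produce for fortinettest."""
    return build_access_accept(0x2A, REQUEST_AUTH, SECRET, [
        encode_attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED_USER)),
        encode_attribute(ATTR_SESSION_TIMEOUT, struct.pack("!I", 180)),
        encode_attribute(ATTR_IDLE_TIMEOUT, struct.pack("!I", 120)),
        encode_attribute(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.253.25").packed),
    ])
```

Calling framed_ip_from_response(example_packet(), REQUEST_AUTH, SECRET) returns ("address", "192.168.253.25"). The authenticator check is the part worth keeping in mind when reviewing a deployment: RADIUS over UDP carries no other integrity protection, so the shared secret between the FortiGate unit and the RADIUS server is what stops a spoofed reply from handing out an arbitrary client address.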
FortiGate Configuration:
In this example a route-based VPN (also called interface mode) is used.
Configure the RADIUS server profile and the user group:
config user radius
    edit "RADIUS"
        set nas-ip 10.100.0.109
        set secret ENC t8JMeRJkFjDf
        set server "10.100.0.9"
    next
end
config user group
    edit "RADIUS-Client"
        set member "RADIUS"
    next
end
Set up the dial-up IPsec VPN:
config vpn ipsec phase1-interface
    edit "Radius-test"
        set type dynamic
        set interface "port2"
        set proposal 3des-sha1
        set xauthtype pap <------ enable XAuth
        set psksecret ENC ldspei00
        set authusrgrp "RADIUS-Client" <------ authenticate against the user group created above
    next
end
config vpn ipsec phase2-interface
    edit "Radius-test_ph2"
        set add-route enable <------ optional
        set phase1name "Radius-test"
        set proposal 3des-sha1
        set dhcp-ipsec enable <------ enable DHCP over IPsec
    next
end
Set up DHCP over IPsec:
Set up the DHCP server from the CLI. In this example, "DHCP-radius" is used as the name:
config system dhcp server
    edit "DHCP-radius"
        set interface Radius-test <----- the DHCP server is bound to the IPsec sub-interface
        set netmask 255.255.255.255 <----- the netmask must be set to 255.255.255.255
        set server-type ipsec
        set ip-mode usrgrp
    next
end
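The phase1, phase2 and DHCP server blocks above have to agree with each other (XAuth on, a RADIUS-backed user group as authusrgrp, dhcp-ipsec enabled on the phase2, and a DHCP server of type ipsec with a /32 netmask and ip-mode usrgrp bound to the tunnel interface), and a missing end or a wrong netmask is easy to overlook. The following added example, which is not part of the original article and not a Fortinet tool, parses FortiOS CLI text of the config/edit/set/next/end form into nested dicts and checks those requirements; the sample configuration is constructed from the values used in this article, and the arrow annotations are ignored so the article's own snippets can be fed in.

```python
import re


def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts.

    Shape: {"system dhcp server": {"DHCP-radius": {"netmask": "255.255.255.255", ...}}}
    Raises ValueError on unbalanced blocks, e.g. a 'config' with no closing 'end'.
    """
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("<---")[0].strip()      # drop '<------ ...' annotations
        if not line:
            continue
        cur = stack[-1] if stack else root
        if line.startswith("config ") or line.startswith("edit "):
            key = line.split(" ", 1)[1].strip().strip('"')
            stack.append(cur.setdefault(key, {}))
        elif line.startswith("set "):
            k, v = re.match(r"set (\S+)\s*(.*)", line).groups()
            cur[k] = v.strip().strip('"')
        elif line in ("next", "end"):
            if not stack:
                raise ValueError("unexpected %r outside any block" % line)
            stack.pop()
        else:
            raise ValueError("unrecognised line: %r" % raw)
    if stack:
        raise ValueError("%d block(s) not closed with next/end" % len(stack))
    return root


def check_radius_vip(cfg):
    """Return findings for the settings this article requires for RADIUS-assigned IPs."""
    out = []
    groups, radius = cfg.get("user group", {}), cfg.get("user radius", {})
    p2s, dhcps = cfg.get("vpn ipsec phase2-interface", {}), cfg.get("system dhcp server", {})
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("type") != "dynamic":
            out.append("%s: dial-up tunnel needs 'set type dynamic'" % name)
        if p1.get("xauthtype", "disable") == "disable":   # FortiOS default is disabled
            out.append("%s: XAuth is not enabled (set xauthtype)" % name)
        grp = p1.get("authusrgrp")
        if grp not in groups or groups[grp].get("member") not in radius:
            out.append("%s: authusrgrp must name a group whose member is a RADIUS server" % name)
        if not any(p2.get("phase1name") == name and p2.get("dhcp-ipsec") == "enable"
                   for p2 in p2s.values()):
            out.append("%s: no phase2 with 'set dhcp-ipsec enable'" % name)
        bound = [d for d in dhcps.values() if d.get("interface") == name]
        if not bound:
            out.append("%s: no DHCP server bound to the tunnel interface" % name)
        for d in bound:
            for key, want in (("netmask", "255.255.255.255"),
                              ("server-type", "ipsec"), ("ip-mode", "usrgrp")):
                if d.get(key) != want:
                    out.append("%s: DHCP server needs 'set %s %s'" % (name, key, want))
    return out


# Constructed sample built from the values in this article.
GOOD_CONFIG = """
config user radius
    edit "RADIUS"
        set server "10.100.0.9"
    next
end
config user group
    edit "RADIUS-Client"
        set member "RADIUS"
    next
end
config vpn ipsec phase1-interface
    edit "Radius-test"
        set type dynamic
        set xauthtype pap <------ enable XAuth
        set authusrgrp "RADIUS-Client"
    next
end
config vpn ipsec phase2-interface
    edit "Radius-test_ph2"
        set phase1name "Radius-test"
        set dhcp-ipsec enable
    next
end
config system dhcp server
    edit "DHCP-radius"
        set interface Radius-test
        set netmask 255.255.255.255
        set server-type ipsec
        set ip-mode usrgrp
    next
end
"""
# Same configuration with two of the documented requirements broken.
BAD_CONFIG = (GOOD_CONFIG.replace("set netmask 255.255.255.255", "set netmask 255.255.255.0")
              .replace("set dhcp-ipsec enable", "set dhcp-ipsec disable"))
```

check_radius_vip(parse_fortios(GOOD_CONFIG)) returns an empty list, while the BAD_CONFIG variant reports the wrong netmask and the phase2 without DHCP over IPsec. Feeding in a snippet that lacks its closing end raises ValueError, which is the same mistake the FortiOS CLI would refuse when the block is pasted in.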
Set up the firewall policies:
config firewall policy
    edit 1
        set srcintf "Radius-test"
        set dstintf "port5"
        set srcaddr "forticlient"
        set dstaddr "internal subnets"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "port5"
        set dstintf "Radius-test"
        set srcaddr "internal subnets"
        set dstaddr "forticlient"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
FortiClient setup:
This setup is transparent to FortiClient. The FortiClient configuration is the same as a usual client setup with XAuth enabled and the virtual IP address acquired via DHCP over IPsec.