Somashekara_Hanumant
Article Id 195421

Purpose

This Technical Note describes configuration scenarios for using RADIUS authentication with SSL VPN user groups. Remote users must be authenticated before they can request services or access network resources through the SSL VPN web portal or the SSL VPN client.

 

The authentication process relies on FortiGate user group definitions, which can use authentication mechanisms such as RADIUS to authenticate remote clients.

 

A member of a user group can be:
 

· Case 1: User, whose user name and password are stored on the FortiGate unit.

· Case 2: User, whose name is stored on the FortiGate unit, and whose password is stored on a remote or external authentication server.

· Case 3: A remote or external authentication server with a database that contains the user name and password of each person who is permitted access.

In this note we only deal with users of Case 2 or Case 3, and the authentication server is a RADIUS server.


Scope

 

• All FortiGate models

• FortiGate unit or VDOM in NAT mode only

• Tests have been done with firmware version 5.2.7 (build 711) and 5.4.0 (build 1011)

• Focus on SSL VPN tunnels with split tunnelling enabled

• Use of a RADIUS server on Windows Server 2008 NPS (RADIUS server integrated with Active Directory)

• User groups used in the configuration are usrgrp, salesgrp

 

User group information

User Name   Member of Group
user1       usrgrp
sales1      salesgrp

 

 

• Protected network information

Object           Range
subnet           10.40.0.0/22
Lan-user-range   10.40.0.1-40
Server range     10.40.0.41-50

The network behind the FortiGate unit is 10.40.0.0/22; LAN users use the IP address range 10.40.0.1-40, and servers use the IP address range 10.40.0.41-50.

 


Expectations, Requirements

Users should be able to authenticate using the RADIUS servers, and be assigned to their user group.

 

When a user from the group "usrgrp" connects to the SSL VPN, the user should get access to the LAN-user IP address range 10.40.0.1-40.

 

When user from the group "salesgrp" connects to SSL VPN, user should get access to the Server IP address range 10.40.0.41-50.

 


Configuration

 

 

Configuration of RADIUS server

config user radius
    edit "radius"
        set server "10.40.0.42"
        set secret ENC Qeg/KhAVUX3JSQb+fi1Panx1MNu7INy9LEa1JfrHWGsQrGgu/yZoInj1U6DWEcEotNDKguRM+0twJQ5bQqJMfW4yx1voyGfrA/cGnsDs41MgsqzB
    next
end

The name of this RADIUS server object is referenced later by "set radius-server" (config user local) and by "set member" / "set server-name" (config user group); the names must match exactly (the Case 2 configuration and the debug output below use a server object named "lab_radius").

 

 
 
Configuration of SSLVPN portals
 
 
config vpn ssl web portal
edit "usrgrp-portal"
        set tunnel-mode enable
        set ipv6-tunnel-mode disable
        set web-mode disable
        set cache-cleaner disable
        set host-check none
        set limit-user-logins disable
        set mac-addr-check disable
        set os-check disable
        set virtual-desktop disable
        set ip-mode range
        set auto-connect disable
        set keep-alive disable
        set save-password disable
        set ip-pools "usrgrp-users-range"
        set split-tunneling enable
        set split-tunneling-routing-address "Local-LAN"
        set dns-server1 0.0.0.0
        set dns-server2 0.0.0.0
        set wins-server1 0.0.0.0
        set wins-server2 0.0.0.0
    next
edit "salesgrp-portal"
        set tunnel-mode enable
        set ipv6-tunnel-mode disable
        set web-mode disable
        set cache-cleaner disable
        set host-check none
        set limit-user-logins disable
        set mac-addr-check disable
        set os-check disable
        set virtual-desktop disable
        set ip-mode range
        set auto-connect disable
        set keep-alive disable
        set save-password disable
        set ip-pools "salesgrp-users-range"
        set split-tunneling enable
        set split-tunneling-routing-address "Server-LAN"
        set dns-server1 0.0.0.0
        set dns-server2 0.0.0.0
        set wins-server1 0.0.0.0
        set wins-server2 0.0.0.0
    next
end

 
Configuration of firewall Addresses

config firewall address
    edit "usrgrp-users-range"
        set type iprange
        set end-ip 10.212.134.20
        set start-ip 10.212.134.10
    next
    edit "salesgrp-users-range"
        set type iprange
        set end-ip 10.212.134.40
        set start-ip 10.212.134.30
    next
    edit "Local-LAN"
        set type iprange
        set end-ip 10.40.0.40
        set start-ip 10.40.0.1
    next
    edit "Server-LAN"
        set type iprange
        set end-ip 10.40.0.50
        set start-ip 10.40.0.41
    next
end
 
 
Configuration for Case 2
 
Configuration of the user and user groups
 
The user group is associated with the web portal that the user sees after logging in. If you have multiple portals, you will need multiple user groups.
 
 
config user local
edit "user1"
set type radius
set radius-server "lab_radius"
next
edit "sales1"
set type radius
set radius-server "lab_radius"
next
end
 
 
config user group
    edit "local_user1"
        set sslvpn-portal "usrgrp-portal"
        set member "user1"
    next
    edit "local_sales1"
        set sslvpn-portal "salesgrp-portal"
        set member "sales1"
    next
end

 

 
 
 



SSLVPN settings:

config vpn ssl settings
    set servercert "self-sign"
    set tunnel-ip-pools "salesgrp-users-range" "usrgrp-users-range"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "local_user1"
                set portal "usrgrp-portal"
            next
            edit 2
                set groups "local_sales1"
                set portal "salesgrp-portal"
            next
        end
end


Configuration of SSL VPN security policies for Case 2

SSL VPN policy

 

It is required to create one SSL VPN security policy to authenticate users and provide access to the protected networks. You will need additional security policies only if you have multiple web portals that provide access to different resources.

 

config firewall policy
    edit 4
        set uuid 842b669c-e689-51e5-057d-7b4f89fcc6ef
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "usrgrp-users-range"
        set dstaddr "Local-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "local_user1"
    next
    edit 8
        set uuid 8b1180fe-f4b2-51e5-e262-422678589b0e
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "salesgrp-users-range"
        set dstaddr "Server-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "local_sales1"
    next
end
 
 

 

Static Route configuration

With the tunnel mode configuration, you must add a static route, so that replies from the protected network can reach the remote SSL VPN client.

 

config router static
    edit 3
        set device "ssl.root"
        set distance 1
        set dst 10.212.134.0 255.255.255.0
    next
end

 

Configuration for Case 3

Note - In the configuration example for Case 3, we will use the same SSL VPN portal and address objects used in Case 2, only the SSL VPN firewall policies are reconfigured with new user groups.

 
Configuration of user groups

config user group
    edit "user1"
        set member "radius"
        config match
            edit 1
                set server-name "radius"
                set group-name "user1"
            next
        end
    next
    edit "sales1"
        set member "radius"
        config match
            edit 1
                set server-name "radius"
                set group-name "sales1"
            next
        end
    next
end

Note: The group name specified in the attribute "set group-name" must match the user group on the RADIUS server, i.e. the value the server returns in the Fortinet-Group-Name attribute, and "set server-name" must reference the RADIUS server object defined under "config user radius".
 
 
Configuration of SSL VPN security policies

 

config firewall policy
    edit 9
        set uuid b76b58d4-f4b5-51e5-8931-4b1f1bd265b7
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Local-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "user1"
    next
    edit 10
        set uuid cc36be52-f4b5-51e5-2a21-e01597444db0
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Server-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sales1"
    next
end



 
 


Verification

Verification for the Case 2
(a user, whose name is stored on the FortiGate unit, and whose password is stored on a remote or external authentication server)
 
When a user connects to the SSL VPN and supplies credentials, FortiOS scans the list of SSL VPN policies and looks at the groups attached to the policies.

If the user "user1" logs on to the SSL VPN portal, policy 4 applies, because this user is a member of the group "local_user1", which is specified in policy 4.
If the user "sales1" logs on to the SSL VPN portal, policy 8 applies, because this user is a member of the group "local_sales1", which is specified in policy 8.

When the user logs on to the SSL VPN portal, the authentication request is sent to the RADIUS server in an Access-Request packet.
When the user credentials are correct, the RADIUS server replies with an Access-Accept packet.
A static route is added on the user's machine, with destination Local-LAN (10.40.0.1-40) and the tunnel as the gateway.
 
 
 
 
Verification for the Case 3 
(a remote or external authentication server, with a database, that contains the user name and password of each person, who is permitted to access the VPN)
 
In this scenario, when the user authenticates to the SSL VPN portal, the authentication request is sent to the RADIUS server in an Access-Request packet.
When the user credentials are correct, the RADIUS server is configured to return the Fortinet VSA "Fortinet-Group-Name" in the Access-Accept reply.
 
If the value of the Fortinet-Group-Name attribute is "salesgrp", then the tunnel will be up (assuming the user tried to authenticate with a user member of "salesgrp" group).
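As an added example (not part of this note and not FortiOS code), the following Python decodes the Fortinet-Group-Name VSA from a RADIUS Access-Accept and applies a Case 3 style group-name to portal lookup, after verifying the reply's Response Authenticator with the shared secret so that a reply not produced by the configured server is never trusted. The vendor ID 12356 and VSA type 1 are Fortinet's values from its RADIUS VSA dictionary; the request authenticator, shared secret, match rules and sample packet are constructed for the demo.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1      # VSA type 1; type 6 is Fortinet-Access-Profile

def build_vsa(vendor_type, value):
    """Encode one Fortinet vendor-specific attribute (RFC 2865 section 5.26)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_access_accept(ident, request_auth, secret, attrs):
    """Server reply: Response Authenticator = MD5(code+id+len+RequestAuth+attrs+secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def fortinet_group_names(packet):
    """Return every Fortinet-Group-Name value carried in an Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return []
    groups, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            break  # malformed attribute: stop instead of reading past the packet
        value = packet[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            if vtype == FORTINET_GROUP_NAME and 2 <= vlen <= len(value) - 4:
                groups.append(value[6:4 + vlen].decode("utf-8", "replace"))
        pos += alen
    return groups

def portal_for(packet, request_auth, secret, match_rules):
    """Mimic 'config match' after verifying the Response Authenticator (RFC 2865 section 3)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return None  # reply was not produced with the shared secret: trust no VSA in it
    return next((match_rules[g] for g in fortinet_group_names(packet) if g in match_rules), None)

# Constructed sample: request authenticator and shared secret are made up for this demo.
REQUEST_AUTH, SECRET = bytes(range(16)), b"demo-shared-secret"
SAMPLE_ACCEPT = build_access_accept(152, REQUEST_AUTH, SECRET, [
    build_vsa(FORTINET_GROUP_NAME, b"salesgrp"), build_vsa(6, b"super_admin")])
```

With rules {"usrgrp": "usrgrp-portal", "salesgrp": "salesgrp-portal"}, the sample reply selects "salesgrp-portal"; the Fortinet-Access-Profile VSA (type 6, "super_admin" in the debug output) is decoded but ignored by the group lookup.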
 

 


Troubleshooting
diag debug reset
diag debug disable
diag debug application fnbamd -1
diag debug application sslvpn -1
diag debug enable

[1695:root:407]sslvpn_authenticate_user:168 authenticate user: [user1]
[1695:root:407]sslvpn_authenticate_user:175 create fam state
[1695:root:407]fam_auth_send_req:514 with server blacklist:
fnbamd_fsm.c[1890] handle_req-Rcvd auth req 1571178731 for user1 in local_user1 opt=00000100 prot=10
fnbamd_fsm.c[336] __compose_group_list_from_req-Group 'local_user1'
fnbamd_pop3.c[573] fnbamd_pop3_start-user1
fnbamd_cfg.c[519] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'lab_radius' for usergroup 'local_user1' (7)
fnbamd_radius.c[1060] fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_radius.c[1254] fnbamd_radius_auth_send-Sent radius req to server 'lab_radius': fd=12, IP=10.40.0.42 code=1 id=152 len=105 user="user1" using PAP
fnbamd_auth.c[271] radius_server_auth-Timer of rad 'lab_radius' is added
fnbamd_auth.c[688] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_auth.c[409] ldap_start-Didn't find ldap servers (0)
fnbamd_fsm.c[425] create_auth_session-Total 1 server(s) to try
[1695:root:407]fam_auth_send_req_internal:414 fnbam_auth return: 4
fnbamd_auth.c[2211] fnbamd_auth_handle_radius_result-Timer of rad 'lab_radius' is deleted
fnbamd_radius.c[365] extract_success_vsas-FORTINET attr, type 1, val usrgrp
fnbamd_radius.c[394] extract_success_vsas-FORTINET attr, type 6, val super_admin
fnbamd_auth.c[2237] fnbamd_auth_handle_radius_result-->Result for radius svr 'lab_radius' 10.40.0.42(0) is 0
fnbamd_auth.c[2265] fnbamd_auth_handle_radius_result-Skipping group matching
fnbamd_fsm.c[822] find_matched_usr_grps-Skipped group matching
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 1571178731
fnbamd_fsm.c[565] destroy_auth_session-delete session 1571178731
[1695:root:407]Auth successful for group local_user1
fnbamd_fsm.c[2194] handle_req-Rcvd 7 req
fnbamd_acct.c[265] fnbamd_acct_start_START-Error starting acct
fnbamd_fsm.c[1245] create_acct_session-Error start acct type 7
fnbamd_fsm.c[2206] handle_req-Error creating acct session 7
[1695:root:407]fam_do_cb:463 fnbamd return auth success.

Related Articles

Technical Tip: FortiGate Radius VSA Dictionary (vendor-specific attributes)
