FortiGate
bfeng (Staff)
Article Id 194966

Description
This article describes how to reserve the virtual IP address assigned to an SSLVPN tunnel mode client based on the authenticated user, and how to set up a FortiGate unit to work with a RADIUS server so that the RADIUS-assigned SSLVPN tunnel end IP address is passed to the SSLVPN tunnel client according to the user who authenticated.


Scope
FortiGate units, running FortiOS firmware version 5.00 and higher
RADIUS
SSLVPN tunnel mode
Solution
During RADIUS authentication, the FortiGate unit looks for the 'Framed-IP-Address' attribute (RFC 2865, section 5.8) in the Access-Accept packet. When this attribute is present and the FortiGate unit is configured to use it, the address is handed back to the client over IPsec, SSL-VPN or PPTP.

This feature is only supported in FortiOS firmware version 5.0 and higher.

For example:

[Figure: bfeng_vpndialupdiagram1.jpg (VPN dial-up diagram)]

Summary:
- The client PC establishes an SSLVPN tunnel mode connection to the FortiGate unit.
- The FortiGate unit is set up to forward the authentication request to the RADIUS server.
- If authentication is successful, the RADIUS server sends an Access-Accept packet carrying the RADIUS attribute Framed-IP-Address (the IP address assigned/reserved for that user) back to the FortiGate unit.
- The FortiGate unit uses PPP over the SSLVPN tunnel (tunnel mode) to deliver the IP address to the client PC.
Prerequisites:
- The FortiGate unit is running FortiOS 5.0 or higher.
- The FortiGate unit is connected to the Internet.
- The FortiGate unit is set up so that remote clients can connect in SSLVPN tunnel mode, authenticated by the RADIUS server. See the SSLVPN User Guide on the Technical Documentation web site (https://docs.fortinet.com) for general SSLVPN tunnel mode setup.
- The RADIUS server is properly set up with the correct Framed-IP-Address for each user, so that it sends the Framed-IP-Address associated with the user in the Access-Accept packet.
- Fortinet is not responsible for the setup of the RADIUS server.
 
Here is just an example of a FreeRADIUS users file entry for such a user (reply items are indented and comma-separated, with no comma after the last one):

fortinettest    Auth-Type := CHAP, User-Password == "fortinet"
        Service-Type = Framed-User,
        Session-Timeout = 180,
        Idle-Timeout = 120,
        Framed-IP-Address = 192.168.253.25
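
As an added example (not part of this article or of Fortinet's code), the following Python does what the Solution section describes on the FortiGate side: it parses a RADIUS Access-Accept, verifies the Response Authenticator against the shared secret before trusting any attribute, and extracts the Framed-IP-Address. The sample packet, shared secret and Request Authenticator are constructed here to mirror the FreeRADIUS entry above.

```python
import hashlib, hmac, ipaddress, struct

# RFC 2865 values; attribute 8 is the Framed-IP-Address the FortiGate hands to the tunnel client.
ACCESS_ACCEPT, ATTR_FRAMED_IP_ADDRESS, ATTR_SESSION_TIMEOUT = 2, 8, 27

def parse_attributes(payload):
    """Walk the Type(1) Length(1) Value TLV list that follows the 20-byte header."""
    attrs, i = [], 0
    while i < len(payload):
        alen = payload[i + 1] if i + 1 < len(payload) else 0
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((payload[i], payload[i + 2:i + alen]))
        i += alen
    return attrs

def verify_response_authenticator(packet, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length | RequestAuth | Attributes | Secret), RFC 2865 s3."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def framed_ip_from_access_accept(packet, request_authenticator, secret):
    """Return the Framed-IP-Address from an authentic Access-Accept, or None if it carries none."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS header or Length field")
    if packet[0] != ACCESS_ACCEPT:
        return None
    if not verify_response_authenticator(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: do not trust this reply")
    for atype, value in parse_attributes(packet[20:]):
        if atype == ATTR_FRAMED_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 bytes")
            return str(ipaddress.IPv4Address(value))
    return None

def build_access_accept(ident, request_authenticator, secret, attrs):
    """Encode an Access-Accept the way a server would; used here only to construct sample input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body

# Constructed sample mirroring the FreeRADIUS entry above; secret and request authenticator are made up.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(0x2A, REQUEST_AUTH, SECRET, [
    (ATTR_SESSION_TIMEOUT, struct.pack("!I", 180)),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.253.25").packed),
])
```

A reply whose authenticator does not match the shared secret is rejected before any attribute is read, which is the check that keeps a spoofed Access-Accept from handing out a tunnel address.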
 
To configure it via the CLI on the FortiGate:
FortiOS 5.0.X:

# config vpn ssl web portal
    edit "SSL-Portal"
        set allow-access web
        set heading "Welcome to SSL VPN Service"
        config widget
            edit 3
                set name "Tunnel Mode"
                set type tunnel
                set tunnel-status enable
                set split-tunneling enable
                set ip-mode usrgrp            <------- address is assigned by the RADIUS user group (Framed-IP-Address).
            next
        end
    next
end

FortiOS 5.2 or above:

# config vpn ssl web portal
    edit tunnel-access
        set ip-mode user-group            <------- address is assigned by the RADIUS user group (Framed-IP-Address).
    next
end