FortiGate
sprashant
Staff
Article Id 283501
Description

 

This article describes the steps needed to configure the SSL VPN portals that will match against groups on the RADIUS server.

 

Scope

 

All FortiGate firmware versions.

 

Solution

 

In this article there are two groups, VPN1 and VPN2, each of which is assigned a different IP address range when connected in SSL VPN tunnel mode. The goal is for users authenticating against RADIUS to receive an IP address from the pool that belongs to their group.

 

FortiGate side:

 

Start by configuring the RADIUS server from which the user records and group mappings will be fetched.

GUI

Go to User & Authentication -> RADIUS Servers and select Create New. Under Edit RADIUS Server, fill in the Name, Authentication method and NAS IP (1), then enter the IP of the RADIUS server under Primary Server. Once done, select 'Test Connectivity'; it should report successful.

 

sprashant_28-1699394559665.png

 

At this point it is also possible to select 'Test User Credentials' to verify that a user is actually being authenticated by the RADIUS server (provided the user already exists there).

 

sprashant_29-1699394559666.png

 

CLI:

config user radius
    edit "radius-server"
        set server "192.68.101.25"
        set secret ENC 6xFGCGAjPJI+MlFFNkGBKDD7j5mIAme6Xg5iRYXG+iZasE/vYTTcjXOmh3LIOL4i2pciJQuVl4/5oS3xjWJlPgCB/SQZvxZgTAGZ86/s/KHK/JuArt1tP17A6F4WvV1wY4iYvZBfFj98nC8eATCVEingEsY5bjOsQZ9B9hiXLYY8cxcnoa11j/4Qqz6iadCXCXYZNg==
        set nas-ip 192.68.101.10
        set auth-type ms_chap_v2
    next
end

 

To test the RADIUS object from the CLI and confirm it is working properly, use the following command (2), where the authentication scheme is one of chap, pap, mschap or mschap2 and must match the method allowed on the server:

diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>

 

It shall have an output similar to:

authenticate 'username' against 'authentication scheme' succeeded, server=primary assigned_rad_session_id=479084126 session_timeout=0 secs idle_timeout=0 secs!

 

  1. Next, create the user groups: go to User & Authentication -> User Groups, select Create New, enter the Name, set Type to Firewall, and under Remote Groups select Add and choose the RADIUS server. Specifying the group name there (rather than Any) limits membership to users for whom the RADIUS server returns that name in the Fortinet-Group-Name attribute; this is what makes the per-group mapping work.

     

    sprashant_30-1699394559667.png

    sprashant_31-1699394559667.png

     

    Similarly, add the other groups; in this scenario the other group is VPN2.

     

    sprashant_32-1699394559669.png

     

    CLI:

    config user group
        edit "VPN1"
            set member "radius-server"
            config match
                edit 1
                    set server-name "radius-server"
                    set group-name "VPN1"
                next
            end
        next
        edit "VPN2"
            set member "radius-server"
            config match
                edit 1
                    set server-name "radius-server"
                    set group-name "VPN2"
                next
            end
        next
    end

     

  2. Create the SSL VPN portals to which the RADIUS groups will be mapped: VPN -> SSL-VPN Portals. Here the names are VPN1 and VPN2.

    Tunnel mode is enabled; split tunneling, if required, can be enabled based on the policy destination (3).

    In Source IP Pools, enter the address range that is to be handed out to VPN1, here 10.212.134.100 - 10.212.134.110. The GUI stores each range as a firewall address object of type IP Range; these are the SSLVPN_TUNNEL_ADDR1 and SSLVPN_TUNNEL_ADDR2 objects referenced in the CLI below.

     

    sprashant_33-1699394559673.png

     

    Similarly, the VPN2 range is 10.212.134.111 - 10.212.134.120.

     

    sprashant_34-1699394559677.png

     

    CLI:

    config vpn ssl web portal
        edit "VPN1"
            set tunnel-mode enable
            set web-mode enable
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
            set dns-suffix "google.com"
            config bookmark-group
                edit "gui-bookmarks"
                next
            end
        next
        edit "VPN2"
            set tunnel-mode enable
            set web-mode enable
            set ip-pools "SSLVPN_TUNNEL_ADDR2"
            set dns-suffix "google.com"
            config bookmark-group
                edit "gui-bookmarks"
                next
            end
        next
    end

     

  3. Finally, configure the SSL-VPN Settings (VPN -> SSL-VPN Settings). Under Tunnel Mode Client Settings select 'Specify custom IP ranges' and add both address ranges, and under Authentication/Portal Mapping map each user group to its portal. Users who authenticate but match none of these rules fall through to the default portal ('All Other Users/Groups', tunnel-access here), so make sure that portal only exposes what is intended. In production, replace the Fortinet_Factory certificate with a trusted server certificate:

     

    sprashant_35-1699394559683.png

    CLI:

    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" "SSLVPN_TUNNEL_ADDR2"
        set source-interface "port1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "tunnel-access"
        config authentication-rule
            edit 1
                set groups "VPN1"
                set portal "VPN1"
            next
            edit 2
                set groups "VPN2"
                set portal "VPN2"
            next
        end
    end

     

RADIUS side:

 

If the groups and users already exist in AD, this step can be skipped. Here two groups named the same as on the FortiGate, VPN1 and VPN2, have been created with two members each.

 

sprashant_36-1699394559684.png

 

  1. The network policies on the Network Policy Server (NPS) must be configured and mapped correctly for this to work. Go to Network Policy Server -> Policies -> Network Policies -> New:

     

    sprashant_37-1699394559686.png

     

     

  2. Give the policy a name and select Next:

     

    sprashant_38-1699394559689.png

     

     

  3. Under Specify Conditions, select Add and then select User Groups:

     

    sprashant_39-1699394559693.png

     

     

  4. Once User Groups is added, the next prompt asks for the group; select Add Groups and search for the group name, in this case VPN1 or VPN2. Each policy should be made for one group only, and the whole procedure is repeated for the other group.

     

    sprashant_40-1699394559695.png

     

    Selecting Check Names should resolve the correct group automatically:

     

    sprashant_41-1699394559696.png

     

    Select OK and then Next:

     

    sprashant_42-1699394559698.png

     

     

  5. Select Access granted in this step:

     

    sprashant_43-1699394559701.png

     

     

  6. In this step, choose the authentication methods that will be used. The list must include the method configured on the FortiGate (MS-CHAP-v2 in the CLI above), otherwise the request is rejected before any group mapping takes place:

     

    sprashant_44-1699394559702.jpeg

     

    Constraints can be modified if necessary:

     

    sprashant_45-1699394559704.jpeg

     

     

  7. In Configure Settings, some changes are necessary. Under RADIUS Attributes, go to Vendor Specific:

     

    sprashant_46-1699394559707.png

     

    Select Add, under Vendor select Custom, then select Vendor-Specific and Add:

     

    sprashant_47-1699394559710.png

     

    Select Add, and under Specify network access server vendor choose 'Enter Vendor Code' and enter 12356, Fortinet's vendor ID. Select 'Yes. It conforms.' (the attribute uses the RFC-compliant VSA layout) and then 'Configure Attribute'. For the other attributes Fortinet supports, refer to the complete list (4).

     

    sprashant_48-1699394559713.png

     

    In Configure VSA (RFC Compliant), set the Vendor-assigned attribute number to 1 (Fortinet-Group-Name), the Attribute format to 'String', and the Attribute value to the group name to map to. In this case it is VPN1; for the other policy it is VPN2. The value must match the group-name configured under config match on the FortiGate.

     

    sprashant_49-1699394559717.png

     

    Select OK; the Attribute Value will look similar to:

     

    sprashant_50-1699394559719.png

     

    Review the final setting.

     

    sprashant_51-1699394559721.png

    With this, the network policy that maps VPN1 to the FortiGate group is configured; similar policies are to be created for each group concerned.
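The following Python is an added example, not code from the original article or from Fortinet: it models the exchange the two sides above have been configured for. It builds the Fortinet-Group-Name VSA (vendor 12356, vendor-assigned attribute 1) that the NPS policy places in its Access-Accept, performs the Response Authenticator check a RADIUS client does with the shared secret before trusting any attribute, and applies a simplified version of the config match / authentication-rule lookup to choose a portal. The shared secret, Request Authenticator and packets are constructed; the selection logic illustrates the documented behaviour, it is not FortiOS code. The Filter-Id case at the end shows the common mistake of returning the group name in a standard attribute instead of the Fortinet VSA, which leaves the user in the default portal.

```python
"""RADIUS Access-Accept with Fortinet-Group-Name and the FortiGate-side group/portal match.

Added example with constructed data; not Fortinet's implementation.
"""
import hashlib
import hmac
import struct

ATTR_FILTER_ID = 11          # standard attribute; the wrong place for a FortiGate group name
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific
FORTINET_VENDOR_ID = 12356   # vendor code entered in the NPS VSA dialog
FORTINET_GROUP_NAME = 1      # vendor-assigned attribute number of Fortinet-Group-Name
CODE_ACCESS_ACCEPT = 2


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of a RADIUS attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def fortinet_group_vsa(group: str) -> bytes:
    """Fortinet-Group-Name in the RFC-conforming VSA layout NPS produces:
    Type 26 | Length | Vendor-Id 12356 | Vendor-Type 1 | Vendor-Length | String."""
    inner = attribute(FORTINET_GROUP_NAME, group.encode())
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + inner)


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: list) -> bytes:
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the NAS (the FortiGate) checks before trusting any attribute: the reply must be
    bound to its own Request Authenticator and to the shared secret."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from the attribute area; reject malformed lengths."""
    (length,) = struct.unpack("!H", packet[2:4])
    pos = 20
    while pos + 2 <= min(length, len(packet)):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def fortinet_group_names(packet: bytes) -> list:
    """Collect every Fortinet-Group-Name value; other vendors' VSAs and Filter-Id are ignored."""
    groups = []
    for attr_type, value in parse_attributes(packet):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        pos = 4                                  # walk the vendor sub-attributes
        while pos + 2 <= len(value):
            vendor_type, vendor_len = value[pos], value[pos + 1]
            if vendor_len < 2 or pos + vendor_len > len(value):
                break
            if vendor_type == FORTINET_GROUP_NAME:
                groups.append(value[pos + 2:pos + vendor_len].decode())
            pos += vendor_len
    return groups


# Mirrors the article's `config user group` ... `config match` entries:
# FortiGate group -> (server-name, group-name expected in Fortinet-Group-Name)
GROUP_MATCH = {"VPN1": ("radius-server", "VPN1"), "VPN2": ("radius-server", "VPN2")}
# Mirrors `config authentication-rule` under `config vpn ssl settings`, in rule order.
AUTH_RULES = [("VPN1", "VPN1"), ("VPN2", "VPN2")]
DEFAULT_PORTAL = "tunnel-access"                 # the 'All Other Users/Groups' row in the GUI


def select_portal(packet: bytes, server_name: str = "radius-server") -> str:
    """Simplified model of the FortiGate's group match followed by portal selection."""
    returned = set(fortinet_group_names(packet))
    member_of = {grp for grp, (srv, name) in GROUP_MATCH.items()
                 if srv == server_name and name in returned}
    for group, portal in AUTH_RULES:
        if group in member_of:
            return portal
    return DEFAULT_PORTAL


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed; not the article's ENC value
    request_authenticator = bytes(range(16))     # constructed; normally random per request
    good = build_access_accept(1, request_authenticator, secret, [fortinet_group_vsa("VPN1")])
    print(verify_response(good, request_authenticator, secret), select_portal(good))
    # Failure mode: group name sent in Filter-Id instead of the Fortinet VSA -> default portal
    wrong = build_access_accept(2, request_authenticator, secret,
                                [attribute(ATTR_FILTER_ID, b"VPN1")])
    print(fortinet_group_names(wrong), select_portal(wrong))
```

When NPS is misconfigured the symptom is exactly the second case: authentication succeeds, but the user lands in the default portal and pool because no Fortinet-Group-Name came back. A packet capture of the Access-Accept on the FortiGate, or the 'Group membership(s)' line in the diagnose test authserver output, shows which VSAs the server actually returned.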

     

Testing:

 

  1. Test the user credentials on the FortiGate to confirm that the correct group is being returned by RADIUS. Here the user falls under group VPN1.

 

T1.png

Checking a user in VPN2 as well:

 

T2.png

 

  2. Now checking on FortiClient:

    • For user mjohn, under group VPN1:

     Test 1.png

    • For user Rchang, associated with group VPN2:

     Test2.png

     

Related articles:

  1. Technical Tip: Result of leaving NAS IP field empty when RADIUS server is configured
  2. Technical Tip: Radius authentication troubleshooting
  3. Technical Tip: Enabling split tunnel feature for SSL-VPN
  4. Technical Tip: Fortinet's RADIUS Dictionary and VSAs (latest)