
Handbook

User accounts and groups

6.0.0

User accounts and groups

The first step for an SSL VPN tunnel is to add the users and user groups that will access the tunnel. You may already have users defined for other authentication-based security policies.

The user group is associated with the web portal that the user sees after logging in. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules.

To create a user account:
  • In the GUI, go to User & Device > User Definition, and select Create New.
  • In the CLI, use the commands in config user local.

All users accessing the SSL tunnel must be in a firewall user group. User names can be up to 64 characters long.

To create user groups:
  • In the GUI, go to User & Device > User Groups and select Create New.
  • In the CLI, use the commands in config user group.

Note:

Guest group and SSO group have been removed from config user group and config vpn ssl web user-group-bookmark.

Authentication

Remote users must be authenticated before they can request services and/or access network resources through the web portal. The authentication process can use a password defined on the FortiGate unit or optionally use established external authentication mechanisms such as RADIUS or LDAP.

To authenticate users, you can use a plain text password on the local FortiGate unit, forward authentication requests to an external RADIUS, LDAP or TACACS+ server, or utilize PKI certificates.

Note:

FortiOS supports LDAP password renewal notification and updates through SSL VPN. Configuration is enabled using the CLI commands:

config user ldap
    edit <username>
        set server <domain>
        set password-expiry-warning enable
        set password-renewal enable
    next
end

MAC host check

When a remote client attempts to log in to the portal, you can have the FortiGate unit check against the client’s MAC address to ensure that only a specific computer or device is connecting to the tunnel. This can ensure better security should a password be compromised.

MAC addresses can be tied to specific portals, and a rule can match either the entire MAC address or only its leading bits (mac-addr-mask gives the number of leading bits to compare; 48 matches the whole address). MAC host checking is configured in the CLI using the following commands:

config vpn ssl web portal
    edit portal
        set mac-addr-check enable
        set mac-addr-action allow
        config mac-addr-check-rule
            edit "rule1"
                set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d
                set mac-addr-mask 48
            next
        end
    next
end
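To make the matching semantics concrete, here is an added illustration (not FortiOS code) of how a mac-addr-check-rule with a mask is evaluated: the leading mac-addr-mask bits of the client MAC are compared with each listed address, and mac-addr-action decides whether a match allows or denies the login. The rule data mirrors the page's example; the allow/deny interpretation of mac-addr-action is an assumption of this example.

```python
import re

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into a 48-bit integer."""
    hexdigits = re.sub(r"[:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return int(hexdigits, 16)

def mac_matches(client_mac: str, rule_mac: str, mask_bits: int) -> bool:
    """True when the leading mask_bits of both addresses are equal.
    mask_bits=48 compares the whole address; 24 compares only the OUI."""
    if not 1 <= mask_bits <= 48:
        raise ValueError("mac-addr-mask must be between 1 and 48")
    mask = ((1 << mask_bits) - 1) << (48 - mask_bits)
    return (mac_to_int(client_mac) & mask) == (mac_to_int(rule_mac) & mask)

# Constructed rule set, copied from the page's CLI example (rule1, mask 48).
RULES = [
    {
        "name": "rule1",
        "mac_addr_list": ["01:01:01:01:01:01", "08:00:27:d4:06:5d"],
        "mac_addr_mask": 48,
    },
]

def host_check(client_mac: str, rules, mac_addr_action: str = "allow") -> bool:
    """Return True if the client passes the portal's MAC host check.
    Assumed semantics: action 'allow' admits only listed MACs,
    action 'deny' admits everything except listed MACs."""
    matched = any(
        mac_matches(client_mac, listed, rule["mac_addr_mask"])
        for rule in rules
        for listed in rule["mac_addr_list"]
    )
    if mac_addr_action == "allow":
        return matched
    if mac_addr_action == "deny":
        return not matched
    raise ValueError(f"unknown mac-addr-action: {mac_addr_action!r}")

if __name__ == "__main__":
    for mac in ("08:00:27:D4:06:5D", "08:00:27:d4:06:5e"):
        print(mac, "->", "allowed" if host_check(mac, RULES) else "rejected")
```

Because the check keys on a client-reported MAC address, it raises the bar after a password compromise but is not a substitute for client certificates or a second factor.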

IP addresses for users

After the FortiGate unit authenticates a request for a tunnel-mode connection, the FortiGate unit assigns the SSL VPN client an IP address for the session. The address is assigned from an IP Pool, which is a firewall address defining an IP address range.

Caution:

Take care to prevent overlapping IP addresses. Do not assign to clients any IP addresses that are already in use on the private network. As a precaution, consider assigning IP addresses from a network that is not commonly used (for example, 10.254.254.0/24).

To set tunnel-mode client IP address range - GUI:
  1. Go to Policy & Objects > Addresses and select Create New.
  2. Enter a Name, for example, SSL_VPN_tunnel_range.
  3. Select a Type of IP Range.
  4. In the Subnet/IP Range field, enter the starting and ending IP addresses that you want to assign to SSL VPN clients, for example 10.254.254.[80-100].
  5. In Interface, select Any.
  6. Select OK.

To set tunnel-mode client IP address range - CLI:

If your SSL VPN tunnel range is, for example, 10.254.254.80 - 10.254.254.100, you could enter:

config firewall address
    edit SSL_tunnel_users
        set type iprange
        set start-ip 10.254.254.80
        set end-ip 10.254.254.100
    next
end
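The caution above asks you to keep the client pool clear of addresses already in use on the private network. The following added check (not FortiOS code) converts a start-ip/end-ip pair such as the page's 10.254.254.80 - 10.254.254.100 into CIDR blocks and reports any overlap with a list of in-use subnets; the in-use list is a constructed sample.

```python
import ipaddress
from typing import Iterable, List

def iprange_to_networks(start_ip: str, end_ip: str) -> List[ipaddress.IPv4Network]:
    """Express an inclusive start-ip..end-ip range as the minimal set of CIDR blocks."""
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    if end < start:
        raise ValueError(f"end-ip {end} precedes start-ip {start}")
    return list(ipaddress.summarize_address_range(start, end))

def pool_size(start_ip: str, end_ip: str) -> int:
    """Number of client addresses the pool can hand out."""
    return int(ipaddress.ip_address(end_ip)) - int(ipaddress.ip_address(start_ip)) + 1

def find_overlaps(start_ip: str, end_ip: str, in_use: Iterable[str]) -> List[str]:
    """Return the in-use subnets (as CIDR strings) that collide with the pool."""
    pool = iprange_to_networks(start_ip, end_ip)
    conflicts = []
    for cidr in in_use:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.overlaps(block) for block in pool):
            conflicts.append(str(net))
    return conflicts

# Constructed sample of subnets already routed on the private network.
IN_USE = ["10.0.0.0/16", "172.16.5.0/24", "192.168.1.0/24"]

if __name__ == "__main__":
    start, end = "10.254.254.80", "10.254.254.100"
    print("pool blocks:", [str(n) for n in iprange_to_networks(start, end)])
    print("pool size:", pool_size(start, end))
    print("conflicts:", find_overlaps(start, end, IN_USE) or "none")
```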

Authentication of remote users

When remote users connect to the SSL VPN tunnel, they must authenticate before they can use internal network resources. This can be as simple as assigning users their own passwords, connecting to an LDAP server, or using more secure options. FortiOS provides a number of authentication options as well as security options for connected users.

The web portal can include bookmarks to connect to internal network resources. A web (HTTP/HTTPS) bookmark can include login credentials so that the FortiGate unit automatically logs the user into the website. This means that the user logs into the SSL VPN and then does not have to enter any more credentials to visit preconfigured web sites.

Both the administrator and the end user can configure bookmarks, including SSO bookmarks. To add bookmarks as a web portal user, see Using the Bookmarks widget.

Setting the client authentication timeout

The client authentication timeout controls how long an authenticated user will remain connected. When this time expires, the system forces the remote client to authenticate again. As with the idle timeout, a shorter period of time is more secure. The default value is 28800 seconds (8 hours). You can only modify this timeout value in the CLI.

For example, to change the authentication timeout to 18000 seconds, enter the following commands in the CLI:

config vpn ssl settings
    set auth-timeout 18000
end

You can also set the idle timeout for the client, to define how long the user does not access the remote resources before they are logged out.

Additional timeout settings

SSL VPN timeout settings are also available to counter 'Slowloris' and 'R-U-Dead-Yet' vulnerabilities that allow remote attackers to cause a denial of service via partial HTTP requests.

The FortiGate solution involves two attributes (http-request-header-timeout and http-request-body-timeout).

CLI syntax

config vpn ssl settings
    set http-request-header-timeout [1-60] (seconds)
    set http-request-body-timeout [1-60] (seconds)
end

Allow one-time login per user

You can set the SSL VPN tunnel so that each user can have only one concurrent login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again.

To allow one-time login per user - GUI:

Go to VPN > SSL-VPN Portals, select a portal, and enable Limit Users to One SSL-VPN Connection at a Time. It is disabled by default.

To allow one-time login per user - CLI:

config vpn ssl web portal
    edit <portal_name>
        set limit-user-logins enable
    next
end

Strong authentication with security certificates

The FortiGate unit supports strong (two-factor) authentication through X.509 security certificates (version 1 or 3). The FortiGate unit can require clients to authenticate using a certificate, and the client can require the FortiGate unit to authenticate using a certificate.

You can select the Require Client Certificate option so that clients must authenticate using certificates. The client browser must have a local certificate installed, and the FortiGate unit must have the corresponding CA certificate installed.

When the remote client initiates a connection, the FortiGate unit prompts the client browser for its client-side certificate as part of the authentication process.

To require client authentication by security certificates - GUI:
  1. Go to VPN > SSL-VPN Settings.
  2. Select Require Client Certificate.
  3. Select Apply.

To require client authentication by security certificates - CLI:

config vpn ssl settings
    set reqclientcert enable
end

If your SSL VPN clients require strong authentication, the FortiGate unit must offer a CA certificate that the client browser has installed.

In the FortiGate unit SSL VPN settings, you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory installed (Fortinet_CA_SSLProxy) certificate from Fortinet to remote clients when they connect. If you leave the default setting, a warning appears that recommends you purchase a certificate for your domain and upload it for use.

To enable FortiGate unit authentication by certificate - GUI:
  1. Go to VPN > SSL-VPN Settings.
  2. From the Server Certificate list, select the certificate that the FortiGate unit uses to identify itself to SSL VPN clients.
  3. Select Apply.

To enable FortiGate unit authentication by certificate - CLI:

For example, to use the example_cert certificate:

config vpn ssl settings
    set servercert example_cert
end

Note:

FortiOS checks the server certificate to verify that the certificate is valid. Only use valid server certificates.

NSA Suite B cryptography support

FortiOS supports the use of ECDSA Local Certificates for SSL VPN Suite B. The National Security Agency (NSA) developed Suite B algorithms in 2005 to serve as a cryptographic base for both classified and unclassified information at an interoperable level.

FortiOS allows you to import, generate, and use ECDSA certificates defined by the Suite B cryptography set. To generate ECDSA certificates, use the following command in the CLI:

exec vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]
