Dynamic address support for SSL VPN policies

Dynamic SSO user groups can be used in place of address objects when configuring SSL VPN policies. This allows dynamic IP addresses to be used in SSL VPN policies. A remote user group is used for authentication, while an FSSO group is used separately for authorization. Using a dummy policy for remote user authentication and a policy for FSSO group authorization, FSSO can be used with SSL VPN tunnels.

This image shows the authentication and authorization flow:

In this example, FortiAuthenticator is used as a RADIUS server. It uses a remote AD/LDAP server for authentication, then returns the authentication results to the FortiGate. This allows the client to have a dynamic IP address after successful authentication.

First, on the LDAP server, create two users each in their own group, user142 in group pc_group1, and user143 in group pc_group2.

Configure the FortiAuthenticator

To add a remote LDAP server and users on the FortiAuthenticator:
  1. Go to Authentication > Remote Auth. Servers > LDAP.
  2. Click Create New.
  3. Set the following:
    • Name: ad_ldap_60
    • Primary server name/IP: 172.16.200.60
    • Base distinguished name: dc=fsso-qa,dc=com
    • Bind type: Regular
    • Username: cn=administrator,cn=User
    • Password: <enter a password>
  4. Click OK.
  5. Edit the new LDAP server.
  6. Import the remote LDAP users.
  7. Edit each user to confirm that they have the RADIUS attribute Acct-Interim-Interval. The FortiGate uses this attribute to send interim accounting update messages to the RADIUS server.

To create a RADIUS client for FortiGate as a remote authentication server:
  1. Go to Authentication > RADIUS Service > Clients.
  2. Click Create New.
  3. Set the following:
    • Name: fsso_ldap
    • Client address: Range 172.16.200.1~172.16.200.10
    • Secret: <enter a password>
  4. In the Realms table, set the realm to the LDAP server that was just added: ad_ldap_60.
  5. Click OK.

    FortiAuthenticator can now be used as a RADIUS server, and the authentication credentials all come from the DC/LDAP server.

Fortinet Single Sign-On Collector Agent

To configure the Fortinet Single Sign-On Collector Agent:
  1. Select Require authenticated connection from FortiGate and enter a Password.
  2. Click Advanced Settings.
  3. Select the RADIUS Accounting tab.
  4. Select Enable RADIUS accounting server and set the Shared secret.

  5. Click OK, then click Save & Close.

    The collector agent can now accept accounting requests from the FortiGate, and retrieve the IP addresses and usernames of SSL VPN clients from the FortiGate through those accounting request messages.
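The accounting exchange described above is what ties a dynamic tunnel IP to a directory user. The following Python is an added illustration, not part of this cookbook and not Fortinet's code: it models a FortiGate sending an RFC 2866 Accounting-Request (User-Name, Framed-IP-Address, Acct-Status-Type, Acct-Session-Id, Acct-Interim-Interval) and a minimal collector-side listener that verifies the Request Authenticator with the shared secret, learns or forgets the IP-to-user mapping on Start/Interim-Update/Stop, and answers with an Accounting-Response. The usernames and tunnel IPs are the ones shown on this page; the shared secret 123456 is the value in the page's CLI configuration; the session IDs and the `CollectorAgent` class are constructed for the example. It also shows why the shared secret on both sides matters: a request built with the wrong secret is silently dropped and never creates a mapping.

```python
"""Toy model of the FortiGate -> FSSO collector agent RADIUS accounting exchange.
Constructed example (RFC 2866 framing); not Fortinet code."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS = 1, 8
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID, ATTR_ACCT_INTERIM_INTERVAL = 40, 44, 85
STATUS_START, STATUS_STOP, STATUS_INTERIM_UPDATE = 1, 2, 3


def _attr(atype, value):
    # Attribute = Type (1 octet) + Length (1 octet, header included) + Value
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_accounting_request(ident, secret, user, framed_ip, status, session_id, interim=600):
    """What the NAS (here the FortiGate) sends once an SSL VPN user has authenticated."""
    attrs = b"".join([
        _attr(ATTR_USER_NAME, user.encode()),
        _attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed),
        _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
        _attr(ATTR_ACCT_SESSION_ID, session_id.encode()),
        _attr(ATTR_ACCT_INTERIM_INTERVAL, struct.pack("!I", interim)),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def _parse_attributes(raw):
    attrs, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("bad attribute length")
        attrs[atype] = raw[i + 2:i + alen]
        i += alen
    return attrs


class CollectorAgent:
    """Stand-in for the collector agent's accounting listener (constructed class).
    Maintains the dynamic IP -> user table that the FSSO policies consume."""

    def __init__(self, secret):
        self.secret = secret
        self.ip_to_user = {}

    def receive(self, packet):
        """Return the Accounting-Response bytes, or None when the packet is discarded."""
        if len(packet) < 20:
            return None
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCOUNTING_REQUEST or length != len(packet):
            return None
        authenticator, raw_attrs = packet[4:20], packet[20:]
        expected = hashlib.md5(packet[:4] + bytes(16) + raw_attrs + self.secret).digest()
        if not hmac.compare_digest(authenticator, expected):
            return None  # wrong shared secret: silently discard, as RFC 2866 requires
        try:
            attrs = _parse_attributes(raw_attrs)
            user = attrs[ATTR_USER_NAME].decode()
            ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS]))
            status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        except (KeyError, ValueError, UnicodeDecodeError, struct.error):
            return None
        if status in (STATUS_START, STATUS_INTERIM_UPDATE):
            self.ip_to_user[ip] = user      # learn / refresh the mapping
        elif status == STATUS_STOP:
            self.ip_to_user.pop(ip, None)   # tunnel is gone: forget the mapping
        header = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20)
        # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); no attributes here
        return header + hashlib.md5(header + authenticator + self.secret).digest()


def demo():
    """Constructed exchange using the users and tunnel IPs shown on this page."""
    secret = b"123456"                      # shared secret from the page's CLI
    agent, out = CollectorAgent(secret), {}
    start = build_accounting_request(1, secret, "user142", "10.212.134.200", STATUS_START, "sess-142")
    resp = agent.receive(start)
    out["start_accepted"] = resp is not None and resp[0] == ACCOUNTING_RESPONSE
    out["after_start"] = dict(agent.ip_to_user)
    forged = build_accounting_request(2, b"not-the-secret", "user143", "10.212.134.201", STATUS_START, "sess-143")
    out["forged_rejected"] = agent.receive(forged) is None
    out["after_forged"] = dict(agent.ip_to_user)
    stop = build_accounting_request(3, secret, "user142", "10.212.134.200", STATUS_STOP, "sess-142")
    agent.receive(stop)
    out["after_stop"] = dict(agent.ip_to_user)
    return out


if __name__ == "__main__":
    print(demo())
```

The interim interval set on the FortiGate (`acct-interim-interval 600` in the CLI on this page) is what keeps the mapping fresh: without periodic Interim-Update messages, a collector that ages out entries would drop a still-connected user from its table and the FSSO authorization policy would stop matching.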

Configure the FortiGate

To configure the FortiGate in the CLI:
  1. Create a Fortinet Single Sign-On Agent fabric connector:
    config user fsso
        edit "AD_CollectAgent"
            set server "172.16.200.60"
            set password 123456
        next
    end
  2. Add the RADIUS server:
    config user radius
        edit "rad150"
            set server "172.16.200.150"
            set secret 123456
            set acct-interim-interval 600
            config accounting-server
                edit 1
                    set status enable
                    set server "172.16.200.60"
                    set secret 123456
                next
            end
        next
    end
  3. Create a user group for the RADIUS server:
    config user group
        edit "rad_group"
            set member "rad150"
        next
    end
  4. Create user groups for each of the FSSO groups:
    config user group
        edit "fsso_group1"
            set group-type fsso-service
            set member "CN=PC_GROUP1,OU=TESTING,DC=FSSO-QA,DC=COM"
        next
        edit "fsso_group2"
            set group-type fsso-service
            set member "CN=PC_GROUP2,OU=TESTING,DC=FSSO-QA,DC=COM"
        next
    end
  5. Create an SSL VPN portal and assign the RADIUS user group to it:
    config vpn ssl web portal
        edit "testportal"
            set tunnel-mode enable
            set ipv6-tunnel-mode enable
            set web-mode enable
            ...
        next
    end
    config vpn ssl settings
        ...
        set default-portal "full-access"
        config authentication-rule
            edit 1
                set groups "rad_group"
                set portal "testportal"
            next
        end
    end
  6. Create firewall addresses:
    config firewall address
        edit "none"
            set subnet 0.0.0.0 255.255.255.255
        next
        edit "pc4"
            set subnet 172.16.200.44 255.255.255.255
        next
        edit "pc5"
            set subnet 172.16.200.55 255.255.255.255
        next
    end
  7. Create one dummy policy for authentication only, and two normal policies for authorization:
    config firewall policy
        edit 1
            set name "sslvpn_authentication"
            set srcintf "ssl.vdom1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "none"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set groups "rad_group"
            set nat enable
        next
        edit 3
            set name "sslvpn_authorization1"
            set srcintf "ssl.vdom1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "pc4"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set groups "fsso_group1"
            set nat enable
        next
        edit 4
            set name "sslvpn_authorization2"
            set srcintf "ssl.vdom1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "pc5"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set groups "fsso_group2"
            set nat enable
        next
    end
To create an FSSO agent fabric connector in the GUI:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New.
  3. Click Fortinet Single Sign-On Agent.
  4. Enter the name and Primary FSSO agent information.

  5. Click Apply & Refresh.

    The FSSO groups are retrieved from the collector agent.

To add the RADIUS server in the GUI:
  1. Go to User & Device > RADIUS Servers.
  2. Click Create New.
  3. Enter a name for the server.
  4. Enter the IP/Name and Secret for the primary server.
  5. Click Test Connectivity to ensure that there is a successful connection.

  6. Click OK.
  7. Configure an accounting server with the following CLI command:
    config user radius
        edit rad150
            set acct-interim-interval 600
            config accounting-server
                edit 1
                    set status enable
                    set server 172.16.200.60
                    set secret *********
                next
            end
        next
    end
To create a user group for the RADIUS server in the GUI:
  1. Go to User & Device > User Groups.
  2. Click Create New.
  3. Enter a name for the group and set the Type to Firewall.
  4. Add the RADIUS server as a remote group.

  5. Click OK.
To create user groups for each of the FSSO groups in the GUI:
  1. Go to User & Device > User Groups.
  2. Click Create New.
  3. Enter a name for the group and set the Type to Fortinet Single Sign-On (FSSO).
  4. Add PC_GROUP1 as a member:

    CN=PC_GROUP1,OU=TESTING,DC=FSSO-QA,DC=COM

  5. Click OK.
  6. Add a second user group with PC_GROUP2 as a member:

    CN=PC_GROUP2,OU=TESTING,DC=FSSO-QA,DC=COM

  7. Click OK.
To create an SSL VPN portal and assign the RADIUS user group to it in the GUI:
  1. Go to VPN > SSL VPN Portals.
  2. Click Create New.
  3. Configure the portal, then click OK.
  4. Go to VPN > SSL VPN Settings.
  5. Configure the required settings.
  6. Create an Authentication/Portal Mapping table entry:
    1. Click Create New.
    2. Set User/Groups to rad_group.
    3. Set Portal to testportal.
    4. Click OK.
  7. Click OK.
To create policies for authentication and authorization in the GUI:
  1. Go to Policy & Object > IPv4 Policy.
  2. Configure a dummy policy for authentication. Set the destination to none so that traffic is not allowed through the FortiGate, and add rad_group as a source.
  3. Configure two authorization policies, with the FSSO groups as sources.

Confirmation

On Client 1, log in to FortiClient using user142. Traffic can go to pc4 (172.16.200.44), but cannot go to pc5 (172.16.200.55).

On Client 2, log in to FortiClient using user143. Traffic can go to pc5 (172.16.200.55), but cannot go to pc4 (172.16.200.44).

On the FortiGate, check the authenticated users list and the SSL VPN status:

# diagnose firewall auth list

10.212.134.200, USER142
        type: fsso, id: 0, duration: 173, idled: 173
        server: AD_CollectAgent
        packets: in 0 out 0, bytes: in 0 out 0
        user_id: 16777229
        group_id: 3 33554434
        group_name: fsso_group1 CN=PC_GROUP1,OU=TESTING,DC=FSSO-QA,DC=COM

10.212.134.200, user142
        type: fw, id: 0, duration: 174, idled: 174
        expire: 259026, allow-idle: 259200
        flag(80): sslvpn
        server: rad150
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 4
        group_name: rad_group

10.212.134.201, USER143
        type: fsso, id: 0, duration: 78, idled: 78
        server: AD_CollectAgent
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 1 33554435
        group_name: fsso_group2 CN=PC_GROUP2,OU=TESTING,DC=FSSO-QA,DC=COM

10.212.134.201, user143
        type: fw, id: 0, duration: 79, idled: 79
        expire: 259121, allow-idle: 259200
        flag(80): sslvpn
        server: rad150
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 4
        group_name: rad_group

----- 4 listed, 0 filtered ------
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       user142         2(1)            600     10.1.100.145   0/0     0/0
 1       user143         2(1)            592     10.1.100.254   0/0     0/0

SSL VPN sessions:
 Index   User    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       user142         10.1.100.145    104     32190/16480    10.212.134.200
 1       user143         10.1.100.254    11      4007/4966      10.212.134.201
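The two `diagnose firewall auth list` entries per tunnel IP (one `fw` entry from the RADIUS authentication, one `fsso` entry from the collector agent) are what the policies match on. As an added check, not part of this cookbook and not Fortinet's code, the following Python parses that diagnostic output into records, collects the groups attached to each source IP, and walks the page's three policies in order with the page's address objects to confirm the expected outcome: user142's tunnel reaches pc4 only and user143's reaches pc5 only. The auth list text is the output shown above (trimmed to the fields the check uses); the policy and address tables are transcribed from the page's CLI; the function names are constructed. It also makes visible why the dummy policy never passes traffic: its destination `none` is 0.0.0.0/32, which no real destination falls into.

```python
"""Parse 'diagnose firewall auth list' output and replay the page's policies against it.
Constructed example; not Fortinet code."""
import ipaddress
import re

# Output of "diagnose firewall auth list" as shown on this page, trimmed to the fields used.
AUTH_LIST = """\
10.212.134.200, USER142
        type: fsso, id: 0, duration: 173, idled: 173
        server: AD_CollectAgent
        group_name: fsso_group1 CN=PC_GROUP1,OU=TESTING,DC=FSSO-QA,DC=COM

10.212.134.200, user142
        type: fw, id: 0, duration: 174, idled: 174
        flag(80): sslvpn
        server: rad150
        group_name: rad_group

10.212.134.201, USER143
        type: fsso, id: 0, duration: 78, idled: 78
        server: AD_CollectAgent
        group_name: fsso_group2 CN=PC_GROUP2,OU=TESTING,DC=FSSO-QA,DC=COM

10.212.134.201, user143
        type: fw, id: 0, duration: 79, idled: 79
        flag(80): sslvpn
        server: rad150
        group_name: rad_group

----- 4 listed, 0 filtered ------
"""

ADDRESSES = {  # "config firewall address" from the page, plus the built-in "all"
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "none": ipaddress.ip_network("0.0.0.0/32"),
    "pc4": ipaddress.ip_network("172.16.200.44/32"),
    "pc5": ipaddress.ip_network("172.16.200.55/32"),
}

POLICIES = [  # "config firewall policy" from the page, in evaluation order
    {"name": "sslvpn_authentication", "dstaddr": "none", "groups": {"rad_group"}},
    {"name": "sslvpn_authorization1", "dstaddr": "pc4", "groups": {"fsso_group1"}},
    {"name": "sslvpn_authorization2", "dstaddr": "pc5", "groups": {"fsso_group2"}},
]

ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}), (\S+)$")


def parse_auth_list(text):
    """One record per (ip, user) entry; nested fields are the indented lines that follow."""
    entries, current = [], None
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            current = {"ip": m.group(1), "user": m.group(2), "type": None,
                       "server": None, "groups": [], "dn": None}
            entries.append(current)
            continue
        line = raw.strip()
        if current is None or not line:
            continue
        if line.startswith("type:"):
            current["type"] = line.split(",", 1)[0].split(":", 1)[1].strip()
        elif line.startswith("server:"):
            current["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("group_name:"):
            # FortiGate group name comes first; FSSO entries append the directory DN
            name, _, dn = line.split(":", 1)[1].strip().partition(" ")
            current["groups"].append(name)
            current["dn"] = dn or None
    return entries


def groups_for_ip(entries, ip):
    """All groups attached to a source IP across its fw and fsso entries."""
    return {g for e in entries if e["ip"] == ip for g in e["groups"]}


def matching_policy(entries, src_ip, dst_ip, policies=POLICIES, addresses=ADDRESSES):
    """Name of the first policy whose destination and groups both match, else None (implicit deny)."""
    src_groups = groups_for_ip(entries, src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for pol in policies:
        if dst in addresses[pol["dstaddr"]] and src_groups & pol["groups"]:
            return pol["name"]
    return None


def access_matrix(text=AUTH_LIST, targets=("172.16.200.44", "172.16.200.55")):
    """(src, dst) -> matching policy name, for every tunnel IP in the auth list."""
    entries = parse_auth_list(text)
    return {(src, dst): matching_policy(entries, src, dst)
            for src in sorted({e["ip"] for e in entries}) for dst in targets}


if __name__ == "__main__":
    for (src, dst), pol in access_matrix().items():
        print(f"{src} -> {dst}: {pol or 'denied'}")
```

To apply the same check to a live FortiGate, paste the real `diagnose firewall auth list` output into `AUTH_LIST` and transcribe the actual address and policy tables; a tunnel IP that shows only a `fw` entry and no `fsso` entry will match nothing but the dummy policy, which is the symptom to look for when the collector agent is not receiving accounting messages.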