Dynamic address support for SSL VPN policies

Dynamic FSSO user groups can be used in place of address objects when configuring SSL VPN policies, so that a policy matches the dynamic tunnel IP address assigned to the user instead of a fixed address. A remote (RADIUS) user group is used for authentication, while an FSSO group is used separately for authorization: a dummy policy authenticates the remote user and brings the tunnel up, and a second policy grants access based on FSSO group membership. In this way, FSSO can be used with SSL VPN tunnels.

This image shows the authentication and authorization flow:

In this example, FortiAuthenticator is used as a RADIUS server. It authenticates the SSL VPN user against a remote AD/LDAP server and returns the result to the FortiGate. After successful authentication the client is assigned a dynamic IP address from the tunnel pool, so the authorization policy must match that dynamic address rather than a static address object.

First, on the LDAP server, create two users, each in its own group: user142 in group pc_group1 and user143 in group pc_group2.

Configure the FortiAuthenticator

To add a remote LDAP server and users on the FortiAuthenticator:
  1. Go to Authentication > Remote Auth. Servers > LDAP.
  2. Click Create New.
  3. Set the following:
    • Name: ad_ldap_60
    • Primary server name/IP:
    • Base distinguished name: dc=fsso-qa,dc=com
    • Bind type: Regular
    • Username: cn=administrator,cn=User
    • Password: <enter a password>
  4. Click OK.
  5. Edit the new LDAP server.
  6. Import the remote LDAP users.
  7. Edit each user to confirm that it has the RADIUS attribute Acct-Interim-Interval. The FortiGate uses this attribute to send interim accounting update messages to the RADIUS server.

To create a RADIUS client entry for the FortiGate, so that the FortiGate can use FortiAuthenticator as its remote authentication server:
  1. Go to Authentication > RADIUS Service > Clients.
  2. Click Create New.
  3. Set the following:
    • Name: fsso_ldap
    • Client address: Range
    • Secret: <enter a password>
  4. In the Realms table, set the realm to the LDAP server that was just added: ad_ldap_60.
  5. Click OK.

    FortiAuthenticator can now be used as a RADIUS server, and the authentication credentials all come from the DC/LDAP server.
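The FortiGate-side counterpart of the RADIUS client entry above, and of the dummy-policy plus FSSO-policy structure described at the top of this page, as an added CLI example that is not part of the original page. The server IP address (192.0.2.10), interface names (port1, port2), the internal subnet, the tunnel pool name, and all object names are assumptions; the shared secret must match the secret entered for the fsso_ldap client on FortiAuthenticator. The dynamic address syntax (set type dynamic / set sub-type fsso / set fsso-group) and whether the FSSO policy on ssl.root also requires a user group should be checked against the CLI reference for the FortiOS version in use.

```text
# Added example, not from the original page. IPs, interface and object names are
# assumptions; verify the dynamic-address syntax against your FortiOS CLI reference.

# 1. RADIUS server object pointing at FortiAuthenticator (the "fsso_ldap" client entry
#    created above). Accounting goes to the same server so that the user-to-tunnel-IP
#    mapping can be learned; the interim interval pairs with the Acct-Interim-Interval
#    attribute confirmed on each imported user.
config user radius
    edit "fac_radius"
        set server "192.0.2.10"
        set secret "<same secret as the fsso_ldap RADIUS client>"
        set acct-interim-interval 600
        config accounting-server
            edit 1
                set status enable
                set server "192.0.2.10"
                set secret "<same secret as the fsso_ldap RADIUS client>"
                set port 1813
            next
        end
    next
end

# 2. Remote user group used only for SSL VPN authentication.
config user group
    edit "sslvpn_radius_users"
        set member "fac_radius"
    next
end

# 3. FSSO group used only for authorization. The member is the group DN as reported
#    by the collector agent (pc_group1 from the LDAP setup above).
config user group
    edit "fsso_pc_group1"
        set group-type fsso-service
        set member "CN=pc_group1,DC=fsso-qa,DC=com"
    next
end

# 4. Dynamic address object backed by the FSSO group. This is what replaces a static
#    address object in the SSL VPN policy; it resolves to the tunnel IPs of users
#    currently mapped into pc_group1.
config firewall address
    edit "addr_fsso_pc_group1"
        set type dynamic
        set sub-type fsso
        set fsso-group "CN=pc_group1,DC=fsso-qa,DC=com"
    next
    edit "dummy_dst"
        set subnet 192.0.2.254 255.255.255.255
    next
    edit "internal_net"
        set subnet 10.10.0.0 255.255.0.0
    next
end

# 5. SSL VPN settings: the RADIUS group is allowed to bring up a tunnel.
config vpn ssl settings
    set source-interface "port1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    config authentication-rule
        edit 1
            set groups "sslvpn_radius_users"
            set portal "full-access"
        next
    end
end

# 6a. Dummy policy: its only purpose is to authenticate the RADIUS group. The
#     destination is a throw-away host object, so it grants no real access.
# 6b. Authorization policy: the source is the FSSO-backed dynamic address, so only
#     tunnels whose user has been mapped into pc_group1 can reach internal_net.
config firewall policy
    edit 1
        set name "sslvpn_auth_dummy"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "dummy_dst"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn_radius_users"
    next
    edit 2
        set name "sslvpn_fsso_pc_group1"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "addr_fsso_pc_group1"
        set dstaddr "internal_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The split matters for least privilege: a user who authenticates via RADIUS but is not a member of pc_group1 gets a tunnel and nothing else, because the only policy that reaches internal_net is keyed on the FSSO-derived dynamic address, not on the fact that a RADIUS login succeeded. Keep policy 1 above policy 2 in the list and check with `diagnose firewall dynamic list` (or the equivalent in your version) that the dynamic address actually resolves to the expected tunnel IP after the user logs on.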

Fortinet Single Sign-On Collector Agent

To configure the Fortinet Single Sign-On Collector Agent:
  1. Select Require auth