SSL VPN for remote users with MFA and user sensitivity

By default, remote LDAP and RADIUS user names are case sensitive. When a remote user object is applied to SSL VPN authentication, the user must type the exact case that is used in the user definition on the FortiGate.

Case sensitivity and accents can be ignored by disabling the username-sensitivity CLI command, allowing the remote user object to match any case or accents that the end user types in.

In this example, a remote user is configured with multi-factor authentication (MFA). The user group includes the LDAP user and server, and is applied to SSL VPN authentication and the policy.

Topology

Example configuration

To configure the LDAP server:

1. Generate and export a CA certificate from the AD server .
2. Import the CA certificate into FortiGate:
   1. Go to System > Features Visibility and ensure Certificates is enabled.
   2. Go to System > Certificates and select Import > CA Certificate.
   3. Select Local PC and then select the certificate file.

      The CA certificate now appears in the list of External CA Certificates. In this example, it is called CA_Cert_1.

   4. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:

      config vpn certificate ca
          rename CA_Cert_1 to LDAPS-CA
      end

3. Configure the LDAP user:
   1. Go to User & Authentication > LDAP Servers and click Create New.
   2. Configure the following options for this example:

      Name	WIN2K16-KLHOME
      Server IP/Name	192.168.20.6
      Server Port	636
      Common Name Identifier	sAMAccountName
      Distinguished Name	dc=KLHOME,dc=local
      Bind Type	Regular
      Username	KLHOME\\Administrator
      Password	*********
      Secure Connection	Enable
      Protocol	LDAPS
      Certificate	CA_Cert_1 This is the CA certificate that you imported in step 2.

      

   3. Click OK.

To configure an LDAP user with MFA:

1. Go to User & Authentication > User Definition and click Create New.
2. Select Remote LDAP User, then click Next.
3. Select the just created LDAP server, then click Next.

   

4. Right click to add the selected user, then click Submit.
5. Edit the user that you just created.

   The username will be pulled from the LDAP server with the same case as it has on the server.

6. Set the Email Address to the address that FortiGate will send the FortiToken to.
7. Enable Two-factor Authentication.
8. Set Authentication Type to FortiToken.
9. Set Token to a FortiToken device. See for more information.

   

10. Click OK.

To disable case and accent sensitivity on the remote user:

This can only be configured in the CLI.

config user local
    edit "fgdocs"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOBxxxxxxxxxx"
        set email-to "fgdocs@fortinet.com"
        set username-sensitivity disable
        set ldap-server "WIN2K16-KLHOME"
    next
end

To configure a user group with the remote user and the LDAP server:

1. Go to User & Authentication > User Groups and click Create New.
2. Set the Name to LDAP-USERGRP.
3. Set Members to the just created remote user.
4. In the Remote Groups table, click Add:
   1. Set Remote Server to the LDAP server.
   2. Set the group or groups that apply, and right click to add them.
   3. Click OK.

   

5. Click OK.

To apply the user group to the SSL VPN portal:

1. Go to VPN > SSL-VPN Settings.
2. In the Authentication/Portal Mapping table, click Create New.
   1. Set Users/Groups to the just created user group.
   2. Configure the remaining settings as required.
   3. Click OK.

   

3. Click Apply.

To apply the user group to a firewall policy:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Configure the following:

   Name	SSLVPNtoInteral
   Incoming Interface	SSL-VPN tunnel interface (ssl.root)
   Outgoing Interface	port3
   Source	Address - SSLVPN_TUNNEL_ADDR1 User - LDAP-USERGRP
   Destination	The address of the internal network. In this case: 192.168.20.0.
   Schedule	always
   Service	ALL
   Action	ACCEPT
   NAT	Enabled

   

3. Configuring the remaining settings as required.
4. Click OK.

To configure this example in the CLI:

1. Configure the LDAP server:

   config user ldap
       edit "WIN2K16-KLHOME"
           set server "192.168.20.6"
           set cnid "sAMAccountName"
           set dn "dc=KLHOME,dc=local"
           set type regular
           set username "KLHOME\\Administrator"
           set password *********
           set secure ldaps
           set ca-cert "CA_Cert_1"
           set port 636
       next
   end

2. Configure an LDAP user with MFA and disable case and accent sensitivity on the remote user:

   config user local
       edit "fgdocs"
           set type ldap
           set two-factor fortitoken
           set fortitoken "FTKMOBxxxxxxxxxx"
           set email-to "fgdocs@fortinet.com"
           set username-sensitivity disable
           set ldap-server "WIN2K16-KLHOME"
       next
   end

3. Configure a user group with the remote user and the LDAP server:

   config user group
       edit "LDAP-USERGRP"
           set member "fgdocs" "WIN2K16-KLHOME"
       next
   end

4. Apply the user group to the SSL VPN portal:

   config vpn ssl settings
       set servercert <server certificate>
       set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
       set source-interface "port1"
       set source-address "all"
       set default-portal "web-access"
       config authentication-rule
           edit 1
               set groups "LDAP-USERGRP"
               set portal "full-access"
           next
       end
   end

5. Apply the user group to a firewall policy:

   config firewall policy
       edit 5
           set name "SSLVPNtoInternal"
           set srcintf "ssl.root"
           set dstintf "port3"
           set srcaddr "SSLVPN_TUNNEL_ADDR1"
           set dstaddr "192.168.20.0"
           set action accept
           set schedule "always"
           set service "ALL"
           set groups "LDAP-USERGRP"
           set nat enable
       next
   end

Verification

To setup the VPN connection:

1. Download FortiClient from www.forticlient.com.
2. Open the FortiClient Console and go to Remote Access.
3. Add a new connection:
   1. Set the connection name.
   2. Set Remote Gateway to the IP of the listening FortiGate interface.
   3. If required, set the Customize Port.
4. Save your settings.

To test the connection with case sensitivity disabled:

1. Connect to the VPN:
   1. Log in to the tunnel with the username, using the same case that it is on the FortiGate.
   2. When prompted, enter your FortiToken code.

      You should now be connected.

2. Check the web portal log in using the CLI:

   # get vpn ssl monitor
   SSL VPN Login Users:
    Index   User    Group   Auth Type      Timeout         From     HTTP in/out   HTTPS in/out
    0       fgdocs          LDAP-USERGRP    16(1)           289     192.168.2.202 0/0      0/0
   
   SSL VPN sessions:
    Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    0       fgdocs          LDAP-USERGRP    192.168.2.202   45      99883/5572    10.212.134.200
   

3. Disconnect from the VPN connection.
4. Reconnect to the VPN:
   1. Log in to the tunnel with the username, using a different case than on the FortiGate.
   2. When prompted, enter your FortiToken code.

      You should now be connected.

5. Check the web portal log in using the CLI:

   # get vpn ssl monitor
   SSL VPN Login Users:
    Index   User    Group   Auth Type      Timeout         From     HTTP in/out   HTTPS in/out
    0       FGDOCS          LDAP-USERGRP    16(1)           289     192.168.2.202 0/0      0/0
   
   SSL VPN sessions:
    Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    0       FGDOCS          LDAP-USERGRP    192.168.2.202   45      99883/5572    10.212.134.200
   

In both cases, the remote user is matched against the remote LDAP user object and prompted for multi-factor authentication.

To test the connection with case and accent sensitivity enabled:

1. Enable case and accent sensitivity for the user:

   config user local
       edit "fgdocs"
           set username-sensitivity enable
       next
   end
   

2. Connect to the VPN
   1. Log in to the tunnel with the username, using the same case that it is on the FortiGate.
   2. When prompted, enter your FortiToken code.

      You should now be connected.

3. Check the web portal log in using the CLI:

   # get vpn ssl monitor
   SSL VPN Login Users:
    Index   User    Group   Auth Type      Timeout         From     HTTP in/out   HTTPS in/out
    0       fgdocs          LDAP-USERGRP    16(1)           289     192.168.2.202 0/0      0/0
   
   SSL VPN sessions:
    Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    0       fgdocs          LDAP-USERGRP    192.168.2.202   45      99883/5572    10.212.134.200
   

1. Disconnect from the VPN connection.
2. Reconnect to the VPN:
   1. Log in to the tunnel with the username, using a different case than on the FortiGate.

      You will not be prompted for your FortiToken code. You should now be connected.

3. Check the web portal log in using the CLI:

   # get vpn ssl monitor
   SSL VPN Login Users:
    Index   User    Group   Auth Type      Timeout         From     HTTP in/out   HTTPS in/out
    0       FGdocs          LDAP-USERGRP    16(1)           289     192.168.2.202 0/0      0/0
   
   SSL VPN sessions:
    Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    0       FGdocs          LDAP-USERGRP    192.168.2.202   45      99883/5572    10.212.134.200
   

In this case, the user is allowed to log in without a FortiToken code because the entered user name did not match the name defined on the remote LDAP user object. Authentication continues to be evaluated against the LDAP server though, which is not case sensitive.