Administration Guide

SSL VPN with RADIUS on Windows NPS

This is an example configuration of SSL VPN that uses Windows Network Policy Server (NPS) as a RADIUS authentication server.

The NPS must already be configured to accept the FortiGate as a RADIUS client, with the chosen authentication method (such as MS-CHAPv2) enabled for the relevant network policy. A shared secret must also have been created; the same value is entered on the FortiGate when the RADIUS server is added.

Example

The user is connecting from their PC to the FortiGate's port1 interface. RADIUS authentication occurs between the FortiGate and the Windows NPS, and the SSL-VPN connection is established once the authentication is successful.

Configure SSL-VPN with RADIUS on Windows NPS in the GUI

To configure the internal and external interfaces:
  1. Go to Network > Interfaces.
  2. Edit the port1 interface and set IP/Network Mask to 192.168.2.5/24.
  3. Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.
  4. Click OK.
To create a firewall address:
  1. Go to Policy & Objects > Addresses and click Create New > Address.
  2. Set Name to 192.168.20.0.
  3. Leave Type as Subnet.
  4. Set IP/Netmask to 192.168.20.0/24.
  5. Click OK.
To add the RADIUS server:
  1. Go to User & Authentication > RADIUS Servers and click Create New.
  2. Set Name to rad-server.
  3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.
  4. Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.
  5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
  6. Optionally, click Test User Credentials to test user credentials. Testing from the GUI is limited to PAP.

  7. Click OK.
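The exchange behind steps 5 and 6 (and behind every SSL VPN login once the configuration is complete) is a RADIUS Access-Request answered by Access-Accept or Access-Reject. The following Python script is an added example, not Fortinet or Microsoft code: it builds a PAP Access-Request exactly as RFC 2865 specifies (the User-Password attribute is masked with MD5 of the shared secret, chained from the Request Authenticator), sends it over UDP, and accepts the reply only if its Response Authenticator recomputes with the same secret. The server address and NAS IP reuse the page's topology; the shared secret, user name, password and all function names are constructed placeholders. Like the GUI's Test User Credentials button, it covers PAP only.

```python
"""Minimal RADIUS (RFC 2865) PAP probe. Added illustration, not FortiGate or
NPS code. Server, secret and credentials below are placeholders; only the
packet format is standard."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte) + Length (1 byte, counts the 2 header bytes) + Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_pap_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    plain = password.encode()
    plain += b"\x00" * ((-len(plain) % 16) if plain else 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(plain[i:i + 16], mask))
        out += block
        prev = block
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> str:
    """Inverse of encode_pap_password: what the RADIUS server computes."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Code 1 | ID | Length | Request Authenticator (16 random bytes) | attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, identifier, attrs, request_authenticator, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """Client side: recompute the Response Authenticator. A mismatch means the
    two sides hold different shared secrets, or the reply was not produced by the server."""
    if len(response) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator (wrong shared secret or spoofed reply)")
    return code, identifier


def pap_probe(server, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one PAP Access-Request and return 'accept', 'reject' or 'timeout'."""
    identifier = os.urandom(1)[0]
    authenticator = os.urandom(16)
    packet = build_access_request(identifier, username, password, secret, nas_ip, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            # RFC 2865 requires a server to silently discard requests from
            # addresses it does not know as RADIUS clients.
            return "timeout"
    code, resp_id = verify_response(data, authenticator, secret)
    if resp_id != identifier:
        raise ValueError("reply identifier does not match request")
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"code {code}")


if __name__ == "__main__":
    # Addresses from the page's topology; secret and credentials are placeholders.
    print(pap_probe("192.168.20.6", b"replace-with-shared-secret",
                    "radkeith", "replace-with-password", "192.168.20.5"))
```

Two outcomes are worth reading as configuration faults rather than bad credentials: a timeout usually means the probing host's address is not registered as a RADIUS client on the NPS (step 1 of the prerequisites), and a Response Authenticator failure means the secret entered on the FortiGate differs from the one on the NPS. Note that the password masking is reversible by anyone holding the secret, which is why the shared secret deserves the same handling as a credential and why RADIUS traffic should stay on a trusted segment such as the port2 network in this example.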
To configure a user group:
  1. Go to User & Authentication > User Groups and click Create New.
  2. Set Name to rad-group.
  3. Under Remote Groups, click Add and add the rad-server.

  4. Click OK.
To configure SSL VPN settings:
  1. Go to VPN > SSL-VPN Settings.
  2. Select the Listen on Interface(s), in this example, port1.
  3. Set Listen on Port to 10443.
  4. If you have a server certificate, set Server Certificate to the authentication certificate.
  5. Under Authentication/Portal Mapping:
    1. Edit All Other Users/Groups and set Portal to web-access.
    2. Click Create New and create a mapping for the rad-group user group with Portal set to full-access.

    3. Click OK.
  6. Click Apply.
To configure an SSL VPN firewall policy:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Set the policy name, in this example, sslvpn-radius.
  3. Set Incoming Interface to the SSL-VPN tunnel interface (ssl.root).
  4. Set Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example, port2.
  5. Set the Source > Address to all and Source > User to rad-group.
  6. Set Destination > Address to the internal protected subnet 192.168.20.0.
  7. Set Schedule to always, Service to ALL, and Action to Accept.
  8. Enable NAT.

  9. Configure the remaining options as required.
  10. Click OK.

Configure SSL-VPN with RADIUS on Windows NPS in the CLI

To configure SSL VPN using the CLI:
  1. Configure the internal and external interfaces:
    config system interface
        edit "port1"
            set vdom "root"
            set ip 192.168.2.5 255.255.255.0
            set alias internal
        next
        edit "port2"
            set vdom "root"
            set ip 192.168.20.5 255.255.255.0
            set alias external
        next
    end
  2. Configure the firewall address:
    config firewall address
        edit "192.168.20.0"
            set subnet 192.168.20.0 255.255.255.0
        next
    end
  3. Add the RADIUS server:
    config user radius
        edit "rad-server"
            set server "192.168.20.6"
            set secret *********
        next
    end
  4. Create a user group and add the RADIUS server to it:
    config user group
        edit "rad-group"
            set member "rad-server"
        next
    end
  5. Configure SSL VPN settings:
    config vpn ssl settings
        set servercert "server_certificate"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set source-interface "port1"
        set source-address "all"
        set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "rad-group"
                set portal "full-access"
            next
        end
    end
  6. Configure an SSL VPN firewall policy to allow remote users to access the internal network:
    config firewall policy
        edit 1
            set name "sslvpn-radius"
            set srcintf "ssl.root"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "192.168.20.0"
            set groups "rad-group"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

Results

To connect with FortiClient in tunnel mode:
  1. Download FortiClient from www.forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection:
    1. Set the connection name.
    2. Set Remote Gateway to 192.168.2.5.
    3. Select Customize Port and set it to 10443.
  4. Save your settings.
  5. Log in using the RADIUS user credentials.
To check the SSL VPN connection using the GUI:
  1. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user’s connection.
  2. Go to Log & Report > System Events and select the VPN Events card to view the details of the SSL VPN connection event log.
  3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Group   Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       radkeith        rad-group        2(1)            295     192.168.2.202  0/0     0/0

SSL VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       radkeith        rad-group        192.168.2.202   18      28502/4966     10.212.134.200
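For routine checking, the `get vpn ssl monitor` output above is more useful once it is parsed into records that can be compared against what the configuration allows (only members of rad-group should have sessions, and only from the expected source range). The script below is an added Python example, not FortiGate code: the sample text is the output shown above, the field names are my own labels for the columns, and the parser assumes the eight-column login table and seven-column session table of that output.

```python
"""Parse `get vpn ssl monitor` text into records and flag sessions outside the
expected group or source range. Added example, not FortiGate code; column
labels are my own and the layout assumed is the one shown on this page."""
import ipaddress
from dataclasses import dataclass

# Sample copied from the Results section above.
SAMPLE_MONITOR_OUTPUT = """\
SSL VPN Login Users:
 Index   User    Group   Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       radkeith        rad-group        2(1)            295     192.168.2.202  0/0     0/0

SSL VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       radkeith        rad-group        192.168.2.202   18      28502/4966     10.212.134.200
"""


@dataclass
class LoginUser:
    index: int
    user: str
    group: str
    auth_type: str
    timeout: int
    source: str
    http_in: int
    http_out: int
    https_in: int
    https_out: int


@dataclass
class Session:
    index: int
    user: str
    group: str
    source: str
    duration: int
    bytes_in: int
    bytes_out: int
    tunnel_ip: str


def _pair(token: str):
    """Split an 'in/out' style counter such as 28502/4966."""
    a, b = token.split("/")
    return int(a), int(b)


def parse_ssl_monitor(text: str):
    """Return (login_users, sessions) from the monitor output."""
    users, sessions, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("SSL VPN Login Users"):
            section = "users"
            continue
        if stripped.startswith("SSL VPN sessions"):
            section = "sessions"
            continue
        if stripped.startswith("Index"):
            continue  # column header row
        tok = stripped.split()
        if section == "users" and len(tok) == 8:
            hi, ho = _pair(tok[6])
            si, so = _pair(tok[7])
            users.append(LoginUser(int(tok[0]), tok[1], tok[2], tok[3],
                                   int(tok[4]), tok[5], hi, ho, si, so))
        elif section == "sessions" and len(tok) == 7:
            bi, bo = _pair(tok[5])
            sessions.append(Session(int(tok[0]), tok[1], tok[2], tok[3],
                                    int(tok[4]), bi, bo, tok[6]))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return users, sessions


def unexpected_sessions(sessions, allowed_groups, allowed_sources=None):
    """Sessions whose group is not allowed, or (if allowed_sources is given)
    whose source address lies outside every allowed network."""
    nets = [ipaddress.ip_network(n) for n in (allowed_sources or [])]
    flagged = []
    for s in sessions:
        bad_group = s.group not in allowed_groups
        bad_source = bool(nets) and not any(ipaddress.ip_address(s.source) in n for n in nets)
        if bad_group or bad_source:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    _, active = parse_ssl_monitor(SAMPLE_MONITOR_OUTPUT)
    for s in unexpected_sessions(active, {"rad-group"}, ["192.168.2.0/24"]):
        print(f"unexpected session: {s.user} ({s.group}) from {s.source}")
```

Run against live output (for example, captured over SSH on a schedule), a non-empty result from `unexpected_sessions` is the condition to alert on; the parser raises on any line it cannot classify, so a changed output format fails loudly rather than silently hiding sessions.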
