Administration Guide

SSL VPN for remote users with MFA and user sensitivity

By default, remote LDAP and RADIUS user names are case sensitive. When a remote user object is applied to SSL VPN authentication, the user must type the exact case that is used in the user definition on the FortiGate.

Case sensitivity and accents can be ignored by disabling the username-sensitivity CLI command, allowing the remote user object to match any case or accents that the end user types in.

In this example, a remote user is configured with multi-factor authentication (MFA). The user group includes the LDAP user and server, and is applied to SSL VPN authentication and the policy.

Topology

Example configuration

To configure the LDAP server:
  1. Generate and export a CA certificate from the AD server.
  2. Import the CA certificate into FortiGate:
    1. Go to System > Features Visibility and ensure Certificates is enabled.
    2. Go to System > Certificates and select Import > CA Certificate.
    3. Select Local PC and then select the certificate file.

      The CA certificate now appears in the list of External CA Certificates. In this example, it is called CA_Cert_1.

    4. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:
      config vpn certificate ca
          rename CA_Cert_1 to LDAPS-CA
      end
  3. Configure the LDAP server:
    1. Go to User & Authentication > LDAP Servers and click Create New.
    2. Configure the following options for this example:

      Name: WIN2K16-KLHOME
      Server IP/Name: 192.168.20.6
      Server Port: 636
      Common Name Identifier: sAMAccountName
      Distinguished Name: dc=KLHOME,dc=local
      Bind Type: Regular
      Username: KLHOME\\Administrator
      Password: *********
      Secure Connection: Enable
      Protocol: LDAPS
      Certificate: CA_Cert_1 (the CA certificate that you imported in step 2)

    3. Click OK.
To configure an LDAP user with MFA:
  1. Go to User & Authentication > User Definition and click Create New.
  2. Select Remote LDAP User, then click Next.
  3. Select the just created LDAP server, then click Next.

  4. Right click to add the selected user, then click Submit.
  5. Edit the user that you just created.

    The username will be pulled from the LDAP server with the same case as it has on the server.

  6. Set the Email Address to the address that FortiGate will send the FortiToken to.
  7. Enable Two-factor Authentication.
  8. Set Authentication Type to FortiToken.
  9. Set Token to a FortiToken device.

  10. Click OK.
To disable case and accent sensitivity on the remote user:

This can only be configured in the CLI.

config user local
    edit "fgdocs"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOBxxxxxxxxxx"
        set email-to "fgdocs@fortinet.com"
        set username-sensitivity disable
        set ldap-server "WIN2K16-KLHOME"
    next
end
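How the username-sensitivity setting changes the way a login is evaluated, modelled in Python as an added example (this is not FortiOS code; the matching order is an assumption based on the behaviour this page describes, including the results in the Verification section). The group LDAP-USERGRP contains both the user object fgdocs and the LDAP server WIN2K16-KLHOME, as configured above. With sensitivity enabled the user object matches only the exact name; with it disabled the object matches any case or accents. A login that matches no user object falls through to the group's LDAP server member, where the directory checks the name case-insensitively and no FortiToken is requested.

```python
import unicodedata
from dataclasses import dataclass

# Added example: a model of the matching rule this page describes, not FortiOS code.
# The object, server and group names are the ones used in this page's configuration.

@dataclass
class LocalUser:
    name: str                          # as stored in 'config user local' (pulled from LDAP)
    ldap_server: str
    two_factor: bool = True            # set two-factor fortitoken
    username_sensitivity: bool = True  # FortiOS default: case and accent sensitive

def fold(name: str) -> str:
    """Case- and accent-insensitive form of a name (assumed folding rule)."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).casefold()

def user_object_matches(entered: str, user: LocalUser) -> bool:
    """username-sensitivity enable -> exact match; disable -> folded match."""
    if user.username_sensitivity:
        return entered == user.name
    return fold(entered) == fold(user.name)

def evaluate_login(entered, group_users, group_ldap_servers, ldap_accounts):
    """Decide how a login is evaluated for a group holding user objects and an LDAP server.

    ldap_accounts: sAMAccountNames known to the directory (password assumed correct).
    Returns which group member matched and whether that member brings MFA."""
    # The directory matches sAMAccountName case-insensitively; the account must exist.
    if fold(entered) not in {fold(a) for a in ldap_accounts}:
        return {"allowed": False, "matched": None, "mfa": False}
    # Assumed order: user objects in the group are checked first; a match applies their MFA.
    for user in group_users:
        if user_object_matches(entered, user):
            return {"allowed": True, "matched": "user:" + user.name, "mfa": user.two_factor}
    # No user object matched: the LDAP server member authenticates the user, no FortiToken.
    if group_ldap_servers:
        return {"allowed": True, "matched": "ldap-server:" + group_ldap_servers[0], "mfa": False}
    return {"allowed": False, "matched": None, "mfa": False}

def page_scenario(entered: str, username_sensitivity: bool) -> dict:
    """This page's setup: group LDAP-USERGRP = user object fgdocs + server WIN2K16-KLHOME."""
    fgdocs = LocalUser("fgdocs", "WIN2K16-KLHOME", two_factor=True,
                       username_sensitivity=username_sensitivity)
    return evaluate_login(entered, [fgdocs], ["WIN2K16-KLHOME"], {"fgdocs"})

if __name__ == "__main__":
    for sens in (False, True):
        for typed in ("fgdocs", "FGDOCS", "FGdocs"):
            label = "enable" if sens else "disable"
            print(f"username-sensitivity {label:7} typed={typed:7} -> {page_scenario(typed, sens)}")
```

Running the block reproduces the three verification outcomes on this page: with sensitivity disabled every spelling of fgdocs reaches the user object and is prompted for the FortiToken; with it enabled, only the exact spelling does, and FGdocs is authenticated by the LDAP server member without MFA.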
To configure a user group with the remote user and the LDAP server:
  1. Go to User & Authentication > User Groups and click Create New.
  2. Set the Name to LDAP-USERGRP.
  3. Set Members to the just created remote user.
  4. In the Remote Groups table, click Add:
    1. Set Remote Server to the LDAP server.
    2. Set the group or groups that apply, and right click to add them.
    3. Click OK.

  5. Click OK.
To apply the user group to the SSL VPN portal:
  1. Go to VPN > SSL-VPN Settings.
  2. In the Authentication/Portal Mapping table, click Create New.
    1. Set Users/Groups to the just created user group.
    2. Configure the remaining settings as required.
    3. Click OK.

  3. Click Apply.
To apply the user group to a firewall policy:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Configure the following:

    Name: SSLVPNtoInternal
    Incoming Interface: SSL-VPN tunnel interface (ssl.root)
    Outgoing Interface: port3
    Source: Address - SSLVPN_TUNNEL_ADDR1; User - LDAP-USERGRP
    Destination: the address of the internal network (in this case, 192.168.20.0)
    Schedule: always
    Service: ALL
    Action: ACCEPT
    NAT: Enabled

  3. Configure the remaining settings as required.
  4. Click OK.
To configure this example in the CLI:
  1. Configure the LDAP server:
    config user ldap
        edit "WIN2K16-KLHOME"
            set server "192.168.20.6"
            set cnid "sAMAccountName"
            set dn "dc=KLHOME,dc=local"
            set type regular
            set username "KLHOME\\Administrator"
            set password *********
            set secure ldaps
            set ca-cert "CA_Cert_1"
            set port 636
        next
    end
  2. Configure an LDAP user with MFA and disable case and accent sensitivity on the remote user:
    config user local
        edit "fgdocs"
            set type ldap
            set two-factor fortitoken
            set fortitoken "FTKMOBxxxxxxxxxx"
            set email-to "fgdocs@fortinet.com"
            set username-sensitivity disable
            set ldap-server "WIN2K16-KLHOME"
        next
    end
  3. Configure a user group with the remote user and the LDAP server:
    config user group
        edit "LDAP-USERGRP"
            set member "fgdocs" "WIN2K16-KLHOME"
        next
    end
  4. Apply the user group to the SSL VPN portal:
    config vpn ssl settings
        set servercert <server certificate>
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set source-interface "port1"
        set source-address "all"
        set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "LDAP-USERGRP"
                set portal "full-access"
            next
        end
    end
  5. Apply the user group to a firewall policy:
    config firewall policy
        edit 5
            set name "SSLVPNtoInternal"
            set srcintf "ssl.root"
            set dstintf "port3"
            set srcaddr "SSLVPN_TUNNEL_ADDR1"
            set dstaddr "192.168.20.0"
            set action accept
            set schedule "always"
            set service "ALL"
            set groups "LDAP-USERGRP"
            set nat enable
        next
    end

Verification

To set up the VPN connection:
  1. Download FortiClient from www.forticlient.com.
  2. Open the FortiClient Console and go to Remote Access.
  3. Add a new connection:
    1. Set the connection name.
    2. Set Remote Gateway to the IP of the listening FortiGate interface.
    3. If required, set the Customize Port.
  4. Save your settings.
To test the connection with case sensitivity disabled:
  1. Connect to the VPN:
    1. Log in to the tunnel with the username, using the same case that it is on the FortiGate.
    2. When prompted, enter your FortiToken code.

      You should now be connected.

  2. Check the web portal login using the CLI:
    # get vpn ssl monitor
    SSL VPN Login Users:
     Index   User    Group   Auth Type      Timeout         From     HTTP in/out   HTTPS in/out
     0       fgdocs          LDAP-USERGRP    16(1)           289     192.168.2.202 0/0      0/0
    
    SSL VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       fgdocs          LDAP-USERGRP    192.168.2.202   45      99883/5572    10.212.134.200
    
  3. Disconnect from the VPN connection.
  4. Reconnect to the VPN:
    1. Log in to the tunnel with the username, using a different case than on the FortiGate.
    2. When prompted, enter your FortiToken code.

      You should now be connected.

  5. Check the web portal login using the CLI:
    # get vpn ssl monitor
    SSL VPN Login Users:
     Index   User    Group   Auth Type      Timeout         From     HTTP in/out   HTTPS in/out
     0       FGDOCS          LDAP-USERGRP    16(1)           289     192.168.2.202 0/0      0/0
    
    SSL VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       FGDOCS          LDAP-USERGRP    192.168.2.202   45      99883/5572    10.212.134.200
    

In both cases, the remote user is matched against the remote LDAP user object and prompted for multi-factor authentication.

To test the connection with case and accent sensitivity enabled:
  1. Enable case and accent sensitivity for the user:
    config user local
        edit "fgdocs"
            set username-sensitivity enable
        next
    end
    
  2. Connect to the VPN:
    1. Log in to the tunnel with the username, using the same case that it is on the FortiGate.
    2. When prompted, enter your FortiToken code.

      You should now be connected.

  3. Check the web portal login using the CLI:
    # get vpn ssl monitor
    SSL VPN Login Users:
     Index   User    Group   Auth Type      Timeout         From     HTTP in/out   HTTPS in/out
     0       fgdocs          LDAP-USERGRP    16(1)           289     192.168.2.202 0/0      0/0
    
    SSL VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       fgdocs          LDAP-USERGRP    192.168.2.202   45      99883/5572    10.212.134.200
    
  4. Disconnect from the VPN connection.
  5. Reconnect to the VPN:
    1. Log in to the tunnel with the username, using a different case than on the FortiGate.

      You will not be prompted for your FortiToken code. You should now be connected.

  6. Check the web portal login using the CLI:
    # get vpn ssl monitor
    SSL VPN Login Users:
     Index   User    Group   Auth Type      Timeout         From     HTTP in/out   HTTPS in/out
     0       FGdocs          LDAP-USERGRP    16(1)           289     192.168.2.202 0/0      0/0
    
    SSL VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       FGdocs          LDAP-USERGRP    192.168.2.202   45      99883/5572    10.212.134.200
    

In this case, the user is allowed to log in without a FortiToken code because the entered user name did not match the name defined on the remote LDAP user object, so that object's two-factor setting is never applied. Authentication is still evaluated against the LDAP server, which is also a member of the user group and is not case sensitive.
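A check an administrator can run over this output, written in Python as an added example (not FortiOS code; the sample output is constructed from the tables above): parse the SSL VPN Login Users table of get vpn ssl monitor and compare each logged-in name with the names defined in config user local. A name that equals a user object only after case and accent folding, while that object has username-sensitivity enabled, is a login that the user object, and therefore its FortiToken requirement, did not catch, exactly the situation in the last test above.

```python
import unicodedata

# Constructed sample modelled on the 'get vpn ssl monitor' output shown on this page.
SAMPLE_MONITOR = """SSL VPN Login Users:
 Index   User    Group   Auth Type      Timeout         From     HTTP in/out   HTTPS in/out
 0       FGdocs          LDAP-USERGRP    16(1)           289     192.168.2.202 0/0      0/0
 1       fgdocs          LDAP-USERGRP    16(1)           289     192.168.2.203 0/0      0/0
 2       jdoe            LDAP-USERGRP    16(1)           289     192.168.2.204 0/0      0/0

SSL VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       FGdocs          LDAP-USERGRP    192.168.2.202   45      99883/5572    10.212.134.200
"""

def fold(name: str) -> str:
    """Case- and accent-insensitive form of a name (assumed folding rule)."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).casefold()

def parse_login_users(monitor_text: str):
    """Return (user, group, from_ip) tuples from the 'SSL VPN Login Users' table only."""
    rows = []
    in_table = False
    for line in monitor_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("SSL VPN Login Users:"):
            in_table = True
            continue
        if not in_table:
            continue
        if not stripped or stripped.startswith("SSL VPN sessions:"):
            break                      # end of the login-users table
        fields = stripped.split()
        if not fields[0].isdigit():
            continue                   # column header line
        # Index, User, Group, Auth Type, Timeout, From, ...
        rows.append((fields[1], fields[2], fields[5]))
    return rows

def audit_sessions(monitor_text: str, local_users: dict):
    """local_users maps each 'config user local' name to its username-sensitivity flag
    (True = enable, exact match required). Returns one finding per logged-in user."""
    folded = {fold(name): name for name in local_users}
    findings = []
    for user, group, src in parse_login_users(monitor_text):
        if user in local_users:
            status = "exact"           # the user object matched; its MFA setting applied
        elif fold(user) in folded:
            configured = folded[fold(user)]
            # Sensitivity enabled: the object did not match, so the LDAP server member
            # authenticated this user without the object's FortiToken requirement.
            status = "variant-no-mfa" if local_users[configured] else "variant-ok"
        else:
            status = "no-user-object"  # authenticated by the LDAP server member alone
        findings.append({"user": user, "group": group, "from": src, "status": status})
    return findings

if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_MONITOR, {"fgdocs": True}):
        print(finding)
```

In practice the monitor output would come from the CLI and the user names from the FortiGate configuration; with username-sensitivity disabled on the object, the same FGdocs row is reported as a harmless case variant instead.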
