Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.6.6 Administration Guide
    7.6.6
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    Agentless VPN with RADIUS on Windows NPS

    Agentless VPN with RADIUS on Windows NPS

    This is an example configuration of Agentless VPN that uses Windows Network Policy Server (NPS) as a RADIUS authentication server.

    The NPS must already be configured to accept the FortiGate as a RADIUS client and the choice of authentication method, such as MS-CHAPv2. A shared key must also have been created.

    Example

    The user is connecting from their PC to the FortiGate's port1 interface. RADIUS authentication occurs between the FortiGate and the Windows NPS, and the Agentless VPN connection is established once the authentication is successful.

    Configure Agentless VPN with RADIUS on Windows NPS in the GUI

    To configure the internal and external interfaces:

    1. Go to Network > Interfaces

    2. Edit the port1 interface and set IP/Network Mask to 192.168.2.5/24.

    3. Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.

    4. Click OK.

    To create a firewall address:

    1. Go to Policy & Objects > Addresses and select Address.

    2. Click Create new.

    3. Set Name to 192.168.20.0.

    4. Leave Type as Subnet

    5. Set IP/Netmask to 192.168.20.0/24.

    6. Click OK.

    To add the RADIUS server:

    1. Go to User & Authentication > RADIUS Servers and click Create New.

    2. Set Name to rad-server.

    3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.

    4. Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.

    5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.

    6. Optionally, click Test User Credentials to test user credentials. Testing from the GUI is limited to PAP.

    7. Click OK.

    To configure a user group:

    1. Go to User & Authentication > User Groups and click Create New.

    2. Set Name to rad-group.

    3. Under Remote Groups, click Add and add the rad-server.

    4. Click OK.

    To configure Agentless VPN portals:

    1. Configure Agentless VPN portals.

      1. Go to VPN > Agentless VPN Portals, and click Create New.

      2. Enter a name, such as agentless-portal.

      3. Under Predefined Bookmarks, click Create New, and enter the following details:

        Field

        Value

        Name

        Windows Server

        Type

        RDP

        Host

        192.168.1.114

        Port

        3389

        Single Sign-On

        Disable

        Username

        Set the username to log in to Windows Server.

        Password

        Set the password to log in to Windows Server.

        Port

        3389

      4. Click OK to save the predefined bookmark.

      5. Click OK to save the portal settings.

      6. Create another Agentless VPN portal and name it portal-access-disabled.

      7. Click OK to save the portal settings.

      8. Disable Agentless VPN for the newly created portal (that is, portal-access-disabled) using CLI:

        config vpn ssl web portal
    edit "portal-access-disabled"
        set web-mode disable
    next
end
    To configure Agentless VPN settings:

    1. Go to VPN > Agentless VPN Settings.

    2. Set Agentless VPN to Enable.

    3. Set the Listen on Interface(s) to wan1.

    4. Set Listen on Port to 10443.

    5. Set Server Certificate to the authentication certificate.

    6. In Authentication/Portal Mapping, select All Other Users/Groups, and click Edit.

    7. Use Portal dropdown to select portal-access-disabled.

    8. In Authentication/Portal Mapping, click Create New.

      1. Set Users/Groups to rad-group.

      2. Set Portal to agentless-portal.

      3. Click OK.

    9. Click Apply to save the Agentless VPN settings.

    To configure an Agentless VPN firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set Name as Agentless VPN firewall policy.

    3. Set Schedule to always and Action to Accept.

    4. Set Incoming Interface to Agentless VPN tunnel interface (ssl.root).

    5. Choose an Outgoing Interface. This example uses port1.

    6. Set Source to all and User/group to rad-group.

    7. In this example, the Destination is the internal, protected subnet 192.168.20.0.

    8. Set Service to ALL.

    9. Click OK.

    Configure Agentless VPN with RADIUS on Windows NPS in the CLI

    To configure Agentless VPN using the CLI:

    1. Configure the internal and external interfaces:

      config system interface 
    edit "port1"
        set vdom "root"
        set ip 192.168.2.5 255.255.255.0
        set alias internal
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.20.5 255.255.255.0
        set alias external
    next
end

    2. Configure the firewall address:

      config firewall address
    edit "192.168.20.0"
        set subnet 192.168.20.0 255.255.255.0
    next
end

    3. Add the RADIUS server:

      config user radius
    edit "rad-server"
        set server "192.168.20.6"
        set secret *********
    next
end

    4. Create a user group and add the RADIUS server to it:.

      config user group
    edit "rad-group"
        set member "rad-server"
    next
end

    5. Configure Agentless VPN portal and predefine RDP bookmark for windows server.

      config vpn ssl web portal
    edit "agentless-portal"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Windows Server"
                        set apptype rdp
                        set host "192.168.1.114"
                        set port 3389
                        set logon-user "your-windows-server-user-name"
                        set logon-password your-windows-server-password
                    next
                end
            next
        end
    next
end

    6. Configure another Agentless VPN portal and disable Agentless VPN on it.

      config vpn ssl web portal
    edit "portal-access-disabled"
        set web-mode disable
    next
end

    7. Configure Agentless VPN settings:

      config vpn ssl settings
    set servercert "server_certificate"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "portal-access-disabled"
    config authentication-rule
        edit 1
            set groups "rad-group"
            set portal "agentless-portal"
        next        
    end
end

    8. Configure Agentless VPN firewall policy to allow remote user to access the internal network. . This policy does not allow traffic initiated from internal network to remote client.

      config firewall policy 
   edit 1
        set name "Agentless VPN firewall policy"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups “rad-group”
    next
end

    Results

    To check the Agentless VPN connection using the GUI:

    1. On FortiGate, go to Dashboard > Agentless VPN Monitor to verify the list of Agentless VPN users.

      If the Agentless VPN Monitor is hidden, click + under the Dashboard, search for Agentless VPN Monitor, and add it to the display.

    2. Go to Log & Report > System Events, and use the dropdown to select VPN Events to view VPN logs.

    To check Agentless VPN connection using the CLI:
    # get vpn ssl monitor
Agentless VPN Login Users:
 Index   User    Group   Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       radkeith        rad-group        2(1)            295     192.168.2.202  0/0     0/0

Agentless VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    Previous
    Next

    More Links

    How to test a FortiGate user authentication to RADIUS server

    Agentless VPN with RADIUS on Windows NPS

    Agentless VPN with RADIUS on Windows NPS

    This is an example configuration of Agentless VPN that uses Windows Network Policy Server (NPS) as a RADIUS authentication server.

    The NPS must already be configured to accept the FortiGate as a RADIUS client and the choice of authentication method, such as MS-CHAPv2. A shared key must also have been created.

    Example

    The user is connecting from their PC to the FortiGate's port1 interface. RADIUS authentication occurs between the FortiGate and the Windows NPS, and the Agentless VPN connection is established once the authentication is successful.

    Configure Agentless VPN with RADIUS on Windows NPS in the GUI

    To configure the internal and external interfaces:

    1. Go to Network > Interfaces

    2. Edit the port1 interface and set IP/Network Mask to 192.168.2.5/24.

    3. Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.

    4. Click OK.

    To create a firewall address:

    1. Go to Policy & Objects > Addresses and select Address.

    2. Click Create new.

    3. Set Name to 192.168.20.0.

    4. Leave Type as Subnet

    5. Set IP/Netmask to 192.168.20.0/24.

    6. Click OK.

    To add the RADIUS server:

    1. Go to User & Authentication > RADIUS Servers and click Create New.

    2. Set Name to rad-server.

    3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.

    4. Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.

    5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.

    6. Optionally, click Test User Credentials to test user credentials. Testing from the GUI is limited to PAP.

    7. Click OK.

    To configure a user group:

    1. Go to User & Authentication > User Groups and click Create New.

    2. Set Name to rad-group.

    3. Under Remote Groups, click Add and add the rad-server.

    4. Click OK.

    To configure Agentless VPN portals:

    1. Configure Agentless VPN portals.

      1. Go to VPN > Agentless VPN Portals, and click Create New.

      2. Enter a name, such as agentless-portal.

      3. Under Predefined Bookmarks, click Create New, and enter the following details:

        Field

        Value

        Name

        Windows Server

        Type

        RDP

        Host

        192.168.1.114

        Port

        3389

        Single Sign-On

        Disable

        Username

        Set the username to log in to Windows Server.

        Password

        Set the password to log in to Windows Server.

        Port

        3389

      4. Click OK to save the predefined bookmark.

      5. Click OK to save the portal settings.

      6. Create another Agentless VPN portal and name it portal-access-disabled.

      7. Click OK to save the portal settings.

      8. Disable Agentless VPN for the newly created portal (that is, portal-access-disabled) using CLI:

        config vpn ssl web portal
    edit "portal-access-disabled"
        set web-mode disable
    next
end
    To configure Agentless VPN settings:

    1. Go to VPN > Agentless VPN Settings.

    2. Set Agentless VPN to Enable.

    3. Set the Listen on Interface(s) to wan1.

    4. Set Listen on Port to 10443.

    5. Set Server Certificate to the authentication certificate.

    6. In Authentication/Portal Mapping, select All Other Users/Groups, and click Edit.

    7. Use Portal dropdown to select portal-access-disabled.

    8. In Authentication/Portal Mapping, click Create New.

      1. Set Users/Groups to rad-group.

      2. Set Portal to agentless-portal.

      3. Click OK.

    9. Click Apply to save the Agentless VPN settings.

    To configure an Agentless VPN firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set Name as Agentless VPN firewall policy.

    3. Set Schedule to always and Action to Accept.

    4. Set Incoming Interface to Agentless VPN tunnel interface (ssl.root).

    5. Choose an Outgoing Interface. This example uses port1.

    6. Set Source to all and User/group to rad-group.

    7. In this example, the Destination is the internal, protected subnet 192.168.20.0.

    8. Set Service to ALL.

    9. Click OK.

    Configure Agentless VPN with RADIUS on Windows NPS in the CLI

    To configure Agentless VPN using the CLI:

    1. Configure the internal and external interfaces:

      config system interface 
    edit "port1"
        set vdom "root"
        set ip 192.168.2.5 255.255.255.0
        set alias internal
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.20.5 255.255.255.0
        set alias external
    next
end

    2. Configure the firewall address:

      config firewall address
    edit "192.168.20.0"
        set subnet 192.168.20.0 255.255.255.0
    next
end

    3. Add the RADIUS server:

      config user radius
    edit "rad-server"
        set server "192.168.20.6"
        set secret *********
    next
end

    4. Create a user group and add the RADIUS server to it:.

      config user group
    edit "rad-group"
        set member "rad-server"
    next
end

    5. Configure Agentless VPN portal and predefine RDP bookmark for windows server.

      config vpn ssl web portal
    edit "agentless-portal"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Windows Server"
                        set apptype rdp
                        set host "192.168.1.114"
                        set port 3389
                        set logon-user "your-windows-server-user-name"
                        set logon-password your-windows-server-password
                    next
                end
            next
        end
    next
end

    6. Configure another Agentless VPN portal and disable Agentless VPN on it.

      config vpn ssl web portal
    edit "portal-access-disabled"
        set web-mode disable
    next
end

    7. Configure Agentless VPN settings:

      config vpn ssl settings
    set servercert "server_certificate"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "portal-access-disabled"
    config authentication-rule
        edit 1
            set groups "rad-group"
            set portal "agentless-portal"
        next        
    end
end

    8. Configure Agentless VPN firewall policy to allow remote user to access the internal network. . This policy does not allow traffic initiated from internal network to remote client.

      config firewall policy 
   edit 1
        set name "Agentless VPN firewall policy"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups “rad-group”
    next
end

    Results

    To check the Agentless VPN connection using the GUI:

    1. On FortiGate, go to Dashboard > Agentless VPN Monitor to verify the list of Agentless VPN users.

      If the Agentless VPN Monitor is hidden, click + under the Dashboard, search for Agentless VPN Monitor, and add it to the display.

    2. Go to Log & Report > System Events, and use the dropdown to select VPN Events to view VPN logs.

    To check Agentless VPN connection using the CLI:
    # get vpn ssl monitor
Agentless VPN Login Users:
 Index   User    Group   Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
 0       radkeith        rad-group        2(1)            295     192.168.2.202  0/0     0/0

Agentless VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    Previous
    Next