Fortinet black logo

Administration Guide

SSL VPN with multiple RADIUS servers

SSL VPN with multiple RADIUS servers

When configuring two or more RADIUS servers, you can configure a Primary and Secondary server within the same RADIUS server configurations for backup purposes. You can also configure multiple RADIUS servers within the same User Group to service the access request at the same time.

Tooltip

A tertiary server can be configured in the CLI.

Sample topology

Sample configurations

Configure a Primary and Secondary server for backup

When you define a Primary and Secondary RADIUS server, the access request will always be sent to the Primary server first. If the request is denied with an Access-Reject, then the user authentication fails. However, if there is no response from the Primary server after another attempt, the access request will be sent to the Secondary server.

In this example, you will use a Windows NPS server as the Primary server and a FortiAuthenticator as the Secondary server. It is assumed that users are synchronized between the two servers.

To configure the internal and external interfaces:
  1. Go to Network > Interfaces.
  2. Edit the port1 interface and set IP/Network Mask to 192.168.2.5/24.
  3. Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.
  4. Click OK.
To create a firewall address:
  1. Go to Policy & Objects > Addresses and select Address.
  2. Click Create new.
  3. Set Name to 192.168.20.0.
  4. Leave Type as Subnet
  5. Set IP/Netmask to 192.168.20.0/24.
  6. Click OK.
To add the RADIUS servers:
  1. Go to User & Authentication > RADIUS Servers and click Create New.
  2. Set Name to PrimarySecondary.
  3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.
  4. Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.
  5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
  6. Under Secondary Server, set IP/Name to 192.168.2.71 and Secret to the shared secret configured on the RADIUS server.
  7. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
  8. Click OK.
To configure the user group:
  1. Go to User & Authentication > User Groups and click Create New.
  2. In the Name field, enter PrimarySecondaryGroup.
  3. In the Remote Groups area, click Add, and from the Remote Server dropdown, select PrimarySecondary.
  4. Click OK, and then click OK again.
To configure the SSL VPN settings:
  1. Go to VPN > SSL-VPN Settings.
  2. From the Listen on Interface(s) dropdown select port1.
  3. In the Listen on Port field enter 10443.
  4. Optionally, from the Server Certificate dropdown, select the authentication certificate if you have one for this SSL VPN portal.
  5. Under Authentication/Portal Mapping, set the default portal web-access.
    1. Select All Other Users/Groups and click Edit.
    2. From the Portal dropdown, select web-access.
    3. Click OK.
  6. Create a web portal for PrimarySecondaryGroup.
    1. Under Authentication/Portal Mapping, click Create New.
    2. Click Users/Groups and select PrimarySecondaryGroup.
    3. From the Portal dropdown, select full-access.
    4. Click OK.
To configure SSL VPN firewall policy:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New to create a new policy, or double-click an existing policy to edit it and configure the following settings:
    NameEnter a name for the policy.
    Incoming Interface

    SSL-VPN tunnel interface (ssl.root)

    Outgoing interface

    Set to the local network interface so that the remote user can access the internal network.

    For this example, select port3.

    Source

    In the Address tab, select SSLVPN_TUNNEL_ADDR1

    In the User tab, select PrimarySecondaryGroup

    Destination

    Select the internal protected subnet 192.168.20.0.

    Schedule always
    ServiceAll

    Action

    Accept

    NAT

    Enable

  3. Configure any remaining firewall and security options as required.
  4. Click OK.
To configure SSL VPN using the CLI:
  1. Configure the internal interface and firewall address:

    config system interface

    edit "port3"

    set vdom "root"

    set ip 192.168.20.5 255.255.255.0

    set alias "internal"

    next

    end

    config firewall address

    edit "192.168.20.0"

    set uuid cc41eec2-9645-51ea-d481-5c5317f865d0

    set subnet 192.168.20.0 255.255.255.0

    next

    end

  2. Configure the RADIUS server:

    config user radius

    edit "PrimarySecondary"

    set server "192.168.20.6"

    set secret <secret>

    set secondary-server "192.168.2.71"

    set secondary-secret <secret>

    next

    end

  3. Add the RADIUS user to the user group:

    config user group

    edit "PrimarySecondaryGroup"

    set member "PrimarySecondary "

    next

    end

  4. Configure SSL VPN settings:

    config vpn ssl settings

    set servercert "server_certificate"

    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

    set source-interface "port1"

    set source-address "all"

    set default-portal "web-access"

    config authentication-rule

    edit 1

    set groups "PrimarySecondaryGroup "

    set portal "full-access"

    next

    end

    end

  5. Configure one SSL VPN firewall policy to allow remote users to access the internal network:

    config firewall policy

    edit 1

    set name "sslvpn-radius"

    set srcintf "ssl.root"

    set dstintf "port3"

    set srcaddr "all"

    set dstaddr "192.168.20.0"

    set groups “PrimarySecondaryGroup”

    set action accept

    set schedule "always"

    set service "ALL"

    set nat enable

    next

    end

To verify the connection:

User radkeith is a member of both the NPS server and the FAC server.

When the Primary server is up, it will connect to the SSL VPN tunnel using FortiClient.

# diagnose sniffer packet any 'port 1812' 4 0 l

interfaces=[any]

filters=[port 1812]

2020-05-15 16:26:50.838453 port3 out 192.168.20.5.2374 -> 192.168.20.6.1812: udp 118

2020-05-15 16:26:50.883166 port3 in 192.168.20.6.1812 -> 192.168.20.5.2374: udp 20

2020-05-15 16:26:50.883374 port3 out 192.168.20.5.2374 -> 192.168.20.6.1812: udp 182

2020-05-15 16:26:50.884683 port3 in 192.168.20.6.1812 -> 192.168.20.5.2374: udp 228

The access request is sent to the Primary NPS server 192.168.20.6, and the connection is successful.

# get vpn ssl monitor

SSL VPN Login Users:

Index   User            Group                   Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
0       radkeith       PrimarySecondaryGroup   2(1)            285     192.168.2.202          0/0     0/0

SSL VPN sessions:

Index   User       Group                   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
0       radkeith   PrimarySecondaryGroup   192.168.2.202   62              132477/4966    10.212.134.200

When the Primary server is down, and the Secondary server is up, the connection is made to the SSLVPN tunnel again:

# diagnose sniffer packet any 'port 1812' 4 0 l

interfaces=[any]

filters=[port 1812]

2020-05-15 16:31:23.016875 port3 out 192.168.20.5.7989 -> 192.168.20.6.1812: udp 118

2020-05-15 16:31:28.019470 port3 out 192.168.20.5.7989 -> 192.168.20.6.1812: udp 118

2020-05-15 16:31:30.011874 port1 out 192.168.2.5.23848 -> 192.168.2.71.1812: udp 118

2020-05-15 16:31:30.087564 port1 in 192.168.2.71.1812 -> 192.168.2.5.23848: udp 20

Access request is sent to the Primary NPS server 192.168.20.6, but there was no response. RADIUS authentication falls through to the Secondary FortiAuthenticator 192.168.2.71, and the authentication was accepted. The VPN connection is established.

# get vpn ssl monitor

SSL VPN Login Users:

Index   User            Group                  Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
0       radkeith        PrimarySecondaryGroup   2(1)            287     192.168.2.202        0/0        0/0

SSL VPN sessions:

Index   User            Group                    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
0       radkeith        PrimarySecondaryGroup   192.168.2.202   48              53544/4966     10.212.134.200

Authenticating to two RADIUS servers concurrently

There are times where users are located on separate RADIUS servers. This may be the case when migrating from an old server to a new one for example. In this scenario, a Windows NPS server and a FortiAuthenticator are configured in the same User Group. The access-request is sent to both servers concurrently. If FortiGate receives an access-accept from either server, authentication is successful.

To configure the internal and external interfaces:
  1. Go to Network > Interfaces.
  2. Edit the port1 interface and set IP/Network Mask to 192.168.2.5/24.
  3. Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.
  4. Click OK.
To create a firewall address:
  1. Go to Policy & Objects > Addresses and select Address.
  2. Click Create new.
  3. Set Name to 192.168.20.0.
  4. Leave Type as Subnet
  5. Set IP/Netmask to 192.168.20.0/24.
  6. Click OK.
To configure the first RADIUS server:
  1. Go to User & Authentication > RADIUS Servers and click Create New.
  2. Set Name to win2k16.
  3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.
  4. Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.
  5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
  6. Click OK.
To configure the second RADIUS server:
  1. Go to User & Authentication > RADIUS Servers and click Create New.
  2. Set Name to fac.
  3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.
  4. Under Primary Server, set IP/Name to 192.168.2.71 and Secret to the shared secret configured on the RADIUS server.
  5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
  6. Click OK.
To configure the user group:
  1. Go to User & Authentication > User Groups and click Create New.
  2. In the Name field, enter dualPrimaryGroup..
  3. In the Remote Groups area, click Add, and from the Remote Server dropdown, select fac.
  4. Click Add again. From the Remote Server dropdown select win2k16 and click OK.
  5. Click OK, and then click OK again.
To configure the SSL VPN settings:
  1. Go to VPN > SSL-VPN Settings.
  2. From the Listen on Interface(s) dropdown select port1.
  3. In the Listen on Port field enter 10443.
  4. Optionally, from the Server Certificate dropdown, select the authentication certificate if you have one for this SSL VPN portal.
  5. Under Authentication/Portal Mapping, set the default portal web-access.
    1. Select All Other Users/Groups and click Edit.
    2. From the Portal dropdown, select web-access.
    3. Click OK.
  6. Create a web portal for PrimarySecondaryGroup.
    1. Under Authentication/Portal Mapping, click Create New.
    2. Click Users/Groups and select dualPrimaryGroup.
    3. From the Portal dropdown, select full-access.
    4. Click OK.
To configure SSL VPN firewall policy:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New to create a new policy, or double-click an existing policy to edit it.
    NameEnter a name for the policy.
    Incoming Interface

    SSL-VPN tunnel interface (ssl.root)

    Outgoing interface

    Set to the local network interface so that the remote user can access the internal network.

    For this example, select port3.

    Source

    In the Address tab, select SSLVPN_TUNNEL_ADDR1

    In the User tab, select dualPrimaryGroup

    Destination

    Select the internal protected subnet 192.168.20.0.

    Schedule always
    ServiceAll

    Action

    Accept

    NAT

    Enable

  3. Configure any remaining firewall and security options as required.
  4. Click OK.
To configure SSL VPN using the CLI:
  1. Configure the internal interface and firewall address:

    config system interface

    edit "port3"

    set vdom "root"

    set ip 192.168.20.5 255.255.255.0

    set alias "internal"

    next

    end

    config firewall address

    edit "192.168.20.0"

    set uuid cc41eec2-9645-51ea-d481-5c5317f865d0

    set subnet 192.168.20.0 255.255.255.0

    next

    end

  2. Configure the RADIUS server:

    config user radius

    edit "win2k16"

    set server "192.168.20.6"

    set secret <secret>

    next

    edit "fac"

    set server "192.168.2.71"

    set secret <secret>

    next

    end

  3. Add the RADIUS user to the user group:

    config user group

    edit "dualPrimaryGroup"

    set member "win2k16" “fac”

    next

    end

  4. Configure SSL VPN settings:

    config vpn ssl settings

    set servercert "server_certificate"

    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

    set source-interface "port1"

    set source-address "all"

    set default-portal "web-access"

    config authentication-rule

    edit 1

    set groups "dualPrimaryGroup"

    set portal "full-access"

    next

    end

    end

  5. Configure one SSL VPN firewall policy to allow remote users to access the internal network:

    config firewall policy

    edit 1

    set name "sslvpn-radius"

    set srcintf "ssl.root"

    set dstintf "port3"

    set srcaddr "all"

    set dstaddr "192.168.20.0"

    set groups “dualPrimaryGroup”

    set action accept

    set schedule "always"

    set service "ALL"

    set nat enable

    next

    end

    To verify the connection:

    User fackeith is a member of the FortiAuthenticator server only.

    User radkeith is a member of both the NPS server and the FortiAuthenticator server, but has different passwords on each server.

    Case 1: Connect to the SSLVPN tunnel using FortiClient with user FacAdmin:

    # diagnose sniffer packet any 'port 1812' 4 0 l

    interfaces=[any]

    filters=[port 1812]

    2020-05-15 17:21:31.217985 port3 out 192.168.20.5.11490 -> 192.168.20.6.1812: udp 118

    2020-05-15 17:21:31.218091 port1 out 192.168.2.5.11490 -> 192.168.2.71.1812: udp 118

    2020-05-15 17:21:31.219314 port3 in 192.168.20.6.1812 -> 192.168.20.5.11490: udp 20 <-- access-reject

    2020-05-15 17:21:31.219519 port3 out 192.168.20.5.11490 -> 192.168.20.6.1812: udp 182

    2020-05-15 17:21:31.220219 port3 in 192.168.20.6.1812 -> 192.168.20.5.11490: udp 42

    2020-05-15 17:21:31.220325 port3 out 192.168.20.5.11490 -> 192.168.20.6.1812: udp 119

    2020-05-15 17:21:31.220801 port3 in 192.168.20.6.1812 -> 192.168.20.5.11490: udp 20

    2020-05-15 17:21:31.236009 port1 in 192.168.2.71.1812 -> 192.168.2.5.11490: udp 20 <--access-accept

    Access is denied by the NPS server because the user does not exist. However, access is accepted by FortiAuthenticator. The end result is the authentication is successful.

    # get vpn ssl monitor

    SSL VPN Login Users:

    Index   User       Group             Auth Type      Timeout         From       HTTP in/out    HTTPS in/out
    0       fackeith  dualPrimaryGroup   2(1)            292        192.168.2.202      0/0         0/0

    SSL VPN sessions:

    Index   User       Group                  Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    0       fackeith  dualPrimaryGroup        192.168.2.202   149              70236/4966     10.212.134.200
    Case 2: Connect to the SSLVPN tunnel using FortiClient with user radkeith:

    # diagnose sniffer packet any 'port 1812' 4 0 l

    interfaces=[any]

    filters=[port 1812]

    2020-05-15 17:26:07.335791 port1 out 192.168.2.5.17988 -> 192.168.2.71.1812: udp 118

    2020-05-15 17:26:07.335911 port3 out 192.168.20.5.17988 -> 192.168.20.6.1812: udp 118

    2020-05-15 17:26:07.337659 port3 in 192.168.20.6.1812 -> 192.168.20.5.17988: udp 20 <--access-accept

    2020-05-15 17:26:07.337914 port3 out 192.168.20.5.17988 -> 192.168.20.6.1812: udp 182

    2020-05-15 17:26:07.339451 port3 in 192.168.20.6.1812 -> 192.168.20.5.17988: udp 228

    2020-05-15 17:26:08.352597 port1 in 192.168.2.71.1812 -> 192.168.2.5.17988: udp 20 <--access-reject

    There is a password mismatch for this user on the Secondary RADIUS server. However, even though the authentication was rejected by FortiAuthenticator, it was accepted by Windows NPS. Therefore, the end result is authentication successful.

    # get vpn ssl monitor

    SSL VPN Login Users:

    Index   User       Group            Auth Type      Timeout         From        HTTP in/out    HTTPS in/out
    0       radkeith  dualPrimaryGroup   2(1)            290        192.168.2.202    0/0           0/0

    SSL VPN sessions:

    Index   User      Group               Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    0       radkeith dualPrimaryGroup   192.168.2.202   142              64875/4966     10.212.134.200

SSL VPN with multiple RADIUS servers

When configuring two or more RADIUS servers, you can configure a Primary and Secondary server within the same RADIUS server configurations for backup purposes. You can also configure multiple RADIUS servers within the same User Group to service the access request at the same time.

Tooltip

A tertiary server can be configured in the CLI.

Sample topology

Sample configurations

Configure a Primary and Secondary server for backup

When you define a Primary and Secondary RADIUS server, the access request will always be sent to the Primary server first. If the request is denied with an Access-Reject, then the user authentication fails. However, if there is no response from the Primary server after another attempt, the access request will be sent to the Secondary server.

In this example, you will use a Windows NPS server as the Primary server and a FortiAuthenticator as the Secondary server. It is assumed that users are synchronized between the two servers.

To configure the internal and external interfaces:
  1. Go to Network > Interfaces.
  2. Edit the port1 interface and set IP/Network Mask to 192.168.2.5/24.
  3. Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.
  4. Click OK.
To create a firewall address:
  1. Go to Policy & Objects > Addresses and select Address.
  2. Click Create new.
  3. Set Name to 192.168.20.0.
  4. Leave Type as Subnet
  5. Set IP/Netmask to 192.168.20.0/24.
  6. Click OK.
To add the RADIUS servers:
  1. Go to User & Authentication > RADIUS Servers and click Create New.
  2. Set Name to PrimarySecondary.
  3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.
  4. Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.
  5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
  6. Under Secondary Server, set IP/Name to 192.168.2.71 and Secret to the shared secret configured on the RADIUS server.
  7. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
  8. Click OK.
To configure the user group:
  1. Go to User & Authentication > User Groups and click Create New.
  2. In the Name field, enter PrimarySecondaryGroup.
  3. In the Remote Groups area, click Add, and from the Remote Server dropdown, select PrimarySecondary.
  4. Click OK, and then click OK again.
To configure the SSL VPN settings:
  1. Go to VPN > SSL-VPN Settings.
  2. From the Listen on Interface(s) dropdown select port1.
  3. In the Listen on Port field enter 10443.
  4. Optionally, from the Server Certificate dropdown, select the authentication certificate if you have one for this SSL VPN portal.
  5. Under Authentication/Portal Mapping, set the default portal web-access.
    1. Select All Other Users/Groups and click Edit.
    2. From the Portal dropdown, select web-access.
    3. Click OK.
  6. Create a web portal for PrimarySecondaryGroup.
    1. Under Authentication/Portal Mapping, click Create New.
    2. Click Users/Groups and select PrimarySecondaryGroup.
    3. From the Portal dropdown, select full-access.
    4. Click OK.
To configure SSL VPN firewall policy:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New to create a new policy, or double-click an existing policy to edit it and configure the following settings:
    NameEnter a name for the policy.
    Incoming Interface

    SSL-VPN tunnel interface (ssl.root)

    Outgoing interface

    Set to the local network interface so that the remote user can access the internal network.

    For this example, select port3.

    Source

    In the Address tab, select SSLVPN_TUNNEL_ADDR1

    In the User tab, select PrimarySecondaryGroup

    Destination

    Select the internal protected subnet 192.168.20.0.

    Schedule always
    ServiceAll

    Action

    Accept

    NAT

    Enable

  3. Configure any remaining firewall and security options as required.
  4. Click OK.
To configure SSL VPN using the CLI:
  1. Configure the internal interface and firewall address:

    config system interface

    edit "port3"

    set vdom "root"

    set ip 192.168.20.5 255.255.255.0

    set alias "internal"

    next

    end

    config firewall address

    edit "192.168.20.0"

    set uuid cc41eec2-9645-51ea-d481-5c5317f865d0

    set subnet 192.168.20.0 255.255.255.0

    next

    end

  2. Configure the RADIUS server:

    config user radius

    edit "PrimarySecondary"

    set server "192.168.20.6"

    set secret <secret>

    set secondary-server "192.168.2.71"

    set secondary-secret <secret>

    next

    end

  3. Add the RADIUS user to the user group:

    config user group

    edit "PrimarySecondaryGroup"

    set member "PrimarySecondary "

    next

    end

  4. Configure SSL VPN settings:

    config vpn ssl settings

    set servercert "server_certificate"

    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

    set source-interface "port1"

    set source-address "all"

    set default-portal "web-access"

    config authentication-rule

    edit 1

    set groups "PrimarySecondaryGroup "

    set portal "full-access"

    next

    end

    end

  5. Configure one SSL VPN firewall policy to allow remote users to access the internal network:

    config firewall policy

    edit 1

    set name "sslvpn-radius"

    set srcintf "ssl.root"

    set dstintf "port3"

    set srcaddr "all"

    set dstaddr "192.168.20.0"

    set groups “PrimarySecondaryGroup”

    set action accept

    set schedule "always"

    set service "ALL"

    set nat enable

    next

    end

To verify the connection:

User radkeith is a member of both the NPS server and the FAC server.

When the Primary server is up, it will connect to the SSL VPN tunnel using FortiClient.

# diagnose sniffer packet any 'port 1812' 4 0 l

interfaces=[any]

filters=[port 1812]

2020-05-15 16:26:50.838453 port3 out 192.168.20.5.2374 -> 192.168.20.6.1812: udp 118

2020-05-15 16:26:50.883166 port3 in 192.168.20.6.1812 -> 192.168.20.5.2374: udp 20

2020-05-15 16:26:50.883374 port3 out 192.168.20.5.2374 -> 192.168.20.6.1812: udp 182

2020-05-15 16:26:50.884683 port3 in 192.168.20.6.1812 -> 192.168.20.5.2374: udp 228

The access request is sent to the Primary NPS server 192.168.20.6, and the connection is successful.

# get vpn ssl monitor

SSL VPN Login Users:

Index   User            Group                   Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
0       radkeith       PrimarySecondaryGroup   2(1)            285     192.168.2.202          0/0     0/0

SSL VPN sessions:

Index   User       Group                   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
0       radkeith   PrimarySecondaryGroup   192.168.2.202   62              132477/4966    10.212.134.200

When the Primary server is down, and the Secondary server is up, the connection is made to the SSLVPN tunnel again:

# diagnose sniffer packet any 'port 1812' 4 0 l

interfaces=[any]

filters=[port 1812]

2020-05-15 16:31:23.016875 port3 out 192.168.20.5.7989 -> 192.168.20.6.1812: udp 118

2020-05-15 16:31:28.019470 port3 out 192.168.20.5.7989 -> 192.168.20.6.1812: udp 118

2020-05-15 16:31:30.011874 port1 out 192.168.2.5.23848 -> 192.168.2.71.1812: udp 118

2020-05-15 16:31:30.087564 port1 in 192.168.2.71.1812 -> 192.168.2.5.23848: udp 20

Access request is sent to the Primary NPS server 192.168.20.6, but there was no response. RADIUS authentication falls through to the Secondary FortiAuthenticator 192.168.2.71, and the authentication was accepted. The VPN connection is established.

# get vpn ssl monitor

SSL VPN Login Users:

Index   User            Group                  Auth Type      Timeout         From     HTTP in/out    HTTPS in/out
0       radkeith        PrimarySecondaryGroup   2(1)            287     192.168.2.202        0/0        0/0

SSL VPN sessions:

Index   User            Group                    Source IP      Duration        I/O Bytes       Tunnel/Dest IP
0       radkeith        PrimarySecondaryGroup   192.168.2.202   48              53544/4966     10.212.134.200

Authenticating to two RADIUS servers concurrently

There are times where users are located on separate RADIUS servers. This may be the case when migrating from an old server to a new one for example. In this scenario, a Windows NPS server and a FortiAuthenticator are configured in the same User Group. The access-request is sent to both servers concurrently. If FortiGate receives an access-accept from either server, authentication is successful.

To configure the internal and external interfaces:
  1. Go to Network > Interfaces.
  2. Edit the port1 interface and set IP/Network Mask to 192.168.2.5/24.
  3. Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.
  4. Click OK.
To create a firewall address:
  1. Go to Policy & Objects > Addresses and select Address.
  2. Click Create new.
  3. Set Name to 192.168.20.0.
  4. Leave Type as Subnet
  5. Set IP/Netmask to 192.168.20.0/24.
  6. Click OK.
To configure the first RADIUS server:
  1. Go to User & Authentication > RADIUS Servers and click Create New.
  2. Set Name to win2k16.
  3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.
  4. Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.
  5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
  6. Click OK.
To configure the second RADIUS server:
  1. Go to User & Authentication > RADIUS Servers and click Create New.
  2. Set Name to fac.
  3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.
  4. Under Primary Server, set IP/Name to 192.168.2.71 and Secret to the shared secret configured on the RADIUS server.
  5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
  6. Click OK.
To configure the user group:
  1. Go to User & Authentication > User Groups and click Create New.
  2. In the Name field, enter dualPrimaryGroup..
  3. In the Remote Groups area, click Add, and from the Remote Server dropdown, select fac.
  4. Click Add again. From the Remote Server dropdown select win2k16 and click OK.
  5. Click OK, and then click OK again.
To configure the SSL VPN settings:
  1. Go to VPN > SSL-VPN Settings.
  2. From the Listen on Interface(s) dropdown select port1.
  3. In the Listen on Port field enter 10443.
  4. Optionally, from the Server Certificate dropdown, select the authentication certificate if you have one for this SSL VPN portal.
  5. Under Authentication/Portal Mapping, set the default portal web-access.
    1. Select All Other Users/Groups and click Edit.
    2. From the Portal dropdown, select web-access.
    3. Click OK.
  6. Create a web portal for PrimarySecondaryGroup.
    1. Under Authentication/Portal Mapping, click Create New.
    2. Click Users/Groups and select dualPrimaryGroup.
    3. From the Portal dropdown, select full-access.
    4. Click OK.
To configure SSL VPN firewall policy:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New to create a new policy, or double-click an existing policy to edit it.
    NameEnter a name for the policy.
    Incoming Interface

    SSL-VPN tunnel interface (ssl.root)

    Outgoing interface

    Set to the local network interface so that the remote user can access the internal network.

    For this example, select port3.

    Source

    In the Address tab, select SSLVPN_TUNNEL_ADDR1

    In the User tab, select dualPrimaryGroup

    Destination

    Select the internal protected subnet 192.168.20.0.

    Schedule always
    ServiceAll

    Action

    Accept

    NAT

    Enable

  3. Configure any remaining firewall and security options as required.
  4. Click OK.
To configure SSL VPN using the CLI:
  1. Configure the internal interface and firewall address:

    config system interface

    edit "port3"

    set vdom "root"

    set ip 192.168.20.5 255.255.255.0

    set alias "internal"

    next

    end

    config firewall address

    edit "192.168.20.0"

    set uuid cc41eec2-9645-51ea-d481-5c5317f865d0

    set subnet 192.168.20.0 255.255.255.0

    next

    end

  2. Configure the RADIUS server:

    config user radius

    edit "win2k16"

    set server "192.168.20.6"

    set secret <secret>

    next

    edit "fac"

    set server "192.168.2.71"

    set secret <secret>

    next

    end

  3. Add the RADIUS user to the user group:

    config user group

    edit "dualPrimaryGroup"

    set member "win2k16" “fac”

    next

    end

  4. Configure SSL VPN settings:

    config vpn ssl settings

    set servercert "server_certificate"

    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

    set source-interface "port1"

    set source-address "all"

    set default-portal "web-access"

    config authentication-rule

    edit 1

    set groups "dualPrimaryGroup"

    set portal "full-access"

    next

    end

    end

  5. Configure one SSL VPN firewall policy to allow remote users to access the internal network:

    config firewall policy

    edit 1

    set name "sslvpn-radius"

    set srcintf "ssl.root"

    set dstintf "port3"

    set srcaddr "all"

    set dstaddr "192.168.20.0"

    set groups “dualPrimaryGroup”

    set action accept

    set schedule "always"

    set service "ALL"

    set nat enable

    next

    end

    To verify the connection:

    User fackeith is a member of the FortiAuthenticator server only.

    User radkeith is a member of both the NPS server and the FortiAuthenticator server, but has different passwords on each server.

    Case 1: Connect to the SSLVPN tunnel using FortiClient with user FacAdmin:

    # diagnose sniffer packet any 'port 1812' 4 0 l

    interfaces=[any]

    filters=[port 1812]

    2020-05-15 17:21:31.217985 port3 out 192.168.20.5.11490 -> 192.168.20.6.1812: udp 118

    2020-05-15 17:21:31.218091 port1 out 192.168.2.5.11490 -> 192.168.2.71.1812: udp 118

    2020-05-15 17:21:31.219314 port3 in 192.168.20.6.1812 -> 192.168.20.5.11490: udp 20 <-- access-reject

    2020-05-15 17:21:31.219519 port3 out 192.168.20.5.11490 -> 192.168.20.6.1812: udp 182

    2020-05-15 17:21:31.220219 port3 in 192.168.20.6.1812 -> 192.168.20.5.11490: udp 42

    2020-05-15 17:21:31.220325 port3 out 192.168.20.5.11490 -> 192.168.20.6.1812: udp 119

    2020-05-15 17:21:31.220801 port3 in 192.168.20.6.1812 -> 192.168.20.5.11490: udp 20

    2020-05-15 17:21:31.236009 port1 in 192.168.2.71.1812 -> 192.168.2.5.11490: udp 20 <--access-accept

    Access is denied by the NPS server because the user does not exist. However, access is accepted by FortiAuthenticator. The end result is the authentication is successful.

    # get vpn ssl monitor

    SSL VPN Login Users:

    Index   User       Group             Auth Type      Timeout         From       HTTP in/out    HTTPS in/out
    0       fackeith  dualPrimaryGroup   2(1)            292        192.168.2.202      0/0         0/0

    SSL VPN sessions:

    Index   User       Group                  Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    0       fackeith  dualPrimaryGroup        192.168.2.202   149              70236/4966     10.212.134.200
    Case 2: Connect to the SSLVPN tunnel using FortiClient with user radkeith:

    # diagnose sniffer packet any 'port 1812' 4 0 l

    interfaces=[any]

    filters=[port 1812]

    2020-05-15 17:26:07.335791 port1 out 192.168.2.5.17988 -> 192.168.2.71.1812: udp 118

    2020-05-15 17:26:07.335911 port3 out 192.168.20.5.17988 -> 192.168.20.6.1812: udp 118

    2020-05-15 17:26:07.337659 port3 in 192.168.20.6.1812 -> 192.168.20.5.17988: udp 20 <--access-accept

    2020-05-15 17:26:07.337914 port3 out 192.168.20.5.17988 -> 192.168.20.6.1812: udp 182

    2020-05-15 17:26:07.339451 port3 in 192.168.20.6.1812 -> 192.168.20.5.17988: udp 228

    2020-05-15 17:26:08.352597 port1 in 192.168.2.71.1812 -> 192.168.2.5.17988: udp 20 <--access-reject

    There is a password mismatch for this user on the Secondary RADIUS server. However, even though the authentication was rejected by FortiAuthenticator, it was accepted by Windows NPS. Therefore, the end result is authentication successful.

    # get vpn ssl monitor

    SSL VPN Login Users:

    Index   User       Group            Auth Type      Timeout         From        HTTP in/out    HTTPS in/out
    0       radkeith  dualPrimaryGroup   2(1)            290        192.168.2.202    0/0           0/0

    SSL VPN sessions:

    Index   User      Group               Source IP      Duration        I/O Bytes       Tunnel/Dest IP
    0       radkeith dualPrimaryGroup   192.168.2.202   142              64875/4966     10.212.134.200