Dynamic address support for SSL VPN policies
Dynamic SSO user groups can be used in place of address objects when configuring SSL VPN policies. This allows dynamic IP addresses to be used in SSL VPN policies. A remote user group can be used for authentication while an FSSO group is separately used for authorization. Using a dummy policy for remote user authentication and a policy for FSSO group authorization, FSSO can be used with SSL VPN tunnels
This image shows the authentication and authorization flow:
In this example, FortiAuthenticator is used as a RADIUS server. It uses a remote AD/LDAP server for authentication, then returns the authentication results to the FortiGate. This allows the client to have a dynamic IP address after successful authentication.
First, on the LDAP server, create two users each in their own group, user142 in group pc_group1, and user143 in group pc_group2.
Configure the FortiAuthenticator
To add a remote LDAP server and users on the FortiAuthenticator:
- Go to Authentication > Remote Auth. Servers > LDAP.
- Click Create New.
- Set the following:
- Name: ad_ldap_60
- Primary server name/IP: 172.16.200.60
- Base distinguished name: dc=fsso-qa,dc=com
- Bind type: Regular
- Username: cn=administrator,cn=User
- Password: <enter a password>
- Click OK.
- Edit the new LDAP server.
- Import the remote LDAP users.
- Edit each user to confirm that they have the RADIUS attribute Acct-Interim-Interval. This attribute is used by FortiGate to send interim update account messages to the RADIUS server.
To create a RADIUS client for FortiGate as a remote authentication server:
- Go to Authentication > RADIUS Service > Clients.
- Click Create New.
- Set the following:
- Name: fsso_ldap
- Client address: Range 172.16.200.1~172.16.200.10
- Secret: <enter a password>
- In the Realms table, set the realm to the LDAP server that was just added: ad_ldap_60.
- Click OK.
FortiAuthenticator can now be used as a RADIUS server, and the authentication credentials all come from the DC/LDAP server.
Fortinet Single Sign-On Collector Agent
To configure the Fortinet Single Sign-On Collector Agent:
- Select Require authenticated connection from FortiGate and enter a Password.
- Click Advanced Settings.
- Select the RADIUS Accounting tab.
- Select Enable RADIUS accounting server and set the Shared secret.
- Click OK, then click Save&close.
The collector agent can now accept accounting requests from FortiGate, and retrieve the IP addresses and usernames of SSL VPN client from the FortiGate with accounting request messages.
Configure the FortiGate
To configure the FortiGate in the CLI:
- Create a Fortinet Single Sign-On Agent fabric connector:
config user fsso edit "AD_CollectAgent" set server "172.16.200.60" set password 123456 next end
- Add the RADIUS server:
config user radius edit "rad150" set server "172.16.200.150" set secret 123456 set acct-interim-interval 600 config accounting-server edit 1 set status enable set server "172.16.200.60" set secret 123456 next end next end
- Create a user group for the RADIUS server:
config user group edit "rad_group" set member "rad150" next end
- Create user groups for each of the FSSO groups:
config user group edit "fsso_group1" set group-type fsso-service set member "CN=PC_GROUP1,OU=TESTING,DC=FSSO-QA,DC=COM" next edit "fsso_group2" set group-type fsso-service set member "CN=PC_GROUP2,OU=TESTING,DC=FSSO-QA,DC=COM" next end
- Create an SSL VPN portal and assign the RADIUS user group to it:
config vpn ssl web portal edit "testportal" set tunnel-mode enable set ipv6-tunnel-mode enable set web-mode enable ... next end config vpn ssl settings ... set default-portal "full-access" config authentication-rule edit 1 set groups "rad_group" set portal "testportal" next end end
- Create firewall addresses:
config firewall address edit "none" set subnet 0.0.0.0 255.255.255.255 next edit "pc4" set subnet 172.16.200.44 255.255.255.255 next edit "pc5" set subnet 172.16.200.55 255.255.255.255 next end
- Create one dummy policy for authentication only, and two normal policies for authorization:
config firewall policy edit 1 set name "sslvpn_authentication" set srcintf "ssl.vdom1" set dstintf "port1" set srcaddr "all" set dstaddr "none" set action accept set schedule "always" set service "ALL" set logtraffic all set groups "rad_group" set nat enable next edit 3 set name "sslvpn_authorization1" set srcintf "ssl.vdom1" set dstintf "port1" set srcaddr "all" set dstaddr "pc4" set action accept set schedule "always" set service "ALL" set logtraffic all set groups "fsso_group1" set nat enable next edit 4 set name "sslvpn_authorization2" set srcintf "ssl.vdom1" set dstintf "port1" set srcaddr "all" set dstaddr "pc5" set action accept set schedule "always" set service "ALL" set logtraffic all set groups "fsso_group2" set nat enable next end
To create an FSSO agent fabric connector in the GUI:
- Go to Security Fabric > External Connectors.
- Click Create New.
- Click Fortinet Single Sign-On Agent.
- Enter the name and Primary FSSO agent information.
- Click Apply & Refresh.
The FSSO groups are retrieved from the collector agent.
To add the RADIUS server in the GUI:
- Go to User & Authentication > RADIUS Servers.
- Click Create New.
- Enter a name for the server.
- Enter the IP/Name and Secret for the primary server.
- Click Test Connectivity to ensure that there is a successful connection.
- Click OK.
- Configure an accounting server with the following CLI command:
config user radius edit rad150 set acct-interim-interval 600 config accounting-server edit 1 set status enable set server 172.16.200.60 set secret ********* next end next end
To create a user group for the RADIUS server in the GUI:
- Go to User & Authentication > User Groups.
- Click Create New.
- Enter a name for the group and set the Type to Firewall.
- Add the RADIUS server as a remote group.
- Click OK.
To create user groups for each of the FSSO groups in the GUI:
- Go to User & Authentication > User Groups.
- Click Create New.
- Enter a name for the group and set the Type to Fortinet Single Sign-On (FSSO).
- Add PC_GROUP1 as a member:
CN=PC_GROUP1,OU=TESTING,DC=FSSO-QA,DC=COM
- Click OK.
- Add a second user group with PC_GROUP2 as a member:
CN=PC_GROUP1,OU=TESTING,DC=FSSO-QA,DC=COM
- Click OK.
To create an SSL VPN portal and assign the RADIUS user group to it in the GUI:
- Go to VPN > SSL VPN Portals.
- Click Create New.
- Configure the portal, then click OK.
- Go to VPN > SSL VPN Settings.
- Configure the required settings.
- Create an Authentication/Portal Mapping table entry:
- Click Create New.
- Set User/Groups to rad_group.
- Set Portal to testportal.
- Click OK.
- Click OK.
To create policies for authentication and authorization in the GUI:
- Go to Policy & Object > Firewall Policy.
- Configure a dummy policy for authentication. Set the destination to none so that traffic is not allowed through the FortiGate, and add rad_group as a source.
- Configure two authorization policies, with the FSSO groups as sources.
Confirmation
On Client 1, log in to FortiClient using user142. Traffic can go to pc4 (172.16.200.44), but cannot go to pc5 (172.16.200.55).
On Client 2, log in to FortiClient using user143. Traffic can go to pc5 (172.16.200.55), but cannot go to pc4 (172.16.200.44).
On the FortiGate, check the authenticated users list and the SSL VPN status:
# diagnose firewall auth list 10.212.134.200, USER142 type: fsso, id: 0, duration: 173, idled: 173 server: AD_CollectAgent packets: in 0 out 0, bytes: in 0 out 0 user_id: 16777229 group_id: 3 33554434 group_name: fsso_group1 CN=PC_GROUP1,OU=TESTING,DC=FSSO-QA,DC=COM 10.212.134.200, user142 type: fw, id: 0, duration: 174, idled: 174 expire: 259026, allow-idle: 259200 flag(80): sslvpn server: rad150 packets: in 0 out 0, bytes: in 0 out 0 group_id: 4 group_name: rad_group 10.212.134.201, USER143 type: fsso, id: 0, duration: 78, idled: 78 server: AD_CollectAgent packets: in 0 out 0, bytes: in 0 out 0 group_id: 1 33554435 group_name: fsso_group2 CN=PC_GROUP2,OU=TESTING,DC=FSSO-QA,DC=COM 10.212.134.201, user143 type: fw, id: 0, duration: 79, idled: 79 expire: 259121, allow-idle: 259200 flag(80): sslvpn server: rad150 packets: in 0 out 0, bytes: in 0 out 0 group_id: 4 group_name: rad_group ----- 4 listed, 0 filtered ------
# get vpn ssl monitor SSL VPN Login Users: Index User Auth Type Timeout From HTTP in/out HTTPS in/out 0 user142 2(1) 600 10.1.100.145 0/0 0/0 1 user143 2(1) 592 10.1.100.254 0/0 0/0 SSL VPN sessions: Index User Source IP Duration I/O Bytes Tunnel/Dest IP 0 user142 10.1.100.145 104 32190/16480 10.212.134.200 1 user143 10.1.100.254 11 4007/4966 10.212.134.201