Staff

Technical Tip: Assign fixed IP address to the users over SSL VPN tunnel with FortiAuthenticator RADIUS service

Forum|Forum|8 years ago
December 6, 2017
0 replies
25019 views

Description

This article describes how to configure the SSL VPN Web Portal on FortiGate to assign a fixed IP address with FortiAuthenticator as a RADIUS server for the users.

Scope

FortiAuthenticator.

Solution

FortiGate Configuration.

Edit Web Portal configured for fixed IPs and set 'ip-mode' to 'user-group'. Once configured, all users in the authentication group must have an assigned IP otherwise authentication will fail:

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"

config authentication-rule
        edit 1
            set groups "framed_ip_grp2" "framed_ip_grp1"
            set portal "test_FixIP"
        next
end

end

config vpn ssl web portal

edit "test_FixIP"

set tunnel-mode enable

set ip-mode user-group <----- Default paramter: range.

set ip-pools "Range_Fix_IP" <----- IP range.

next

config firewall policy
    edit 1
        set name "sslvpnPolicy"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "localsubnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "framed_ip_grp2" "framed_ip_grp1"
    next
end

FortiAuthenticator Radius Configuration.

Edit user configuration: Go under Authentication -> User Management -> Local / Remote Users -> Edit the User -> RADIUS Attributes -> Add RADIUS Attribute.

Add the following attribute values:

Vendor: Default.
Attribute ID: Framed-IP-Address.
Value: <IP in the range defined on ip-pools>.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded