bfeng
Staff
June 24, 2009

Technical Tip: How to setup per user based VIP on FortiGate unit in SSLVPN tunnel mode


Description


This article describes how to reserve the virtual IP address assigned to an SSL VPN tunnel mode client based on the authenticated user, and how to set up a FortiGate unit to work with a RADIUS server so that the tunnel end IP address assigned by RADIUS is passed to the SSL VPN tunnel client for the user that authenticated.

Scope


FortiGate units running FortiOS firmware version 5.00 and higher.

RADIUS.
SSL VPN tunnel mode.


Solution


During RADIUS authentication, the FortiGate unit looks for the 'Framed-IP-Address' attribute (RFC 2865, section 5.8) in the Access-Accept packet. When this attribute is present and the FortiGate unit is configured to use it, the address is given back to the client over IPsec, SSL VPN, or PPTP.

This feature is only supported in FortiOS firmware version 5.0 and higher.

For example:

(Topology diagram: updatetopology.jpg)

Summary:

  • The client PC establishes an SSL VPN tunnel mode connection to the FortiGate unit.
  • The FortiGate unit is set up to forward the authentication request to the RADIUS server.
  • If authentication is successful, the RADIUS server sends an Access-Accept packet carrying the RADIUS attribute Framed-IP-Address (the IP address assigned/reserved for that user) back to the FortiGate unit.
  • The FortiGate unit uses PPP over the SSL VPN tunnel to deliver that IP address to the client PC.
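The exchange in the summary above, worked through as an added example that is not part of the original article: a small Python script builds an Access-Accept the way the RADIUS server would (using the same attribute values as the FreeRADIUS entry given later in this article) and then parses it the way a NAS such as the FortiGate unit has to, verifying the RFC 2865 Response Authenticator against the shared secret before trusting Framed-IP-Address. The shared secret, Request Authenticator and packet ID are constructed sample values, and the function names are my own, not a FortiOS or FreeRADIUS API.

```python
# Added example (not part of the original article): RADIUS Access-Accept
# construction and verification per RFC 2865. Shared secret, Request
# Authenticator and packet ID below are constructed sample data.
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Optional

ACCESS_ACCEPT = 2
# RFC 2865 attribute types used here
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_IP_ADDRESS = 8      # RFC 2865 section 5.8
ATTR_SESSION_TIMEOUT = 27
ATTR_IDLE_TIMEOUT = 28
SERVICE_TYPE_FRAMED_USER = 2
# RFC 2865 section 5.8: these two values mean "let the user/NAS pick", not a fixed address
FRAMED_IP_USER_SELECTS = b"\xff\xff\xff\xff"
FRAMED_IP_NAS_SELECTS = b"\xff\xff\xff\xfe"

SHARED_SECRET = b"example-shared-secret"   # constructed, not a real secret
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed 16-byte nonce from the Access-Request
PACKET_ID = 0x2A                           # constructed identifier


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (Length counts the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_accept(framed_ip: str, session_timeout: int, idle_timeout: int,
                        packet_id: int = PACKET_ID,
                        request_auth: bytes = REQUEST_AUTHENTICATOR,
                        secret: bytes = SHARED_SECRET) -> bytes:
    """Server side: assemble the attributes, then compute the Response Authenticator
    (RFC 2865 section 3): MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = (
        _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED_USER))
        + _attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
        + _attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", session_timeout))
        + _attr(ATTR_IDLE_TIMEOUT, struct.pack("!I", idle_timeout))
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, packet_id, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def authenticator_valid(packet: bytes, request_auth: bytes = REQUEST_AUTHENTICATOR,
                        secret: bytes = SHARED_SECRET) -> bool:
    """NAS side: recompute the Response Authenticator and compare in constant time.
    A mismatch means the reply was not produced by a server holding our shared secret
    (or was altered in transit), so none of its attributes may be trusted."""
    if len(packet) < 20:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the TLV attribute list that follows the 20-byte header."""
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("invalid attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def framed_ip_from_access_accept(packet: bytes, request_auth: bytes = REQUEST_AUTHENTICATOR,
                                 secret: bytes = SHARED_SECRET) -> Optional[str]:
    """Return the dotted Framed-IP-Address to hand to the tunnel client, or None when the
    server left the choice to the NAS/user (or sent no attribute). Raises on a bad packet."""
    if not authenticator_valid(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply not authentic")
    code, _pid, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    values = parse_attributes(packet).get(ATTR_FRAMED_IP_ADDRESS)
    if not values:
        return None
    value = values[0]
    if len(value) != 4:
        raise ValueError("Framed-IP-Address must be 4 bytes")
    if value in (FRAMED_IP_USER_SELECTS, FRAMED_IP_NAS_SELECTS):
        return None  # fall back to the NAS's own pool
    return str(ipaddress.IPv4Address(value))


if __name__ == "__main__":
    pkt = build_access_accept("192.168.253.25", 180, 120)
    print(framed_ip_from_access_accept(pkt))   # 192.168.253.25
```

The order matters: the authenticator is checked before any attribute is read, because an Access-Accept whose Framed-IP-Address were honoured without that check would let anyone able to inject UDP replies choose the client's tunnel address. The two reserved values from RFC 2865 section 5.8 are also handled, since a server that returns them is asking the NAS to assign from its own pool rather than reserving an address.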


Prerequisites:

  • The FortiGate unit is running FortiOS 5.0 or higher.
  • The FortiGate unit is connected to the internet.
  • The FortiGate unit is set up so that remote clients can connect in SSL VPN tunnel mode, authenticated by the RADIUS server. See the SSL VPN User Guide in the Fortinet Document Library for general SSL VPN tunnel mode setup.
  • The RADIUS server is set up with the correct Framed-IP-Address for each user, so that it sends the Framed-IP-Address associated with the user in the Access-Accept packet.
  • Fortinet is not responsible for the setup of the RADIUS server.

The following is an example users file entry for FreeRADIUS (check items on the first line, reply items on the following lines):

fortinettest    Auth-Type := CHAP, User-Password == 'fortinet'
                Service-Type = Framed-User,
                Session-Timeout = 180,
                Idle-Timeout = 120,
                Framed-IP-Address = 192.168.253.25

To configure it via the CLI on the FortiGate unit:

FortiOS 5.0.X:

config vpn ssl web portal
    edit "SSL-Portal"
        set allow-access web
        set heading "Welcome to SSL VPN Service"
        config widget
            edit 3
                set name "Tunnel Mode"
                set type tunnel
                set tunnel-status enable
                set split-tunneling enable
                set ip-mode usrgrp                <----- Address is assigned by a RADIUS user group.
            next
        end
    next
end

FortiOS 5.2 or above:

config vpn ssl web portal
    edit tunnel-access
        set ip-mode user-group            <----- Address is assigned by a RADIUS user group.
    next
end