Description
This article describes how SSL VPN users can be bound to a fixed IP address on the RADIUS server using the Framed-IP-Address attribute.
In this case, the RADIUS server is configured on FortiAuthenticator. On FortiGate, SSL VPN is configured in tunnel mode.
A Framed IP is also a requirement for IP lockout to work (Authentication -> User Account Policies -> Lockouts -> Enable IP lockout policy).
Scope
FortiAuthenticator.
Solution
RADIUS Server Configuration on FortiAuthenticator.
Remote users can also be used as RADIUS users. In this example, LDAP users are used as RADIUS users.
Configuring the LDAP server on FortiAuthenticator.
Import the LDAP users under Authentication -> User Management -> Remote Users -> Import. Select the previously created LDAP server and import the users. In this example, 'sslvpn1' and 'sslvpn2' are imported.
Configuring the Framed IP for these users (sslvpn1 and sslvpn2).
While adding the RADIUS attributes, select the default vendor, search for the 'Framed-IP-Address' attribute, and set its value to the IP address that should be leased to the user whenever that user connects with the SSL VPN client. Each user gets its own entry (one Framed-IP-Address per user), so choose addresses that do not collide with each other or with the tunnel IP pool.
Configuring a User Group.
Configuring a Realm.
Configuring the Radius Client.
Configuring FortiGate as a Radius Client.
config user radius
    edit "root-radius"
        set server "10.40.6.105"
        set secret xxxxxxx
    next
end
Configuring a Radius Group.
config user group
    edit "framed_ip_grp1"
        set member "root-radius"
        config match
            edit 1
                set server-name "root-radius"
                set group-name "framed_ip_grp1"
            next
        end
    next
    edit "framed_ip_grp2"
        set member "root-radius"
        config match
            edit 1
                set server-name "root-radius"
                set group-name "vpn_users"
            next
        end
    next
end
Make sure the 'group-name' in each match entry is exactly the group name configured on the RADIUS server (here 'framed_ip_grp1' and 'vpn_users'); group matching on FortiGate compares the name returned by the RADIUS server against this value, and a mismatch means the user fails group matching even though authentication succeeds.
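As an added illustration (not code from the article or from Fortinet), the following Python builds and decodes a constructed RADIUS Access-Accept carrying the two attributes this setup depends on: Framed-IP-Address (attribute 8, RFC 2865) for the tunnel IP, and a vendor-specific group name that the FortiGate 'config match' entry compares against. The Fortinet vendor id 12356 and the Fortinet-Group-Name sub-type 1 are assumptions made here, not values taken from the article.

```python
import struct
import ipaddress

# RADIUS attribute types from RFC 2865; the Fortinet vendor id and the
# Fortinet-Group-Name sub-type below are assumptions, not taken from the article.
ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8
VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1

def build_access_accept(ident, framed_ip, group_name):
    """Constructed Access-Accept for testing. The 16-byte Response Authenticator
    is zero-filled here; a real server derives it from the shared secret."""
    ip = ipaddress.IPv4Address(framed_ip).packed
    attrs = struct.pack("!BB", FRAMED_IP_ADDRESS, 6) + ip
    sub = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(group_name)) + group_name.encode()
    vsa = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    attrs += struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_access_accept(pkt):
    """Return (framed_ip, [group names]) from an Access-Accept; reject malformed TLVs."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    framed_ip, groups, pos = None, [], 20
    while pos < length:
        # Every attribute is Type(1) Length(1) Value; length covers the header too.
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + alen]
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            framed_ip = str(ipaddress.IPv4Address(value))
        elif atype == VENDOR_SPECIFIC and len(value) > 4:
            # Vendor-Id(4) followed by one or more vendor sub-attributes (type, length, value).
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            vpos = 0
            while vpos < len(sub):
                if vpos + 2 > len(sub) or sub[vpos + 1] < 2 or vpos + sub[vpos + 1] > len(sub):
                    raise ValueError("bad vendor sub-attribute length")
                vtype, vlen = sub[vpos], sub[vpos + 1]
                if vendor == FORTINET_VENDOR_ID and vtype == FORTINET_GROUP_NAME:
                    groups.append(sub[vpos + 2:vpos + vlen].decode())
                vpos += vlen
        pos += alen
    return framed_ip, groups
```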
Configuring SSL VPN.
SSL VPN Portal.
Note: On the web portal used for these users, set 'ip-mode' to 'user-group'. By default it is set to 'range', which assigns addresses from the tunnel IP pool instead of the Framed-IP-Address returned by RADIUS. This option is only available in the CLI. In this example, 'vpnusers' is the web portal.
config vpn ssl web portal
    edit "vpnusers"
        set tunnel-mode enable
        set web-mode enable
        set ip-mode user-group
        set auto-connect enable
        set save-password enable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "framed_ip_grp2" "framed_ip_grp1"
            set portal "vpnusers"
        next
    end
end
Configuring the IPv4 firewall policy.
config firewall policy
    edit 5
        set name "sslvpn_policy"
        set uuid a3cbe1e8-afc5-51ea-e268-f2bf29cb77f0
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "local"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "framed_ip_grp2" "framed_ip_grp1"
    next
end
Troubleshooting.
Use the following commands on FortiGate to further troubleshoot:
diag debug application sslvpn -1
diag debug application fnbamd -1
diag debug enable
In the following debug output, user 'sslvpn1' authenticates, matches group 'framed_ip_grp1' and receives framed IP 10.212.134.200; user 'sslvpn2' then matches group 'framed_ip_grp2' and receives framed IP 10.212.134.201. Note that each user fails matching for the other group, which is expected, since the RADIUS server only returns that user's own group name.
[2461] fnbamd_auth_handle_radius_result <-- The result for radius svr 'root-radius' 10.40.6.105(1) is 0.
[2385] fnbamd_radius_group_match-Passed group matching
[331] fnbamd_framed_ip_add_ip-Added IP 10.212.134.200
[1070] find_matched_usr_grps-Group 'framed_ip_grp2' failed group matching
[1067] find_matched_usr_grps-Group 'framed_ip_grp1' passed group matching
[1068] find_matched_usr_grps-Add matched group 'framed_ip_grp1'(3)
[2910] fnbamd_fas_send_push-username:sslvpn1, vdom:root, usertype:0, tfc=0, auth_type:2
[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 379326533
[744] destroy_auth_session-delete session 379326533
[242:root:29][fam_auth_proc_resp:1239] Authenticated groups by FNBAM:
[242:root:29]auth_rsp_data.grp_list[0] = framed_ip_grp1
[242:root:29]Auth successful for user sslvpn1 in group framed_ip_grp1
[242:root:29]user sslvpn1 got framed IP 10.212.134.200
[2461] fnbamd_auth_handle_radius_result <-- The result for radius svr 'root-radius' 10.40.6.105(1) is 0.
[2385] fnbamd_radius_group_match-Passed group matching
[331] fnbamd_framed_ip_add_ip-Added IP 10.212.134.201
[1067] find_matched_usr_grps-Group 'framed_ip_grp2' passed group matching
[1068] find_matched_usr_grps-Add matched group 'framed_ip_grp2'(4)
[1070] find_matched_usr_grps-Group 'framed_ip_grp1' failed group matching
[2910] fnbamd_fas_send_push-username:sslvpn2, vdom:root, usertype:0, tfc=0, auth_type:2
[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 379326547
[744] destroy_auth_session-delete session 379326547
[242:root:2b][fam_auth_proc_resp:1239] Authenticated groups by FNBAM:
[242:root:2b]auth_rsp_data.grp_list[0] = framed_ip_grp2
[242:root:2b]Auth successful for user sslvpn2 in group framed_ip_grp2
[242:root:2b]user sslvpn2 got framed IP 10.212.134.201
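To verify the binding without reading the debug output by hand, the following added Python (not part of the article, not a Fortinet tool) parses the 'Auth successful' and 'got framed IP' lines from 'diag debug application sslvpn' output and compares them against the Framed-IP-Address values that were configured per user on FortiAuthenticator. The sample lines and the expected-IP map are constructed to mirror the article's example; it also flags a user that authenticated without receiving a framed IP, and two users that received the same address.

```python
import re

# Constructed sample modelled on the article's debug output; 'sslvpn3' is an
# extra user added here to show a session that got no framed IP.
SAMPLE_DEBUG = """\
[331] fnbamd_framed_ip_add_ip-Added IP 10.212.134.200
[1067] find_matched_usr_grps-Group 'framed_ip_grp1' passed group matching
[242:root:29]Auth successful for user sslvpn1 in group framed_ip_grp1
[242:root:29]user sslvpn1 got framed IP 10.212.134.200
[331] fnbamd_framed_ip_add_ip-Added IP 10.212.134.201
[1067] find_matched_usr_grps-Group 'framed_ip_grp2' passed group matching
[242:root:2b]Auth successful for user sslvpn2 in group framed_ip_grp2
[242:root:2b]user sslvpn2 got framed IP 10.212.134.201
[242:root:2c]Auth successful for user sslvpn3 in group framed_ip_grp2
"""

# Per-user Framed-IP-Address values as configured on the RADIUS server (constructed).
EXPECTED_FRAMED_IP = {"sslvpn1": "10.212.134.200", "sslvpn2": "10.212.134.201"}

AUTH_RE = re.compile(r"Auth successful for user (\S+) in group (\S+)")
FRAMED_RE = re.compile(r"user (\S+) got framed IP (\d+\.\d+\.\d+\.\d+)")

def parse_sslvpn_debug(text):
    """Map each authenticated user to the group it matched and the framed IP it received."""
    sessions = {}
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            sessions.setdefault(m.group(1), {})["group"] = m.group(2)
            continue
        m = FRAMED_RE.search(line)
        if m:
            sessions.setdefault(m.group(1), {})["framed_ip"] = m.group(2)
    return sessions

def check_bindings(sessions, expected):
    """Return a list of problems: missing framed IP, mismatch with the RADIUS
    configuration, or the same framed IP handed to more than one user."""
    problems, seen = [], {}
    for user, info in sorted(sessions.items()):
        got = info.get("framed_ip")
        if got is None:
            problems.append(f"{user}: authenticated in {info.get('group')} but no framed IP was logged")
            continue
        if expected.get(user) != got:
            problems.append(f"{user}: got framed IP {got}, RADIUS server configured {expected.get(user)}")
        if got in seen:
            problems.append(f"{user}: framed IP {got} already assigned to {seen[got]}")
        seen[got] = user
    return problems
```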
Related article:
Technical Tip: Framed IP address for IPsec dialup users where RADIUS server is configured on FortiAu...