Created on 04-29-2013 09:09 AM Edited on 06-09-2022 09:07 PM By Anonymous
Purpose
This Technical Note describes configuration scenarios for RADIUS authentication of SSL VPN user groups. Remote users must be authenticated before they can request services or access network resources through the SSL VPN web portal or the SSL VPN client.
The authentication process relies on FortiGate user group definitions, which can use authentication mechanisms such as RADIUS to authenticate remote clients.
· Case 1: The user name and password are stored on the FortiGate unit.
· Case 2: The user name is stored on the FortiGate unit, and the password is stored on a remote or external authentication server.
· Case 3: A remote or external authentication server holds a database with the user name and password of each person who is permitted access.
This note covers only users of Case 2 and Case 3, with a RADIUS server as the authentication server.
Scope
• All FortiGate models
• FortiGate unit or VDOM in NAT mode only
• Tests have been done with firmware version 5.2.7 (build 711) and 5.4.0 (build 1011)
• Focus on SSL VPN tunnels with split tunnelling enabled
• Use of a RADIUS server on Windows Server 2008 NPS, a RADIUS server integrated with Active Directory
• User groups used in the configuration are usrgrp, salesgrp
User group information
User Name | Member of Group
user1 | usrgrp
sales1 | salesgrp
• Protected network information
Subnet | 10.40.0.0/22
LAN user range | 10.40.0.1-40
Server range | 10.40.0.41-50
The network behind the FortiGate unit is 10.40.0.0/22; LAN users use the IP address range 10.40.0.1-40, and servers use the IP address range 10.40.0.41-50.
Expectations, Requirements
Users should be able to authenticate against the RADIUS server and be assigned to their user group.
When a user from the group "usrgrp" connects to the SSL VPN, that user should get access to the LAN user IP address range 10.40.0.1-40.
When a user from the group "salesgrp" connects to the SSL VPN, that user should get access to the server IP address range 10.40.0.41-50.
Configuration
Configuration of the RADIUS server
config user radius
edit "radius"
set server "10.40.0.42"
set secret ENC Qeg/KhAVUX3JSQb+fi1Panx1MNu7INy9LEa1JfrHWGsQrGgu/yZoInj1U6DWEcEotNDKguRM+0twJQ5bQqJMfW4yx1voyGfrA/cGnsDs41MgsqzB
next
end
config vpn ssl web portal
edit "usrgrp-portal"
set tunnel-mode enable
set ipv6-tunnel-mode disable
set web-mode disable
set cache-cleaner disable
set host-check none
set limit-user-logins disable
set mac-addr-check disable
set os-check disable
set virtual-desktop disable
set ip-mode range
set auto-connect disable
set keep-alive disable
set save-password disable
set ip-pools "usrgrp-users-range"
set split-tunneling enable
set split-tunneling-routing-address "Local-LAN"
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
next
edit "salesgrp-portal"
set tunnel-mode enable
set ipv6-tunnel-mode disable
set web-mode disable
set cache-cleaner disable
set host-check none
set limit-user-logins disable
set mac-addr-check disable
set os-check disable
set virtual-desktop disable
set ip-mode range
set auto-connect disable
set keep-alive disable
set save-password disable
set ip-pools "salesgrp-users-range"
set split-tunneling enable
set split-tunneling-routing-address "Server-LAN"
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
next
end
config firewall address
edit "usrgrp-users-range"
set type iprange
set end-ip 10.212.134.20
set start-ip 10.212.134.10
next
edit "salesgrp-users-range"
set type iprange
set end-ip 10.212.134.40
set start-ip 10.212.134.30
next
edit "Local-LAN"
set type iprange
set end-ip 10.40.0.40
set start-ip 10.40.0.1
next
edit "Server-LAN"
set type iprange
set end-ip 10.40.0.50
set start-ip 10.40.0.41
next
end
config user local
edit "user1"
set type radius
set radius-server "lab_radius"
next
edit "sales1"
set type radius
set radius-server "lab_radius"
next
end
config user group
edit "local_user1"
set sslvpn-portal "usrgrp-portal"
set member "user1"
next
edit "local_sales1"
set sslvpn-portal "salesgrp-portal"
set member "sales1"
next
end
SSL VPN policy
You must create at least one SSL VPN security policy to authenticate users and provide access to the protected networks. Additional security policies are needed only if you have multiple web portals that provide access to different resources.
config firewall policy
edit 4
set uuid 842b669c-e689-51e5-057d-7b4f89fcc6ef
set srcintf "ssl.root"
set dstintf "port2"
set srcaddr "usrgrp-users-range"
set dstaddr "Local-LAN"
set action accept
set schedule "always"
set service "ALL"
set groups "local_user1"
next
edit 8
set uuid 8b1180fe-f4b2-51e5-e262-422678589b0e
set srcintf "ssl.root"
set dstintf "port2"
set srcaddr "salesgrp-users-range"
set dstaddr "Server-LAN"
set action accept
set schedule "always"
set service "ALL"
set groups "local_sales1"
next
end
Static Route configuration
With the tunnel mode configuration, you must add a static route, so that replies from the protected network can reach the remote SSL VPN client.
config router static
edit 3
set device "ssl.root"
set distance 1
set dst 10.212.134.0 255.255.255.0
next
end
Configuration for Case 3
Note - The configuration example for Case 3 reuses the SSL VPN portals and address objects from Case 2; only the user groups and the SSL VPN firewall policies are reconfigured, so that group membership is decided by the RADIUS server rather than by a local user entry.
config user group
edit "user1"
set member "radius"
config match
edit 1
set server-name "radius"
set group-name "user1"
next
end
next
edit "sales1"
set member "radius"
config match
edit 1
set server-name "radius"
set group-name "sales1"
next
end
next
end
config firewall policy
edit 9
set uuid b76b58d4-f4b5-51e5-8931-4b1f1bd265b7
set srcintf "ssl.root"
set dstintf "port2"
set srcaddr "all"
set dstaddr "Local-LAN"
set action accept
set schedule "always"
set service "ALL"
set groups "user1"
next
edit 10
set uuid cc36be52-f4b5-51e5-2a21-e01597444db0
set srcintf "ssl.root"
set dstintf "port2"
set srcaddr "all"
set dstaddr "Server-LAN"
set action accept
set schedule "always"
set service "ALL"
set groups "sales1"
next
end
Verification
Troubleshooting
diag debug reset
diag debug disable
diag debug application fnbamd -1
diag debug application sslvpn -1
diag debug enable
[1695:root:407]sslvpn_authenticate_user:168 authenticate user: [user1]
[1695:root:407]sslvpn_authenticate_user:175 create fam state
[1695:root:407]fam_auth_send_req:514 with server blacklist:
fnbamd_fsm.c[1890] handle_req-Rcvd auth req 1571178731 for user1 in local_user1 opt=00000100 prot=10
fnbamd_fsm.c[336] __compose_group_list_from_req-Group 'local_user1'
fnbamd_pop3.c[573] fnbamd_pop3_start-user1
fnbamd_cfg.c[519] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'lab_radius' for usergroup 'local_user1' (7)
fnbamd_radius.c[1060] fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_radius.c[1254] fnbamd_radius_auth_send-Sent radius req to server 'lab_radius': fd=12, IP=10.40.0.42 code=1 id=152 len=105 user="user1" using PAP
fnbamd_auth.c[271] radius_server_auth-Timer of rad 'lab_radius' is added
fnbamd_auth.c[688] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_auth.c[409] ldap_start-Didn't find ldap servers (0)
fnbamd_fsm.c[425] create_auth_session-Total 1 server(s) to try
[1695:root:407]fam_auth_send_req_internal:414 fnbam_auth return: 4
fnbamd_auth.c[2211] fnbamd_auth_handle_radius_result-Timer of rad 'lab_radius' is deleted
fnbamd_radius.c[365] extract_success_vsas-FORTINET attr, type 1, val usrgrp
fnbamd_radius.c[394] extract_success_vsas-FORTINET attr, type 6, val super_admin
fnbamd_auth.c[2237] fnbamd_auth_handle_radius_result-->Result for radius svr 'lab_radius' 10.40.0.42(0) is 0
fnbamd_auth.c[2265] fnbamd_auth_handle_radius_result-Skipping group matching
fnbamd_fsm.c[822] find_matched_usr_grps-Skipped group matching
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 1571178731
fnbamd_fsm.c[565] destroy_auth_session-delete session 1571178731
[1695:root:407]Auth successful for group local_user1
fnbamd_fsm.c[2194] handle_req-Rcvd 7 req
fnbamd_acct.c[265] fnbamd_acct_start_START-Error starting acct
fnbamd_fsm.c[1245] create_acct_session-Error start acct type 7
fnbamd_fsm.c[2206] handle_req-Error creating acct session 7
[1695:root:407]fam_do_cb:463 fnbamd return auth success.
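The debug output above shows fnbamd extracting the Fortinet VSAs (type 1, the group name; type 6, the access profile) from the RADIUS Access-Accept, which is the value the Case 3 `config match` block compares with `set group-name`. As an added example that is not part of this Technical Note or of Fortinet's code, the following Python script builds such an Access-Accept, verifies its Response Authenticator against the shared secret before trusting any attribute in it, and applies the group-name match; the request authenticator and the secret are constructed sample values, and 12356 is Fortinet's IANA enterprise number.

```python
import hashlib
import struct

# RFC 2865 codes plus Fortinet VSA numbers: 12356 is Fortinet's IANA enterprise
# number; VSA types 1 and 6 are what fnbamd logs as "FORTINET attr, type 1/6".
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1          # compared with "set group-name" in Case 3
FORTINET_ACCESS_PROFILE = 6

# Constructed sample values standing in for the Access-Request authenticator and the RADIUS secret.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"

def fortinet_vsa(vsa_type: int, value: str) -> bytes:
    """Encode one Fortinet VSA inside a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", vsa_type, 2 + len(value)) + value.encode()
    body = struct.pack("!I", FORTINET_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_access_accept(ident: int, attrs: bytes, secret: bytes = SECRET) -> bytes:
    """Access-Accept; Response Authenticator = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + REQUEST_AUTH + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_fortinet_vsas(packet: bytes, secret: bytes = SECRET) -> dict:
    """Verify the Response Authenticator (a reply signed with the wrong secret
    is rejected before any group name is trusted), then return {vsa_type: value}."""
    length = struct.unpack("!H", packet[2:4])[0]
    header, attrs = packet[:4], packet[20:length]
    if hashlib.md5(header + REQUEST_AUTH + attrs + secret).digest() != packet[4:20]:
        raise ValueError("Response Authenticator mismatch")
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        data = attrs[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(data) >= 6
                and struct.unpack("!I", data[:4])[0] == FORTINET_VENDOR_ID):
            found[data[4]] = data[6:4 + data[5]].decode()
        pos += alen
    return found

def group_matches(vsas: dict, group_name: str) -> bool:
    """Case 3 match: the Fortinet-Group-Name VSA must equal the configured group-name."""
    return vsas.get(FORTINET_GROUP_NAME) == group_name
```

If the shared secret on the NPS server and in `config user radius` differ, the authenticator check fails in the same way, which is the first thing to verify when fnbamd reports a non-zero result for the server.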
Related Articles
Technical Tip: FortiGate Radius VSA Dictionary (vendor-specific attributes)
Copyright 2025 Fortinet, Inc. All Rights Reserved.