FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 194966

This article describes how to reserve virtual IP address assignment for SSLVPN tunnel mode client based on authenticated user, and how to setup a FortiGate unit to work with a RADIUS server to pass RADIUS assigned SSLVPN tunnel end IP address to the SSLVPN tunnel client based on the user authenticated.

FortiGate units, running FortiOS firmware version 5.00 and higher
SSLVPN tunnel mode
During RADIUS authentication, the FortiGate system will look for the 'Framed-IP-Address' attribute (RFC 2865, section 5.8) in the Access-Accept packet. When this attribute is present and the FortiGate units is configured to use it, it will be given back to the client through IPsec, SSL-VPN and PPTP.

This feature is only supported in FortiOS firmware version 5.0 and higher.

For example:


-The Client PC establishes a SSLVPN tunnel mode to the FortiGate unit.
-The FortiGate unit is setup to send authentication request forwarded to RADIUS server.
-If authentication is successful, the RADIUS server sends Access-Accept packets with the RADIUS attribute of Framed-IP-Address (the IP address assigned/reserved for the user.) back to the FortiGate unit.
-The FortiGate unit uses PPP over the SSLVPN (tunnel mode) to deliver the IP address to the client PC.
-The FortiGate unit is running FortiOS 5.0 or higher
-The FortiGate unit is connected to internet
-The FortiGate unit is set up so that remote clients can connect in SSLVPN tunnel mode authenticated by RADIUS server. See the SSLVPN User Guide on the Technical Documentation Web Site ( for general SSLVPN tunnel mode setup.
-The RADIUS server is properly setup for the correct Framed-IP-Address setup for users, so that RADIUS server will send Framed-IP-Address associated with the user in access accept packet.
-Fortinet is not responsible to the setup on RADIUS server.
Here is just a example of setup for FreeRadius:

fortinettest    Auth-Type := CHAP, User-Password == "fortinet"
Service-Type = Framed-User,
Session-Timeout = 180,
Idle-Timeout = 120,
Framed-IP-Address =,
To configure it via CLI on Fortigate:
FortiOS 5.0.X:

#config vpn ssl web portal
edit "SSL-Portal"
set allow-access web
set heading "Welcome to SSL VPN Service"
config widget
edit 3
set name "Tunnel Mode"
set type tunnel
set tunnel-status enable
set split-tunneling enable
set ip-mode usrgrp                <------- address is assigned by a RADIUS user group.

FortiOS 5.2 or above:

#config vpn ssl web portal
edit tunnel-access
set ip-mode user-group            <------- address is assigned by a RADIUS user group.