Author: bfeng (Staff)
Description
This article describes how to reserve a virtual IP address for an SSLVPN tunnel mode client based on the authenticated user, and how to set up a FortiGate unit to work with a RADIUS server so that the RADIUS-assigned SSLVPN tunnel end IP address is passed to the tunnel client for the user that authenticated.


Scope
FortiGate units running FortiOS firmware version 5.00 and higher
RADIUS
SSLVPN tunnel mode
Solution
During RADIUS authentication, the FortiGate unit looks for the 'Framed-IP-Address' attribute (RFC 2865, section 5.8) in the Access-Accept packet. When this attribute is present and the FortiGate unit is configured to use it, the address is handed back to the client over IPsec, SSL-VPN or PPTP.

This feature is only supported in FortiOS firmware version 5.0 and higher.

For example:

[Figure: VPN dial-up diagram (bfeng_vpndialupdiagram1.jpg)]

Summary:
- The client PC establishes an SSLVPN tunnel mode connection to the FortiGate unit.
- The FortiGate unit is set up to forward the authentication request to the RADIUS server.
- If authentication is successful, the RADIUS server sends an Access-Accept packet carrying the RADIUS attribute Framed-IP-Address (the IP address assigned/reserved for the user) back to the FortiGate unit.
- The FortiGate unit uses PPP over the SSLVPN tunnel to deliver that IP address to the client PC.

Prerequisites:
- The FortiGate unit is running FortiOS 5.0 or higher.
- The FortiGate unit is connected to the Internet.
- The FortiGate unit is set up so that remote clients can connect in SSLVPN tunnel mode, authenticated by the RADIUS server. See the SSLVPN User Guide on the Technical Documentation web site (https://docs.fortinet.com) for general SSLVPN tunnel mode setup.
- The RADIUS server is set up with the correct Framed-IP-Address for each user, so that it sends the Framed-IP-Address associated with the user in the Access-Accept packet.
- Fortinet is not responsible for the setup of the RADIUS server.

Here is an example of a user entry for FreeRADIUS (users file); the reply items are indented and the last one carries no trailing comma:

fortinettest    Auth-Type := CHAP, User-Password == "fortinet"
        Service-Type = Framed-User,
        Session-Timeout = 180,
        Idle-Timeout = 120,
        Framed-IP-Address = 192.168.253.25
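As an added example (not from this article or from Fortinet), the following Python builds a RADIUS Access-Accept carrying the reply items of the FreeRADIUS entry above and then extracts Framed-IP-Address the way a NAS such as the FortiGate must: only after verifying the Response Authenticator (RFC 2865 section 3) and only when the value is a real address rather than one of the RFC 2865 section 5.8 marker values. The request authenticator and shared secret are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

ACCESS_ACCEPT = 2
# RFC 2865 attribute types used by the FreeRADIUS reply items above
ATTR_SERVICE_TYPE, ATTR_FRAMED_IP, ATTR_SESSION_TIMEOUT, ATTR_IDLE_TIMEOUT = 6, 8, 27, 28

def _tlv(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_access_accept(ident, request_auth, secret, framed_ip):
    """Access-Accept carrying the reply items from the users entry above."""
    attrs = (_tlv(ATTR_SERVICE_TYPE, struct.pack("!I", 2))  # 2 = Framed-User
             + _tlv(ATTR_SESSION_TIMEOUT, struct.pack("!I", 180))
             + _tlv(ATTR_IDLE_TIMEOUT, struct.pack("!I", 120))
             + _tlv(ATTR_FRAMED_IP, socket.inet_aton(framed_ip)))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs

def framed_ip_from_accept(packet, request_auth, secret):
    """Verify the Response Authenticator, then return Framed-IP-Address or None."""
    if (len(packet) < 20 or packet[0] != ACCESS_ACCEPT
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # forged or replayed reply: trust none of its attributes
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None  # malformed attribute: reject the whole packet
        if atype == ATTR_FRAMED_IP and alen == 6:
            ip = socket.inet_ntoa(attrs[pos + 2:pos + 6])
            # RFC 2865 s.5.8: 0xFFFFFFFF/0xFFFFFFFE mean "user picks"/"NAS picks"
            return None if ip in ("255.255.255.255", "255.255.255.254") else ip
        pos += alen
    return None

# Constructed sample values (not from the article); 192.168.253.25 is the entry's Framed-IP-Address.
SAMPLE_REQ_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_ACCEPT = build_access_accept(7, SAMPLE_REQ_AUTH, SAMPLE_SECRET, "192.168.253.25")
```

A reply whose authenticator does not verify against the shared secret and the original request authenticator yields no address at all, which is the behaviour to expect from a NAS.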

To configure it via the CLI on the FortiGate:

FortiOS 5.0.X:

config vpn ssl web portal
    edit "SSL-Portal"
        set allow-access web
        set heading "Welcome to SSL VPN Service"
        config widget
            edit 3
                set name "Tunnel Mode"
                set type tunnel
                set tunnel-status enable
                set split-tunneling enable
                set ip-mode usrgrp                <------- address is assigned by a RADIUS user group.
            next
        end
    next
end

FortiOS 5.2 or above:

config vpn ssl web portal
    edit tunnel-access
        set ip-mode user-group            <------- address is assigned by a RADIUS user group.
    next
end


Internal Notes
Debug:

Debug on both sslvpn and ppp:

SSLVPN
diag debug app sslvpn 255

PPP
diag debug app ppp 255

See below for a sample capture from a successful case.

FG3K6A3406605059 # diag de app ppp 255
FG3K6A3406605059 # diag de en
FG3K6A3406605059 # diag de app sslvpn 255


FG3K6A3406605059 # [163:root]SSL state:before/accept initialization (192.168.183.254)
[163:root]SSL state:SSLv2/v3 read client hello A:(null)(192.168.183.254)
[163:root]SSL state:SSLv3 read client hello A (192.168.183.254)
[163:root]SSL state:SSLv3 write server hello A (192.168.183.254)
[163:root]SSL state:SSLv3 write certificate A (192.168.183.254)
[163:root]SSL state:SSLv3 write key exchange A (192.168.183.254)
[163:root]SSL state:SSLv3 write server done A (192.168.183.254)
[163:root]SSL state:SSLv3 flush data (192.168.183.254)
[163:root]SSL state:SSLv3 read client certificate A:(null)(192.168.183.254)
[163:root]SSL state:SSLv3 read client certificate A:(null)(192.168.183.254)
[163:root]SSL state:SSLv3 read client key exchange A (192.168.183.254)
[163:root]SSL state:SSLv3 read finished A (192.168.183.254)
[163:root]SSL state:SSLv3 write change cipher spec A (192.168.183.254)
[163:root]SSL state:SSLv3 write finished B (192.168.183.254)
[163:root]SSL state:SSLv3 flush data (192.168.183.254)
[163:root]SSL state:SSL negotiation finished successfully (192.168.183.254)
[163:root]rmt_tunnel.c,sslvpn_tunnel_handler,45, Calling rmt_conn_access_ex.
[163:root]rmt_websession.c:294 decode session id ok, user=[fortinettest],group=[sslgrp],host=[192.168.183.254],idx=0,auth=2,login=1234409264
[163:root]rmt_tunnel.c,sslvpn_tunnel_handler,79, Calling tunnel.
[163:root]tunnel_state.c:393 0x8ea01a0:0x8ea4d88 sslvpn user[fortinettest],type 2,logintime 1234409264 vd 0
[163:root]rmt_apsession.c:697 tunnel vd[root] ip[192.168.253.25]             !!!!! Framed-IP-Address returned by RADIUS server
[163:root]vfid=0 local=[172.31.210.237] remote=[192.168.183.254] dynamicip=[192.168.253.25]
[163:root]Prepare to launch pppd...
[163:root]tun: dev located: (nil)
[163:root]tun: ppp 0x8f1f808 dev assigned: 0x8ea5b48 ref 1
SND: LCP Configure_Request id(1) len(10) [Magic_Number 338AA76F]
RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1004] [Magic_Number 5D4E4CAA] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[163:root]lcp_reqci: returning CONFREJ.
SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 338AA76F]
RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1004] [Magic_Number 5D4E4CAA] [Multilink_Endpoint_Descriminator]
[163:root]lcp_reqci: returning CONFACK.
SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1004] [Magic_Number 5D4E4CAA] [Multilink_Endpoint_Descriminator]
[163:root]lcp_up: with mtu 1004
SND: IPCP Configure_Request id(1) [IP_Address 172.31.210.237] [Primary_DNS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0]
RCV: CCP Configure_Request id(2) [Microsoft_PPC]
SND: LCP Protocol_Reject id(2) len(18)
RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[163:root]ipcp: returning Configure-REJ
SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
RCV: IPCP Configure_Reject id(1) [Primary_DNS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0]
SND: IPCP Configure_Request id(2) [IP_Address 172.31.210.237]
RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[163:root]ipcp: returning Configure-NAK
SND: IPCP Configure_Nak id(4) [IP_Address 192.168.253.25]
RCV: IPCP Configure_Ack id(2) [IP_Address 172.31.210.237]
RCV: IPCP Configure_Request id(5) [IP_Address 192.168.253.25]
[163:root]ipcp: returning Configure-ACK
SND: IPCP Configure_Ack id(5) [IP_Address 192.168.253.25]       !!!!!!!Fortigate uses PPP deliver the IP address to the client
[163:root]ipcp: up ppp:0x8f1f808 tun:0x8ea5b48 ref 1
[163:root]Cannot determine ethernet address for proxy ARP
[163:root]local  IP address 172.31.210.237
[163:root]remote IP address 192.168.253.25
[163:root]sys-fortik.c:700 associate 192.168.253.25 to tun (22)
[165:root]main.c,epollFdHandler,467, sconn=0x8ea5f48[10,-1,-1,-1,-1], event fd=10, event=25.
[165:root]main.c:524 s: 0x8ea5f48 event: 0x19
[165:root]main.c,epollFdHandler,467, sconn=0x8ea5f48[10,-1,-1,-1,-1], event fd=10, event=25.
[165:root]main.c:524 s: 0x8ea5f48 event: 0x19
[165:root]Destroy sconn 0x8ea5f48, connSize=0.
[164:root]SSL state:before/accept initialization (192.168.183.254)
[164:root]SSL state:SSLv2/v3 read client hello A:(null)(192.168.183.254)
[164:root]SSL state:SSLv3 read client hello A (192.168.183.254)
[164:root]SSL state:SSLv3 write server hello A (192.168.183.254)
[164:root]SSL state:SSLv3 write certificate A (192.168.183.254)
[164:root]SSL state:SSLv3 write server done A (192.168.183.254)
[164:root]SSL state:SSLv3 flush data (192.168.183.254)
[164:root]SSL state:SSLv3 read client certificate A:(null)(192.168.183.254)
[164:root]SSL state:SSLv3 read client certificate A:(null)(192.168.183.254)
[164:root]SSL state:SSLv3 read client key exchange A (192.168.183.254)
[164:root]SSL state:SSLv3 read finished A (192.168.183.254)
[164:root]SSL state:SSLv3 write change cipher spec A (192.168.183.254)
[164:root]SSL state:SSLv3 write finished A (192.168.183.254)
[164:root]SSL state:SSLv3 flush data (192.168.183.254)
[164:root]SSL state:SSL negotiation finished successfully (192.168.183.254)
[164:root]rmt_websession.c:294 decode session id ok, user=[fortinettest],group=[sslgrp],host=[192.168.183.254],idx=0,auth=2,login=1234409264
[164:root]rmt_websession.c:294 decode session id ok, user=[fortinettest],group=[sslgrp],host=[192.168.183.254],idx=0,auth=2,login=1234409264


FG3K6A3406605059 #

FG3K6A3406605059 # diag de reset
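As an added troubleshooting check (not part of this article), the following Python walks a `diag debug app sslvpn` / `diag debug app ppp` trace like the one above and reports whether the address the FortiGate received from RADIUS (the `tunnel vd[root] ip[...]` line annotated above) is the one the client finally accepts in the IPCP Configure_Ack. The embedded trace excerpt is constructed from the lines shown above, with the unrelated lines left out.

```python
import re

# Constructed excerpt of the trace above: only the lines that matter for the
# address hand-off (a real capture has many more lines between them).
SAMPLE_TRACE = """\
[163:root]rmt_websession.c:294 decode session id ok, user=[fortinettest],group=[sslgrp],host=[192.168.183.254],idx=0,auth=2,login=1234409264
[163:root]rmt_apsession.c:697 tunnel vd[root] ip[192.168.253.25]
[163:root]vfid=0 local=[172.31.210.237] remote=[192.168.183.254] dynamicip=[192.168.253.25]
SND: IPCP Configure_Request id(2) [IP_Address 172.31.210.237]
RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
SND: IPCP Configure_Nak id(4) [IP_Address 192.168.253.25]
RCV: IPCP Configure_Request id(5) [IP_Address 192.168.253.25]
SND: IPCP Configure_Ack id(5) [IP_Address 192.168.253.25]
[163:root]remote IP address 192.168.253.25
"""

USER_RE = re.compile(r"decode session id ok, user=\[([^\]]*)\],group=\[([^\]]*)\]")
RADIUS_IP_RE = re.compile(r"tunnel vd\[[^\]]*\] ip\[(\d+\.\d+\.\d+\.\d+)\]")
IPCP_RE = re.compile(r"^(SND|RCV): IPCP (Configure_\w+) id\((\d+)\) \[IP_Address (\d+\.\d+\.\d+\.\d+)\]")


def check_tunnel_ip(trace):
    """Walk an sslvpn/ppp debug trace and report whether the address the FortiGate
    got from RADIUS is the one the client finally accepted over IPCP."""
    result = {"user": None, "group": None, "radius_ip": None,
              "nak_ip": None, "ack_ip": None, "ok": False}
    for line in trace.splitlines():
        m = USER_RE.search(line)
        if m:
            result["user"], result["group"] = m.group(1), m.group(2)
        m = RADIUS_IP_RE.search(line)
        if m:
            result["radius_ip"] = m.group(1)
        m = IPCP_RE.match(line)
        if not m:
            continue
        direction, msg, _ident, ip = m.groups()
        if direction == "SND" and msg == "Configure_Nak":
            result["nak_ip"] = ip  # FortiGate telling the client which address to use
        elif direction == "SND" and msg == "Configure_Ack":
            result["ack_ip"] = ip  # the client's request for that address was accepted
    result["ok"] = result["radius_ip"] is not None and result["ack_ip"] == result["radius_ip"]
    return result
```

If `ok` is false while `radius_ip` is set, the address came back from RADIUS but was not the one negotiated over PPP, which points at the portal's ip-mode setting rather than at the RADIUS server.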

On the client:
From the PC, enable PPP tracing:
netsh ras set tracing ppp enabled
The log file is saved to C:\Windows\tracing.



=====================================================
This KB article should be maintained by: TAC-L3
Articles with very similar or duplicate content exist: none
Content of this KB article could be integrated to another article:none
Is this article relevant to currently supported product versions: yes
What currently supported versions is this article relevant to: 4.3/5.0
Is this article ONLY relevant to non-supported versions: no
If this article was written for an unsupported version, can it be modified/updated for a supported one: N/A
Is this topic already documented in TechDocs: no (the SSLVPN guide has a section on tunnel mode settings, but it only briefly defines the ip-mode setting in the tunnel widget and gives no details of how it should work)
Do you propose this article to be discontinued/moved to internal KB area: no
Article was rewritten, as a result of this evaluation: no
Changes done:
Other remarks and recommendations:
Date this article was evaluated: 2013-03-26
Evaluated by: (Bryan Feng, bfeng@fortinet.com - Vancouver TAC, escalation)
=====================================================
