- The client PC establishes an SSLVPN tunnel-mode connection to the FortiGate unit.
- The FortiGate unit is set up to forward authentication requests to the RADIUS server.
- If authentication is successful, the RADIUS server sends an Access-Accept packet containing the RADIUS attribute Framed-IP-Address (the IP address assigned/reserved for the user) back to the FortiGate unit.
- The FortiGate unit uses PPP over the SSLVPN (tunnel mode) to deliver the IP address to the client PC.

Prerequisites:
- The FortiGate unit is running FortiOS 5.0 or higher.
- The FortiGate unit is connected to the Internet.
- The FortiGate unit is set up so that remote clients can connect in SSLVPN tunnel mode, authenticated by a RADIUS server. See the SSLVPN User Guide on the Technical Documentation Web Site (https://docs.fortinet.com) for general SSLVPN tunnel mode setup.
- The RADIUS server is configured with the correct Framed-IP-Address for each user, so that it sends the Framed-IP-Address associated with the user in the Access-Accept packet.
- Fortinet is not responsible for the setup of the RADIUS server. The following is just an example of a setup for FreeRADIUS:

fortinettest Auth-Type := CHAP, User-Password == "fortinet"
    Service-Type = Framed-User,
    Session-Timeout = 180,
    Idle-Timeout = 120,
    Framed-IP-Address = 192.168.253.25

To configure it via the CLI on the FortiGate:

FortiOS 5.0.X:

# config vpn ssl web portal
    edit "SSL-Portal"
        set allow-access web
        set heading "Welcome to SSL VPN Service"
        config widget
            edit 3
                set name "Tunnel Mode"
                set type tunnel
                set tunnel-status enable
                set split-tunneling enable
                set ip-mode usrgrp    <------- address is assigned by a RADIUS user group.
            next
        end
    next
end

FortiOS 5.2 or above:

# config vpn ssl web portal
    edit tunnel-access
        set ip-mode user-group    <------- address is assigned by a RADIUS user group.
    next
end
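
When troubleshooting the flow above, it helps to confirm from a captured Access-Accept that the reply is authentic and actually carries Framed-IP-Address. The following is an added example, not Fortinet code: it checks the RFC 2865 Response Authenticator and extracts attribute 8. The function names, shared secret and Request Authenticator are assumptions made up for the sample; the attribute values mirror the FreeRADIUS entry above.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
FRAMED_IP_ADDRESS = 8    # RADIUS attribute type (RFC 2865)

def build_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept from (type, value) pairs; used only for sample data."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def framed_ip_from_accept(packet, request_auth, secret):
    """Return the Framed-IP-Address of a verified Access-Accept, or None if absent."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    packet = packet[:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    framed, pos = None, 20
    while pos < length:
        # An attribute is type(1) + length(1) + value; length counts all three.
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if packet[pos] == FRAMED_IP_ADDRESS:
            if alen != 6:
                raise ValueError("Framed-IP-Address must be 4 octets")
            framed = ipaddress.IPv4Address(packet[pos + 2:pos + 6])
        pos += alen
    return framed

# Constructed sample: the secret and Request Authenticator are made up; the
# attribute values mirror the FreeRADIUS entry on this page.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_accept(1, REQUEST_AUTH, SECRET, [
    (6, struct.pack("!I", 2)),        # Service-Type = Framed-User
    (27, struct.pack("!I", 180)),     # Session-Timeout = 180
    (28, struct.pack("!I", 120)),     # Idle-Timeout = 120
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.253.25").packed),
])
```

A return value of None means the server accepted the user but sent no Framed-IP-Address, which points at the user entry on the RADIUS server rather than at the portal ip-mode setting.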