FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aahmadzada
Staff
Article Id 229274

Description

 

This article describes the configuration steps necessary to apply FSSO rules to SSL VPN users.

 

Scope

 

FortiOS 7.0 and newer versions.

 

Solution

 

FSSO rules can be used for the traffic generated by remote access VPN users.

To keep an accurate and current mapping of the username to the IP address that the FortiGate assigned to that user, the collector agent has to learn the IP address that was assigned to each VPN user.

 

This can be done with RADIUS accounting messages. See the following document for an explanation:

 

Dynamic address support for SSL VPN policies.

 

However, the environment may not have a RADIUS server, or may be unable to support one.

If this is the case, the user identity information can instead be delivered to the collector agent through syslog.

 

A remote user group can be used for authentication while an FSSO group is separately used for authorization. Using a dummy policy for remote user authentication and a policy for FSSO group authorization, FSSO can be used with SSL VPN tunnels.

This image shows the authentication and authorization flow:

 

[Image: aahmadzada_0-1667906458274.jpeg]

 

In this example, the Collector Agent acts as a syslog server. It receives a syslog message when the user connects to the VPN; from that message it takes the username and the tunnel IP address that was assigned during the VPN connection, queries the LDAP server for the user's group membership, and forms the FSSO entry, which it later sends to the FortiGate.

[Image: aahmadzada_0-1667906519348.png]

 


The user PC here is the PC with the IP address 192.168.180.99.

The Collector Agent is running on a dedicated server with IP address 192.168.180.203.

AD is running on a server with IP address 192.168.180.200.

AD is already configured with a group called sslvpn-users and a group called sslvpn-users-fsso; the user jsmith is a member of both groups.

 

Configure the Fortinet Single Sign-On Collector Agent:

 

  1. Configure a password for FSSO:

 

[Image: aahmadzada_0-1667906719100.png]

 

  2. Enable the Syslog Listener:

     

    [Image: aahmadzada_1-1667906719103.png]

     

     

  3. Configure the LDAP Server:

     

    [Image: aahmadzada_2-1667906719105.png]

     

    [Image: aahmadzada_3-1667906719108.png]

     

    The LDAP server is necessary to configure the user group membership for the SSLVPN user.

     

     

  4. Configure Syslog Rules:

     

    [Image: aahmadzada_4-1667906719110.png]

     

    [Image: MicrosoftTeams-image (16)1.png]

     

    NOTE: Due to the nature of the FortiOS log message structure, the field 'Client IPv4 Field' must be configured as stated in the image with a space character at the end of the line:

     

    tunnelip={{:client_ip}} 

     

    The remaining fields should not contain a space character at the end of the line:

     

    Name: fsso-sslvpn-syslog

    Trigger: logdesc="SSL

    Logon: 0101039947

    Update: 0101039949

    Logoff: 0101039948

    Username Field: user="{{:user}}"

     

    Test the configured rule. If the rule is configured properly, the result will be as shown:

     

    [Image: MicrosoftTeams-image (16).png]

     

     

  5. Map the configured rule to the FortiGate and LDAP:

     

    [Image: aahmadzada_7-1667906719116.png]

     

     

    [Image: aahmadzada_8-1667906719119.png]

     

    Here, 192.168.100.1 is the IP address of the FortiGate.

     

Configure the FortiGate:

 

To configure the FortiGate in the CLI:

 

  1. Set up the LDAP server:

 

    config user ldap
        edit "AD"
            set server "192.168.100.200"
            set cnid "samaccountname"
            set dn "dc=test,dc=lab"
            set type regular
            set username "TEST\\Administrator"
            set password admin_password
        next
    end

 

  2. Set up the FSSO connector:

     

    config user fsso
        edit "FSSO_CA"
            set server "192.168.100.203"
            set password 123456
            set ldap-server "AD"
        next
    end

     

     

  3. Create a user group for the LDAP server:

     

    config user group
        edit "sslvpn_users"
            set member "AD"
            config match
                edit 1
                    set server-name "AD"
                    set group-name "CN=sslvpn-users,CN=Users,DC=TEST,DC=LAB"
                next
            end
        next
    end

     

     

  4. Create an FSSO user group:

     

    config user group
        edit "sslvpn-users-fsso"
            set group-type fsso-service
            set member "CN=fsso_group1,CN=Users,DC=TEST,DC=LAB"
        next
    end

     

     

  5. Configure the appropriate SSL VPN portal and authentication rules:

     

    config vpn ssl web portal
        edit "none"
        next
        edit "test_portal"
            set tunnel-mode enable
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
        next
    end

    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set idle-timeout 0
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set dns-server1 192.168.100.200
        set source-interface "port1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "none"
        config authentication-rule
            edit 1
                set groups "sslvpn_users"
                set portal "test_portal"
            next
        end
    end

     

     

  6. Configure firewall addresses:

     

    config firewall address
        edit "none"
            set subnet 0.0.0.0 255.255.255.255
        next
    end

     

     

  7. Create one dummy policy for authentication only, and one regular FSSO policy for authorization:

     

    config firewall policy
        edit 1
            set name "sslvpn-authentication-policy"
            set srcintf "ssl.root"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "none"
            set schedule "always"
            set service "ALL"
            set groups "sslvpn_users"
        next
        edit 2
            set name "sslvpn-authorization-policy"
            set srcintf "ssl.root"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set groups "sslvpn-users-fsso"
        next
    end

     

     

  8. Configure syslog logging:


    Only the specific syslog messages that are listed in the free-style log filter will be sent to the collector agent:

     

    config log syslogd setting
        set status enable
        set server "192.168.100.203"
    end

    config log syslogd filter
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set ztna-traffic disable
        set anomaly disable
        set voip disable
        set gtp disable
        config free-style
            edit 1
                set category event
                set filter "((logid 0101039947) or (logid 0101039948) or (logid 0101039949))"
            next
        end
    end

     

    These log IDs contain the necessary information to create the FSSO entry:

     

    Log ID        Log Description                             Log Meaning
    0101039947    LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_UP      SSL VPN tunnel up
    0101039948    LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_DOWN    SSL VPN tunnel down
    0101039949    LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_STATS   SSL VPN statistics
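    As an added example (not Fortinet's code and not the Collector Agent's implementation), the following Python models the two filtering stages this article configures: the free-style filter from the syslog logging step, which decides which event logs leave the FortiGate, and the collector agent's syslog rule fsso-sslvpn-syslog, which turns a forwarded line into an FSSO logon, update or logoff event. The log lines are constructed to resemble FortiOS key=value events and were not captured from a device. The template semantics (a {{:placeholder}} consumes text up to the literal that follows it in the template, or to the end of the line when nothing follows) is an assumption made here to show why the trailing space after tunnelip={{:client_ip}} matters, since tunnelip is an unquoted field while user is quoted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample syslog lines in FortiOS key=value style (not captured from a
# real device). The third line carries a PLACEHOLDER log ID so the filter has
# something to drop.
SAMPLE_SYSLOG = [
    'date=2022-11-08 time=10:15:01 logid="0101039947" type="event" subtype="vpn" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" '
    'remip=198.51.100.7 tunnelip=10.212.134.200 user="jsmith" group="sslvpn_users" '
    'msg="SSL tunnel established"',
    'date=2022-11-08 time=10:15:02 logid="0101039949" type="event" subtype="vpn" '
    'logdesc="SSL VPN statistics" action="tunnel-stats" tunneltype="ssl-tunnel" '
    'remip=198.51.100.7 tunnelip=10.212.134.200 user="jsmith" group="sslvpn_users" '
    'duration=1 sentbyte=0 rcvdbyte=0 msg="SSL tunnel statistics"',
    'date=2022-11-08 time=10:15:03 logid="0000000000" type="event" subtype="vpn" '
    'logdesc="PLACEHOLDER unrelated event" user="jsmith" msg="not an FSSO trigger"',
    'date=2022-11-08 time=10:20:00 logid="0101039948" type="event" subtype="vpn" '
    'logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" '
    'remip=198.51.100.7 tunnelip=10.212.134.200 user="jsmith" group="sslvpn_users" '
    'duration=299 sentbyte=10819 rcvdbyte=0 msg="SSL tunnel shutdown"',
]

# --- FortiGate side: the free-style filter from the article ------------------
FREESTYLE_FILTER = "((logid 0101039947) or (logid 0101039948) or (logid 0101039949))"


def allowed_logids(filter_expr: str) -> Set[str]:
    """Collect the log IDs of an OR-only free-style filter '((logid A) or (logid B) ...)'.
    Only this OR-ed shape is supported by this example."""
    return set(re.findall(r"\(logid (\d+)\)", filter_expr))


def logid_of(line: str) -> Optional[str]:
    m = re.search(r'\blogid="?(\d+)"?', line)
    return m.group(1) if m else None


def forwarded_by_fortigate(line: str, filter_expr: str = FREESTYLE_FILTER) -> bool:
    """True when the FortiGate would send this event to the syslog server."""
    return logid_of(line) in allowed_logids(filter_expr)


# --- Collector side: the syslog rule fsso-sslvpn-syslog ------------------------
@dataclass
class SyslogRule:
    name: str
    trigger: str
    logon: str
    update: str
    logoff: str
    username_field: str
    client_ip_field: str


RULE = SyslogRule(
    name="fsso-sslvpn-syslog",
    trigger='logdesc="SSL',
    logon="0101039947",
    update="0101039949",
    logoff="0101039948",
    username_field='user="{{:user}}"',
    client_ip_field="tunnelip={{:client_ip}} ",  # trailing space is deliberate
)


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Assumed semantics: a {{:name}} placeholder consumes text up to the literal
    that follows it; a placeholder at the end of the template consumes the rest
    of the line. Literal text is matched exactly (including spaces)."""
    parts = re.split(r"\{\{:(\w+)\}\}", template)  # literal, name, literal, ...
    pattern = ""
    for i, part in enumerate(parts):
        if i % 2 == 0:
            pattern += re.escape(part)
        else:
            following = parts[i + 1]
            pattern += f"(?P<{part}>.*?)" if following else f"(?P<{part}>.*)"
    return re.compile(pattern)


def extract(template: str, line: str) -> Optional[str]:
    m = template_to_regex(template).search(line)
    return m.group(1) if m else None


def apply_rule(rule: SyslogRule, line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return an FSSO event (action, user, client_ip), or None when the line does
    not contain the trigger text or carries none of the three log IDs."""
    if rule.trigger not in line:
        return None
    actions = {rule.logon: "logon", rule.update: "update", rule.logoff: "logoff"}
    action = actions.get(logid_of(line) or "")
    if action is None:
        return None
    return {
        "action": action,
        "user": extract(rule.username_field, line),
        "client_ip": extract(rule.client_ip_field, line),
    }


def process(lines: List[str], rule: SyslogRule = RULE,
            filter_expr: str = FREESTYLE_FILTER) -> List[Dict[str, Optional[str]]]:
    """Pipeline: FortiGate free-style filter -> collector syslog rule -> FSSO events."""
    events = []
    for line in lines:
        if forwarded_by_fortigate(line, filter_expr):
            event = apply_rule(rule, line)
            if event:
                events.append(event)
    return events


if __name__ == "__main__":
    for ev in process(SAMPLE_SYSLOG):
        print(ev)
    # Without the trailing space the IP capture runs on into the next fields:
    print(extract("tunnelip={{:client_ip}}", SAMPLE_SYSLOG[0]))
```

    Running the block prints three events (logon, update, logoff) for jsmith at 10.212.134.200, then shows that the template without the trailing space captures "10.212.134.200 user=..." instead of the bare address, which is the defect the NOTE in the syslog-rule step warns about.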

     

    Results:

     

    get vpn ssl monitor

    SSL-VPN Login Users:
     Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
     0       jsmith          sslvpn_users   16(1)            28750  28750    192.168.180.99 0/0     0/0     0

    SSL-VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       jsmith          sslvpn_users   192.168.180.99   50      10819/0        10.212.134.200

    diag firewall auth list

    10.212.134.200, JSMITH
            type: fsso, id: 0, duration: 12, idled: 12
            server: FSSO_CA
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 3 33554433
            group_name: sslvpn-users-fsso CN=fsso_group1,CN=Users,DC=TEST,DC=LAB

    10.212.134.200, jsmith
            type: fw, id: 0, duration: 13, idled: 13
            expire: 28786, allow-idle: 28799
            flag(80): sslvpn
            server: AD
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 2
            group_name: sslvpn_users

     

    The first entry is the entry that came from the collector agent as an FSSO logon (type: fsso).

    The second entry is the user authentication for the SSL VPN connection (type: fw, flag(80): sslvpn).