Created on 09-15-2024 10:19 PM Edited on 09-25-2024 11:38 PM By Jean-Philippe_P
Description: This article describes how to configure a dialup IPsec VPN with SAML authentication.
Scope: FortiGate v7.2 and above, FortiClient 7.2.4 and above.
Solution:
SAML-based authentication for dialup IPsec VPN is available on FortiGate v7.2 and above and requires FortiClient v7.2.4 or later.
Configuration on Azure: On the Azure side, follow the Fortinet document 'Configuring Microsoft Entra ID as SAML IdP and FortiGate as SAML SP' to register the FortiGate as the SAML service provider. The SAML SP details shown below are the ones that will be used:
Note: In those SP URLs, replace the IP with https://<WAN interface IP>:<port configured in step 1 below>. This interface has to be reachable from the public Internet, because the SAML exchange is completed over HTTPS to this port before the tunnel is up. The related settings on the FortiGate side are also covered in that document.
On the FortiGate, first set the port on which the SAML service provider for IKE listens:
HUB # config system global
HUB (global) # set auth-ike-saml-port <0-65535, default = 1001>
HUB (global) # end
In this example port 1111 is used. Any currently unused port can be chosen, but it must match the port in the SP URLs registered on Azure:
User group:
Single Sign-On in the GUI:
CLI configuration of Single Sign-On:
Output from the CLI:
For dialup IPsec with SAML, extra commands need to be enabled under the IPsec phase 1 settings. EAP is only available with IKEv2, so the phase 1 must use 'set ike-version 2':
HUB # config vpn ipsec phase1-interface
HUB (phase1-interface) # edit FCT_SAML
HUB (FCT_SAML) # set eap enable
HUB (FCT_SAML) # set eap-identity send-request
HUB (FCT_SAML) # set authusrgrp SAML_Dial    <----- This is the firewall user group that contains the SAML user.
HUB (FCT_SAML) # end
Firewall policy:
Note: Unlike an SSL VPN firewall policy, there is no need to add a source user group to the policy, because for dialup VPN the user is authenticated when the tunnel is negotiated (the SAML group is already bound to phase 1 via authusrgrp). If a source user group is added to the firewall policy for the dialup VPN interface, the tunnel still comes up, but data traffic may be interrupted and the user may not be able to reach the internal network; a flow debug ('diagnose debug flow') will then show the traffic not matching the policy.
Configuration on the FortiClient side:
Basic settings:
Phase 1: a local ID has to be specified; it can be any custom value:
Phase 2:
After successful authentication with Microsoft, the connection should be established as below:
On the FortiGate side, the command 'diagnose vpn ike gateway list' should show the remote authenticated user:
In the FortiGate GUI, go to Dashboard -> Network and open the IPsec widget; it also shows the VPN connection together with the user:
Copyright 2024 Fortinet, Inc. All Rights Reserved.