FortiGate
lvannstruth
Staff
Article Id 323173
Description

This article describes how to implement Fortinet Single Sign-On (FSSO) for IPsec IKEv1 dial-up VPN clients using syslog.

Scope

FortiOS 7.0 and newer releases.

Solution

FSSO groups can be used to control access to resources depending on a user being logged in and their AD/LDAP group membership. In order for this to work with an IPsec dialup VPN client, the FSSO collector agent must be notified of the user’s LDAP user/group information, as well as the VPN user IP address.

 

This can be accomplished by using syslog to deliver this information from the FortiGate to the collector agent. A remote LDAP user group is still needed for XAUTH authentication to the IPsec tunnel, but once users have authenticated to the VPN, FSSO groups can be used to control their access.

 

The authentication flow is as follows:

 

[Figure: auth-flow.png]

 

In this topology, the collector agent is installed directly on the domain controller. This is NOT required for this configuration to work: the Collector Agent can be installed on a dedicated machine for monitoring AD login events. 

 

[Figure: topology.png]

 

‘LVSLAB’ is the AD domain, ‘Yoshimitsu’ is the AD user connecting to the VPN, and ‘fsso-admin’ is the account used to authenticate to AD for verifying user credentials as well as in the Collector Agent configuration. The ‘IPsec-dialup’ group is also present in AD to authenticate users to the VPN, and the ‘FSSO-Users’ group exists in AD for controlling access for users once authenticated.

 

Configure the Fortinet Single Sign-On Collector Agent:

  1. Configure a password for the connection between the FortiGate and the FSSO collector agent:

 

[Figure: collector agent password.png]

  2. Enable the syslog listener feature by navigating to Advanced Features -> Syslog Source List:

 

[Figure: syslog listener.png]

  3. Configure the LDAP server using the 'Manage LDAP Server' button visible on the 'Syslog Source List' page:

[Figure: ldap server config.png]

 

The LDAP server configuration is required so that the FSSO collector agent can resolve the username received from the FortiGate into the user's LDAP user/group information.

 

  4. Configure syslog rules:

[Figure: syslog rules.png]

 

These define what fields in the log contain information needed for FSSO (username, VPN client IP address). The settings in these fields do not need to be changed for a specific deployment.

 

  5. Configure the mapping between the syslog rule and the LDAP server:

[Figure: syslog mapping.png]

 

The syslog source IP address is the IP address the FortiGate sends syslog from. The collector creates an FSSO logon for whatever user/IP pair arrives from this source, so the listener should only be reachable from the FortiGate; if the FortiGate has several addresses, pin the one it uses with 'set source-ip' under 'config log syslogd setting'.

 

Configure the FortiGate:

 

  1. Configure the LDAP server:

 

config user ldap
    edit "DC"
        set server "172.17.98.98"
        set cnid "sAMAccountName"
        set dn "dc=lvslab,dc=com"
        set type regular
        set username <user>
        set password <user-password>
    next
end

  2. Configure the FSSO Collector Agent connector:

 

config user fsso
    edit "FSSO-IPsec"
        set server "172.17.98.98"
        set password <password>
        set ldap-server "DC"
    next
end

  3. Create the user group used for authenticating users to the IPsec VPN:

 

config user group
    edit "ipsec-auth"
        set member "DC"
        config match
            edit 1
                set server-name "DC"
                set group-name "CN=ipsec-dialup,OU=FortiGate Users,DC=lvslab,DC=com"
            next
        end
    next
end

 

  4. Configure the FSSO group used to allow access once authenticated:

config user group
    edit "FSSO-group"
        set group-type fsso-service
        set member "CN=FSSO-Users,OU=FortiGate Users,DC=lvslab,DC=com"
    next
end

  5. Configure the IPsec phase1 and phase2 settings.

    The IPsec configuration uses mode-config to distribute IP addresses to dial-up VPN clients. XAUTH is required for LDAP authentication with IKEv1. For the FSSO configuration, only the 'authusrgrp' setting is relevant: it must reference the LDAP group used for authenticating to the VPN. While it is possible to use the 'Inherit group from policy' option for authenticating users to the VPN, it is suggested to have a single group for IPsec authentication and then use FSSO groups in the firewall policies that control access. Two caveats on the example below: the SHA-1 entries in the phase1 proposal list are only needed for older clients and can be dropped if every client supports SHA-256, and aggressive mode with a pre-shared key exposes a hash of the PSK to anyone who can initiate IKE, so use a long random PSK (or certificate authentication where the clients support it).

config vpn ipsec phase1-interface
    edit "FSSO-dialup"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 1.1.1.1
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 20
        set xauthtype auto
        set authusrgrp "ipsec-auth"
        set ipv4-start-ip 192.168.70.1
        set ipv4-end-ip 192.168.70.10
        set ipv4-netmask 255.255.255.0
        set psksecret <psksecret>
        set dpd-retryinterval 60
    next
end

 

config vpn ipsec phase2-interface
    edit "dialup"
        set phase1name "FSSO-dialup"
        set proposal aes256-sha256 aes256gcm
        set dhgrp 19
    next
end

Note that 'phase1name' must reference the phase1-interface created above ("FSSO-dialup", which is also the interface name used in the firewall policy); the CLI rejects a phase2 whose phase1name does not match an existing phase1-interface.

 

 

  6. Create a firewall policy to allow internet access from the IPsec tunnel, and include the FSSO group for authorization:

config firewall policy
    edit 9
        set name "FSSO-IPsec-Internet-Access"
        set srcintf "FSSO-dialup"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "FSSO-group"
    next
end

 

  7. Configure syslog logging:

    Only the syslog messages carrying the FSSO user/IP address information need to be sent to the FSSO collector agent. The free-style filter below restricts the feed to the three event log IDs that matter, which also keeps other log content off the collector.

 

config log syslogd setting
    set status enable
    set server "172.17.98.98"
end

config log syslogd filter
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set ztna-traffic disable
    set anomaly disable
    set voip disable
    config free-style
        edit 1
            set category event
            set filter "((logid 0101037133) or (logid 0101037134) or (logid 0101037141))"
        next
    end
end

 

The required IPsec log IDs are as follows (the same three IDs matched by the free-style filter above):

Log ID        Log description        FSSO utility
0101037133    MESGID_CONN_UPDOWN     Used for identifying logon events (tunnel up/down).
0101037134    MESGID_DELETE_P1_SA    Used for identifying logoff events.
0101037141    MESGID_CONN_STATS      Used for checking that tunnels are still connected.
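As an added illustration (not part of the original article and not Fortinet's collector agent code), the following Python script mimics what the syslog rules and the source mapping do with the three log IDs above: it parses FortiOS key=value log lines, accepts logon events only from the configured syslog source address, requires the assigned address to fall inside the mode-config pool from the phase1 configuration, and turns MESGID_DELETE_P1_SA into a logoff and MESGID_CONN_STATS into a keepalive. The sample log lines are constructed, the FortiGate address 172.17.98.1 is assumed (the article only shows the collector's address), and the field names xauthuser and assignip are assumed to be the fields the syslog rules extract; check them against a real log line from your own unit.

```python
"""Toy reimplementation of the collector agent's syslog rule processing (added example)."""
import ipaddress
import re

# Log IDs the article forwards to the collector agent.
LOGID_CONN_UPDOWN = "0101037133"   # MESGID_CONN_UPDOWN: tunnel-up / tunnel-down
LOGID_DELETE_P1_SA = "0101037134"  # MESGID_DELETE_P1_SA: phase 1 SA deleted
LOGID_CONN_STATS = "0101037141"    # MESGID_CONN_STATS: periodic tunnel statistics

# FortiOS logs are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Parse one FortiOS syslog line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


class FssoSessionTable:
    """Tracks VPN client IP -> username, as the collector's syslog source list does."""

    def __init__(self, trusted_source, pool_start, pool_end):
        self.trusted_source = trusted_source          # the configured syslog source IP
        self.pool = (int(ipaddress.ip_address(pool_start)),
                     int(ipaddress.ip_address(pool_end)))
        self.sessions = {}                            # client IP -> username

    def in_pool(self, ip):
        """True only for addresses inside the mode-config range (ipv4-start-ip..ipv4-end-ip)."""
        try:
            n = int(ipaddress.ip_address(ip))
        except ValueError:                            # missing or malformed address
            return False
        return self.pool[0] <= n <= self.pool[1]

    def handle(self, source_ip, line):
        """Return (event, user, ip); event is logon, logoff, keepalive or ignored."""
        # Only the configured FortiGate may create or remove logon entries.
        if source_ip != self.trusted_source:
            return ("ignored", None, None)
        f = parse_fortios_log(line)
        logid, action = f.get("logid"), f.get("action")
        user, ip = f.get("xauthuser"), f.get("assignip")   # field names assumed

        if logid == LOGID_CONN_UPDOWN and action == "tunnel-up":
            # Logon: require a user and an address taken from the dial-up pool.
            if not user or not self.in_pool(ip):
                return ("ignored", user, ip)
            self.sessions[ip] = user
            return ("logon", user, ip)

        if logid == LOGID_DELETE_P1_SA or (logid == LOGID_CONN_UPDOWN and action == "tunnel-down"):
            # Logoff: drop by address when known, otherwise every session of that user.
            victims = [ip] if ip in self.sessions else [k for k, v in self.sessions.items() if v == user]
            for k in victims:
                del self.sessions[k]
            return ("logoff", user, ip) if victims else ("ignored", user, ip)

        if logid == LOGID_CONN_STATS and ip in self.sessions:
            return ("keepalive", self.sessions[ip], ip)   # tunnel confirmed still up

        return ("ignored", user, ip)


FORTIGATE_SYSLOG_SOURCE = "172.17.98.1"   # assumed FortiGate address (not given on the page)

# Constructed sample lines (not captured from a real device); they follow the FortiOS
# key=value layout, but the exact set of fields differs between releases.
SAMPLE_LOGS = [
    (FORTIGATE_SYSLOG_SOURCE,
     'logid="0101037133" type="event" subtype="vpn" level="notice" vd="root" '
     'logdesc="IPsec connection status changed" action="tunnel-up" remip=203.0.113.10 '
     'xauthuser="Yoshimitsu" xauthgroup="ipsec-auth" assignip=192.168.70.1 vpntunnel="FSSO-dialup"'),
    (FORTIGATE_SYSLOG_SOURCE,
     'logid="0101037141" type="event" subtype="vpn" logdesc="IPsec tunnel statistics" '
     'action="tunnel-stats" xauthuser="Yoshimitsu" assignip=192.168.70.1 vpntunnel="FSSO-dialup"'),
    # Spoofed logon from a host that is not the configured syslog source: must be ignored.
    ("203.0.113.99",
     'logid="0101037133" type="event" subtype="vpn" action="tunnel-up" '
     'xauthuser="Administrator" assignip=192.168.70.2 vpntunnel="FSSO-dialup"'),
    # Tunnel-up whose address is outside the mode-config pool: not a dial-up client, ignored.
    (FORTIGATE_SYSLOG_SOURCE,
     'logid="0101037133" type="event" subtype="vpn" action="tunnel-up" '
     'xauthuser="Yoshimitsu" assignip=10.99.0.5 vpntunnel="site-to-site"'),
    (FORTIGATE_SYSLOG_SOURCE,
     'logid="0101037134" type="event" subtype="vpn" logdesc="IPsec phase 1 SA deleted" '
     'xauthuser="Yoshimitsu" assignip=192.168.70.1 vpntunnel="FSSO-dialup"'),
]


def run_samples():
    """Feed the constructed lines through the table; returns (event list, final sessions)."""
    table = FssoSessionTable(FORTIGATE_SYSLOG_SOURCE, "192.168.70.1", "192.168.70.10")
    events = [table.handle(src, line)[0] for src, line in SAMPLE_LOGS]
    return events, dict(table.sessions)


if __name__ == "__main__":
    print(run_samples())   # (['logon', 'keepalive', 'ignored', 'ignored', 'logoff'], {})
```

The pool check is the same test the Verification section applies by hand: an address outside 192.168.70.1-192.168.70.10 is not one of this tunnel's clients. The source check is why the syslog source IP in the collector's mapping matters: without it, any host that can reach the listener could inject a logon for an arbitrary user and IP.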

 

Verification

To verify whether a user's IPsec client IP address is present in the FortiGate's authenticated user list, use the 'diagnose firewall auth list' command:

 

[Figure: yoshi.png]

 

The IP address 192.168.70.1 is part of the configured VPN client range 192.168.70.1-192.168.70.10, confirming that this entry belongs to a VPN connection.

 

Note: 

The FSSO collector agent must be build 0291 or later and must be running in advanced mode.

Related document: