Created on 06-30-2024 07:05 AM Edited on 11-11-2024 09:55 PM By Anthony_E
Description
This article describes how to implement Fortinet Single Sign-On (FSSO) for IPsec IKEv1 VPN dial-up clients using Syslog.
Scope
FortiOS 7.0 and newer releases.
Solution
FSSO groups can be used to control access to resources depending on whether a user is logged in and on their AD/LDAP group membership. For this to work with an IPsec dial-up VPN client, the FSSO collector agent must be notified of the user’s LDAP user/group information as well as the VPN user’s assigned IP address.
This can be accomplished by using Syslog to deliver this information from the FortiGate to the collector agent. A remote LDAP user group still needs to be configured for XAUTH authentication to the IPsec tunnel, but once the users have been authenticated to the VPN, FSSO groups can be used to control their access.
The authentication flow is as follows:
In this topology, the collector agent is installed directly on the domain controller. This is NOT required for this configuration to work: the Collector Agent can be installed on a dedicated machine for monitoring AD login events.
‘LVSLAB’ is the AD domain, ‘Yoshimitsu’ is the AD user connecting to the VPN, and ‘fsso-admin’ is the account used to authenticate to AD for verifying user credentials as well as in the Collector Agent configuration. The ‘IPsec-dialup’ group is also present in AD to authenticate users to the VPN, and the ‘FSSO-Users’ group exists in AD to control access for users once authenticated.
Configure the Fortinet Single Sign-On Collector Agent:
The LDAP server configuration is required for the FSSO collector agent to retrieve LDAP user/group information based on the username that the FortiGate sends in the log.
The Syslog parsing fields define which fields in the log contain the information needed for FSSO (username and VPN client IP address). The settings in these fields do not need to be changed for a specific deployment.
Note: In 'client IPv4 Field', make sure there is a space after assignip={{:assignip}}. Otherwise, the collector agent will be unable to parse the IP address.
The Syslog source IP address is the IP address of the FortiGate that sends the logs.
Configure the FortiGate:
config user ldap
    edit "DC"
        set server "172.17.98.98"
        set cnid "sAMAccountName"
        set dn "dc=lvslab,dc=com"
        set type regular
        set username <user>
        set password <user-password>
    next
end

config user fsso
    edit "FSSO-IPsec"
        set server "172.17.98.98"
        set password <password>
        set ldap-server "DC"
    next
end

config user group
    edit "ipsec-auth"
        set member "DC"
        config match
            edit 1
                set server-name "DC"
                set group-name "CN=ipsec-dialup,OU=FortiGate Users,DC=lvslab,DC=com"
            next
        end
    next
end

config user group
    edit "FSSO-group"
        set group-type fsso-service
        set member "CN=FSSO-Users,OU=FortiGate Users,DC=lvslab,DC=com"
    next
end

config vpn ipsec phase1-interface
    edit "FSSO-dialup"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 1.1.1.1
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 20
        set xauthtype auto
        set authusrgrp "ipsec-auth"
        set ipv4-start-ip 192.168.70.1
        set ipv4-end-ip 192.168.70.10
        set ipv4-netmask 255.255.255.0
        set psksecret <psksecret>
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "dialup"
        set phase1name "FSSO-dialup"
        set proposal aes256-sha256 aes256gcm
        set dhgrp 19
    next
end
config firewall policy
    edit 9
        set name "FSSO-IPsec-Internet-Access"
        set srcintf "FSSO-dialup"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "FSSO-group"
    next
end

config log syslogd setting
    set status enable
    set server "172.17.98.98"
end

config log syslogd filter
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set ztna-traffic disable
    set anomaly disable
    set voip disable
    config free-style
        edit 1
            set category event
            set filter "((logid 0101037138) or (logid 0101037134) or (logid 0101037141))"
        next
    end
end
The required IPsec log IDs are the three selected in the free-style filter: 0101037138, 0101037134 and 0101037141.
In the resulting log, the assigned IP address 192.168.70.1 falls within the configured VPN client IP range of 192.168.70.1-192.168.70.10, confirming that the logon came from a VPN connection.
Note: The FSSO collector agent must be build 0291 or later and must be running in advanced mode.
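The two checks above (parsing the username and assignip fields out of the forwarded event log, and confirming the address belongs to the dial-up pool) are easy to reproduce outside the collector agent, which is useful when troubleshooting why a VPN user does not appear as an FSSO logon. The following is an added example written for this article, not code from Fortinet or the Collector Agent: it turns field templates in the same {{:name}} notation as the agent's Syslog settings into regular expressions, applies them to constructed FortiOS-style event lines, keeps only the three log IDs from the filter above, and drops addresses outside 192.168.70.1-192.168.70.10. The username field name (xauthuser) and the exact layout of the sample lines are assumptions; the log IDs, the assignip field and the address range come from the article. It also shows what happens when the trailing space after {{:assignip}} is left out.

```python
import ipaddress
import re

# Field templates in the '{{:name}}' notation used by the Collector Agent's
# Syslog settings. 'xauthuser' as the username field is an assumption for this
# example; 'assignip' is the field the article refers to. The trailing space
# after {{:assignip}} is deliberate: it tells the parser where the value ends.
USER_TEMPLATE = 'xauthuser="{{:xauthuser}}"'
IP_TEMPLATE = 'assignip={{:assignip}} '

# Values taken from the article's FortiGate configuration.
VPN_CLIENT_RANGE = ('192.168.70.1', '192.168.70.10')
WANTED_LOGIDS = {'0101037138', '0101037134', '0101037141'}

# Constructed sample events in FortiOS key=value syslog style. Only the fields
# used below are meaningful; the rest is illustrative filler.
SAMPLE_LOGS = [
    'date=2024-06-30 time=07:05:12 logid="0101037138" type="event" subtype="vpn" '
    'vd="root" action="tunnel-up" remip=203.0.113.10 xauthuser="Yoshimitsu" '
    'xauthgroup="ipsec-auth" assignip=192.168.70.1 vpntunnel="FSSO-dialup_0" status="up"',
    # Same log ID, but the client address is outside the dial-up pool, so it
    # must not produce an FSSO logon record.
    'date=2024-06-30 time=07:06:40 logid="0101037138" type="event" subtype="vpn" '
    'vd="root" action="tunnel-up" remip=203.0.113.11 xauthuser="Kazuya" '
    'xauthgroup="ipsec-auth" assignip=10.99.0.5 vpntunnel="other_0" status="up"',
    # An event the syslogd free-style filter would not forward at all.
    'date=2024-06-30 time=07:07:01 logid="0100032001" type="event" subtype="system" '
    'vd="root" action="login" user="admin" status="success"',
]


def template_to_regex(template):
    """Compile a '{{:name}}' template into a regex.

    Text outside the placeholder is matched literally; the placeholder becomes a
    non-greedy named group, so the literal that follows it (a closing quote or a
    space) decides where the captured value stops.
    """
    pattern, pos = '', 0
    for m in re.finditer(r'\{\{:(\w+)\}\}', template):
        pattern += re.escape(template[pos:m.start()])
        pattern += '(?P<%s>.*?)' % m.group(1)
        pos = m.end()
    pattern += re.escape(template[pos:])
    return re.compile(pattern)


def extract(template, line):
    """Return the value the template captures from the line, or None."""
    m = template_to_regex(template).search(line)
    if not m:
        return None
    value = next(iter(m.groupdict().values()))
    # With no trailing literal after the placeholder the non-greedy group
    # matches the empty string, which is the 'unable to parse' case.
    return value or None


def parse_vpn_logon(line, user_template=USER_TEMPLATE, ip_template=IP_TEMPLATE):
    """Extract (username, client IP) from one event line; None when missing."""
    user = extract(user_template, line)
    raw_ip = extract(ip_template, line)
    try:
        ip = str(ipaddress.ip_address(raw_ip)) if raw_ip else None
    except ValueError:
        ip = None
    return user, ip


def in_vpn_range(ip, ip_range=VPN_CLIENT_RANGE):
    """True when ip lies inside the configured mode-cfg client pool."""
    start, end = (ipaddress.ip_address(a) for a in ip_range)
    return start <= ipaddress.ip_address(ip) <= end


def logon_records(lines):
    """Build (user, ip) logon records from the event lines FSSO would act on."""
    records = []
    for line in lines:
        m = re.search(r'\blogid="?(\d+)"?', line)
        if not m or m.group(1) not in WANTED_LOGIDS:
            continue
        user, ip = parse_vpn_logon(line)
        if user is None or ip is None or not in_vpn_range(ip):
            continue
        records.append((user, ip))
    return records


if __name__ == '__main__':
    for user, ip in logon_records(SAMPLE_LOGS):
        print('FSSO logon: user=%s ip=%s' % (user, ip))
    # Demonstrates the note about the trailing space in the client IPv4 field.
    print(parse_vpn_logon(SAMPLE_LOGS[0], ip_template='assignip={{:assignip}}'))
```

Running the script lists the one logon record (Yoshimitsu at 192.168.70.1) and then shows that the same line parsed with a template lacking the trailing space yields no IP address at all, which is the symptom described in the note above.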
Copyright 2025 Fortinet, Inc. All Rights Reserved.