Created on 01-02-2025 11:49 PM
Edited on 06-07-2025 02:02 PM
By Jean-Philippe_P
Description
This article explains how to prevent malicious SSL VPN login attempts from locking out user accounts in LDAP or RADIUS by using a realm so that only authentication requests made to that realm are forwarded to the remote authentication server.
Scope
FortiOS.
Solution
Malicious authentication attempts against an SSL VPN that uses an external authentication server (LDAP, RADIUS) can lock out legitimate users, because the lockout policy is enforced by the remote server (for example an Active Directory account lockout threshold) after a number of failed binds for a given username. Geoblocking and blocking known malicious sources with ISDB both reduce the attack surface, but neither can stop every attempt: any source that is not blocked still reaches the login page, and every login submitted against a remote group is forwarded to the authentication server.
SSL VPN realms prevent these attempts from being sent to the authentication server in the first place. A realm adds a path component to the URL the SSL VPN is hosted on (for example https://<gateway>:<port>/<realm>), and each realm has its own authentication rules. The default realm, the well-known base URL that password-spraying tools target, is left with an authentication rule that references only a local dummy group, so logins submitted there never trigger a remote LDAP or RADIUS request. The remote group (LDAP-Auth-Group or equivalent) is referenced only by the authentication rule for the named realm, which is the URL that legitimate users are given. This implementation requires changes to both the FortiGate and FortiClient configurations.
FortiGate Configuration:
Note: SSL VPN is not visible in the GUI by default on FortiOS v7.4.1 and newer. Refer here for instructions on how to enable SSL VPN: Update SSL VPN default behavior and visibility in the GUI v7.4.1.
Starting from FortiOS v7.6.3, the SSL VPN tunnel mode feature is no longer available in the GUI or CLI, and its settings are not upgraded from previous FortiOS versions. This applies to all FortiGate models.
Note: For firewall policies, no configuration references to the dummy-group are required for this solution. The LDAP-Auth-Group or equivalent can be used in policies as normal, without any consideration for the extra realm; the realm only affects which SSL VPN authentication rule a login is matched against.
Note: If multiple SSL VPN user groups reference the remote server, all of them must be moved under the authentication rule for the named realm. Any group that references the remote authentication server but is still matched by the default realm's authentication rule will continue to generate authentication requests to the server for logins submitted to the base URL.
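The following is an added example CLI configuration for the FortiGate side (it is not taken from the original article). It assumes an SSL VPN listening on port 10443, an existing LDAP server object named "LDAP-Server", an existing remote group "LDAP-Auth-Group" that references it, and a realm path "ldapusers"; the local user "dummy" and the group "dummy-group" are placeholders for a local-only group that never causes a remote lookup. The RADIUS case is identical apart from the group membership.

```text
# Local-only group used by the default realm. Its member is a local user,
# so an authentication attempt matched to this rule never leaves the FortiGate.
# (assumed names: "dummy" and "dummy-group")
config user local
    edit "dummy"
        set type password
        set passwd <long random value that is never used>
    next
end
config user group
    edit "dummy-group"
        set member "dummy"
    next
end

# Named realm; its URL path becomes https://<gateway>:10443/ldapusers
# (assumed path: "ldapusers")
config vpn ssl web realm
    edit "ldapusers"
        set url-path "ldapusers"
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set default-portal "web-access"
    config authentication-rule
        # Rule for the default realm (base URL): local dummy group only.
        # Logins submitted here are rejected locally; fnbamd is never asked
        # to bind to "LDAP-Server".
        edit 1
            set groups "dummy-group"
            set portal "web-access"
        next
        # Rule for the named realm: this is the only rule that references
        # the remote group, so only https://<gateway>:10443/ldapusers logins
        # are forwarded to LDAP. Add every other remote group here as well.
        edit 2
            set groups "LDAP-Auth-Group"
            set portal "full-access"
            set realm "ldapusers"
        next
    end
end
```

The order of the two rules does not matter for this purpose, because the realm acts as a match condition: a login submitted to the base URL can only match rules with no realm set. Keep in mind that the realm path is an obscurity measure, not a control on its own; an attacker who learns the path can still send attempts to the LDAP server, so the remote server's lockout policy, source blocking and two-factor authentication remain necessary.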
FortiClient Configuration: For FortiClient to authenticate to the correct SSL VPN realm, the remote gateway must be updated to include the realm path, for example <gateway>:<port>/<realm>.
Incorrect configuration (remote gateway without the realm path, port set with 'Customize Port'):
Correct configuration (remote gateway with both the port and the realm path in the URL):
Note: For FortiClient to apply the remote port correctly, the port must be specified inside the 'Remote Gateway' URL (for example vpn.example.com:10443/ldapusers); the 'Customize Port' option does not save properly for an SSL VPN realm.
Verification: To verify that authentication requests are not being generated to the authentication server, use the sslvpnd and fnbamd debugs. The test user for the connections is 'yoshimitsu'.
Debugs from a connection attempt to the default realm show the login being handled locally and contain no output related to the LDAP server receiving an authentication attempt:
A connection attempt to the named realm shows the FortiGate identifying that LDAP authentication should be used for the connection, followed by the fnbamd request to the LDAP server:
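The following CLI sequence is an added example (not from the original article) of how to capture these debugs on the FortiGate; it assumes the same test user 'yoshimitsu' and the LDAP server object name "LDAP-Server" from the configuration above.

```text
# Enable timestamps and the two relevant daemon debugs, then trigger the logins.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

# 1) Log in with 'yoshimitsu' against the base URL (default realm).
#    Expected: sslvpn output only; no fnbamd lines mentioning "LDAP-Server"
#    or an LDAP bind, because the rule matched references only dummy-group.
# 2) Log in with 'yoshimitsu' against https://<gateway>:10443/ldapusers.
#    Expected: sslvpn identifies the realm, then fnbamd logs the LDAP
#    request to "LDAP-Server" for user yoshimitsu.

# Stop the debugs when done.
diagnose debug disable
diagnose debug reset

# Optional: confirm the LDAP server itself is reachable and credentials work,
# independently of SSL VPN (this does send a bind to the server).
diagnose test authserver ldap LDAP-Server yoshimitsu <password>
```

If fnbamd output referencing the server appears during step 1, a group that references the remote server is still matched by the default realm's authentication rule and must be moved under the named realm's rule.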
Related documents:
Copyright 2025 Fortinet, Inc. All Rights Reserved.