Configuring authenticated access

Restricting number of concurrent user logons

Some users on your network may often have multiple account sessions open at one time, either to the same network resource or to the admin interface on the FortiGate unit.

While there are valid reasons for having multiple concurrent sessions open, hackers also do this to speed up their malicious work. Often a hacker is making multiple attempts to gain access to the internal network or the admin interface of the FortiGate unit, usually from different IP addresses so that they appear to the FortiGate unit to be legitimate users. For this reason, the more concurrent sessions a hacker has open at once, the faster they will achieve their goal.

To help prevent this, you can disallow concurrent administrative access using the same administrator user name, but from a different IP address. This allows valid users to continue their legitimate work while limiting hackers’ activity.

To disable concurrent administrator sessions – CLI:

config system global
    set admin-concurrent disable
end

VPN authentication

All VPN configurations require users to authenticate. Authentication based on user groups applies to:

  • SSL VPNs
  • PPTP and L2TP VPNs
  • an IPsec VPN that authenticates users using dialup groups
  • a dialup IPsec VPN that uses XAUTH authentication (Phase 1)

You must create user accounts and user groups before performing the procedures in this section. If you create a user group for dialup IPsec clients or peers that have unique peer IDs, their user accounts must be stored locally on the FortiGate unit. You cannot authenticate these types of users using a RADIUS or LDAP server.

Configuring authentication of SSL VPN users

The general procedure for authenticating SSL VPN users is:

1. Configure user accounts.

2. Create one or more user groups for SSL VPN users.

3. Enable SSL VPN.

4. Optionally, set inactivity and authentication timeouts.

5. Configure a security policy with the user groups you created for SSL VPN users.

See the FortiOS Handbook SSL VPN guide.

Configuring authentication timeout

By default, the SSL VPN authentication expires after 8 hours (28 800 seconds). You can change it only in the CLI, and the time entered must be in seconds. The maximum time is 72 hours (259 200 seconds). For example, to change this timeout to one hour, you would enter:

config vpn ssl settings
    set auth-timeout 3600
end

If you set the authentication timeout (auth-timeout) to 0, the remote client does not have to re-authenticate unless they log out of the system. To take full advantage of this setting, idle-timeout must also be set to 0, so that the client is not logged out when the maximum idle time is reached. If idle-timeout is not set to the infinite value, the system logs the client out when that limit is reached, regardless of the auth-timeout setting.

Configuring authentication of remote IPsec VPN users

An IPsec VPN on a FortiGate unit can authenticate remote users through a dialup group. The user account name is the peer ID and the password is the pre-shared key.

Authentication through user groups is supported for groups containing only local users. To authenticate users using a RADIUS or LDAP server, you must configure XAUTH settings. See Configuring XAuth authentication.

To configure user group authentication for dialup IPsec – web-based manager:

1. Configure the dialup users who are permitted to use this VPN. Create a user group with Type: Firewall and add them to it.

For more information, see “Users and user groups” on page 474.

2. Go to VPN > IPsec > Wizard, select Dialup, choose a name for the VPN, and enter the following information.

Incoming Interface – Select the incoming interface name.

Authentication Method – List of authentication methods available for users. Select Preshared Key and enter the preshared key.

User Group – Select the user group that is to be allowed access to the VPN. The listed user groups contain only users with passwords on the FortiGate unit.

3. Select Next and continue to configure other VPN parameters as needed.

4. Select OK.

To configure user group authentication for dialup IPsec – CLI example:

The peertype and usrgrp options configure user group-based authentication.

config vpn ipsec phase1
    edit office_vpn
        set interface port1
        set type dynamic
        set psksecret yORRAzltNGhzgtV32jend
        set proposal 3des-sha1 aes128-sha1
        set peertype dialup
        set usrgrp Group1
end
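As an added example (not Fortinet code and not from this handbook), the following Python audits a FortiOS-style configuration dump for the three settings this page discusses: admin-concurrent, the auth-timeout/idle-timeout pair, and peertype dialup with usrgrp. It assumes the config/edit/set/next/end layout shown above, treats an absent admin-concurrent as enabled, and uses a constructed sample dump.

```python
"""Audit a FortiOS-style config dump for the settings discussed above (added example, not Fortinet code)."""
import shlex

def parse_fortios(text):
    """Map each block path, e.g. ('vpn ipsec phase1', 'office_vpn'), to its set values."""
    blocks, stack, cur = {}, [], None          # stack holds (keyword, name) pairs
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] in ("config", "edit"):         # open a (possibly nested) block
            stack.append((tok[0], " ".join(tok[1:])))
            cur = blocks.setdefault(tuple(n for _, n in stack), {})
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]                 # multi-value settings stay a list
        elif tok[0] in ("next", "end"):           # next closes an edit; end also closes the config
            while stack.pop()[0] == "edit" and tok[0] == "end":
                pass
            cur = blocks.get(tuple(n for _, n in stack))
    return blocks

def audit(text):
    """Return findings; an empty list means the dump follows the guidance above."""
    blocks, findings = parse_fortios(text), []
    # Assumption: admin-concurrent defaults to enable when absent from the dump.
    if blocks.get(("system global",), {}).get("admin-concurrent", ["enable"]) != ["disable"]:
        findings.append("admin-concurrent: one admin name may be logged in from several IPs at once")
    ssl = blocks.get(("vpn ssl settings",), {})
    auth = int(ssl.get("auth-timeout", ["28800"])[0])   # 8 h default stated above
    if auth > 259200:                                   # 72 h maximum stated above
        findings.append(f"auth-timeout {auth} exceeds the 72 h maximum")
    if auth == 0 and ssl.get("idle-timeout") == ["0"]:
        findings.append("auth-timeout 0 and idle-timeout 0: SSL VPN sessions end only on logout")
    for path, s in blocks.items():
        if path[0] == "vpn ipsec phase1" and len(path) == 2 and s.get("peertype") == ["dialup"] and "usrgrp" not in s:
            findings.append(f"phase1 {path[1]}: peertype dialup without usrgrp to limit who may connect")
    return findings

# Constructed sample dump combining the weak choices described above.
WEAK_CONFIG = """config system global
    set admin-concurrent enable
end
config vpn ssl settings
    set auth-timeout 0
    set idle-timeout 0
end
config vpn ipsec phase1
    edit office_vpn
        set peertype dialup
end"""
```

Calling `audit(WEAK_CONFIG)` returns three findings; an empty list from `audit()` on a dump of your own means these settings match the guidance above.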

Configuring XAuth authentication

Extended Authentication (XAuth) increases security by requiring additional user authentication information in a separate exchange at the end of the VPN Phase 1 negotiation. The FortiGate unit asks the user for a username and password. It then forwards the user’s credentials (the password is encrypted) to an external RADIUS or LDAP server for verification.

XAuth can be used in addition to or in place of IPsec phase 1 peer options to provide access security through an LDAP or RADIUS authentication server. You must configure a dialup user group whose members are all externally authenticated.

To configure authentication for a dialup IPsec VPN – web-based manager:

1. Configure the users who are permitted to use this VPN. Create a user group and add the users to the group.

For more information, see “Users and user groups” on page 474.

2. Go to VPN > IPsec > Wizard, select Dialup, choose a name for the VPN, and enter the following information.

Incoming Interface – Select the incoming interface name.

Authentication Method – List of authentication methods available for users. Select Preshared Key and enter the preshared key.

User Group – Select the user group that is to be allowed access to the VPN. The listed user groups contain only users with passwords on the FortiGate unit.

3. Select Next and continue to configure other VPN parameters as needed.

4. Select OK.

5. Go to VPN > IPsec > Tunnels, edit the tunnel just created, select Convert To Custom Tunnel, and edit XAUTH as follows:

Type – Select PAP, CHAP, or AUTO. Use CHAP whenever possible. Use PAP with all implementations of LDAP and with other authentication servers that do not support CHAP, including some implementations of Microsoft RADIUS. Use AUTO with the Fortinet Remote VPN Client and where the authentication server supports CHAP but the XAuth client does not.

User Group – Select the user group that is to have access to the VPN. The list of user groups does not include any group that has members whose password is stored on the FortiGate unit.

6. Select OK.

For more information about XAUTH configuration, see the IPsec VPN chapter of the FortiOS Handbook.
