VPN authentication
All VPN configurations require users to authenticate. Authentication based on user groups applies to: l SSL VPNs l PPTP and L2TP VPNs
l an IPsec VPN that authenticates users using dialup groups l a dialup IPsec VPN that uses XAUTH authentication (Phase 1)
You must create user accounts and user groups before performing the procedures in this section. If you create a user group for dialup IPsec clients or peers that have unique peer IDs, their user accounts must be stored locally on the FortiGate unit. You cannot authenticate these types of users using a RADIUS or LDAP server.
Configuring authentication of SSL VPN users
The general procedure for authenticating SSL VPN users is:
- Configure user accounts.
- Create one or more user groups for SSL VPN users.
- Enable SSL VPN.
- Optionally, set inactivity and authentication timeouts.
- Configure a security policy with the user groups you created for SSL VPN users.
See FortiOS Handbook SSL VPN guide.
Configuring authentication timeout
By default, the SSL VPN authentication expires after 8 hours (28 800 seconds). You can change it only in the CLI, and the time entered must be in seconds. The maximum time is 72 hours (259 200 seconds). For example, to change this timeout to one hour, you would enter:
config vpn ssl settings set auth-timeout 3600
end
If you set the authentication timeout (auth-timeout) to 0 when you configure the timeout settings, the remote client does not have to re-authenticate unless they log out of the system. To fully take advantage of this setting, VPN authentication
the value for idle-timeout has to be set to 0 also, so that the client does not time out if the maximum idle time is reached. If the idle-timeout is not set to the infinite value, the system will log out if it reaches the limit set, regardless of the auth-timeout setting.
Configuring authentication of remote IPsec VPN users
An IPsec VPN on a FortiGate unit can authenticate remote users through a dialup group. The user account name is the peer ID and the password is the pre-shared key.
Authentication through user groups is supported for groups containing only local users. To authenticate users using a RADIUS or LDAP server, you must configure XAUTH settings. See Configuring XAuth authentication.
To configure user group authentication for dialup IPsec – web-based manager:
- Configure the dialup users who are permitted to use this VPN. Create a user group with Type set to Firewall and add them to it.
For more information, see Users and user groups on page 49
- Go to VPN > IPsec Wizard, select Remote Access, choose a name for the VPN, and enter the following information.
Incoming Interface | Select the incoming interface name. |
Authentication Method | List of authentication methods available for users. Select Pre-shared Key and enter the pre-shared key. |
User Group | Select the user group that is to be allowed access to the VPN. The listed user groups contain only users with passwords on the FortiGate unit. |
- Select Next and continue configure other VPN parameters as needed.
- Select OK.
To configure user group authentication for dialup IPsec – CLI example:
The peertype and usrgrp options configure user group-based authentication.
config vpn ipsec phase1 edit office_vpn set interface port1 set type dynamic set psksecret yORRAzltNGhzgtV32jend set proposal 3des-sha1 aes128-sha1 set peertype dialup set usrgrp Group1
end
Configuring XAuth authentication
Extended Authentication (XAuth) increases security by requiring additional user authentication information in a separate exchange at the end of the VPN Phase 1 negotiation. The FortiGate unit asks the user for a username and password. It then forwards the user’s credentials (the password is encrypted) to an external RADIUS or LDAP server for verification.
XAuth can be used in addition to or in place of IPsec phase 1 peer options to provide access security through an LDAP or RADIUS authentication server. You must configure a dialup user group whose members are all externally authenticated.
To configure authentication for a dialup IPsec VPN – web-based manager:
- Configure the users who are permitted to use this VPN. Create a user group and add the users to the group. For more information, see “Users and user groups” on page 49.
- Go to VPN > IPsec Wizard, select Remote Access, choose a name for the VPN, and enter the following information.
Incoming Interface | Select the incoming interface name. |
Authentication Method | List of authentication methods available for users. Select Pre-shared Key and enter the pre-shared key. |
User Group | Select the user group that is to be allowed access to the VPN. The listed user groups contain only users with passwords on the FortiGate unit. |
- Select Next and continue configure other VPN parameters as needed.
- Select OK.
- Go to VPN > IPsec Tunnels, edit the Tunnel just created, select Convert To Custom Tunnel, and edit XAUTH as following:
Type | Select PAP, CHAP, or AUTO. Use CHAP whenever possible. Use PAP with all implementations of LDAP and with other authentication servers that do not support CHAP, including some implementations of Microsoft RADIUS. Use AUTO with the Fortinet Remote VPN Client and where the authentication server supports CHAP but the XAuth client does not. |
User Group | Select the user group that is to have access to the VPN. The list of user groups does not include any group that has members whose password is stored on the FortiGate unit. |
- Select OK.
For more information about XAUTH configuration, see the IPsec VPN chapter of the FortiOS Handbook.
To configure authentication for a dialup IPsec VPN – CLI example:
The xauthtype and authusrgrp fields configure XAuth authentication.
config vpn ipsec phase1 edit office_vpn set interface port1 set type dynamic set psksecret yORRAzltNGhzgtV32jend set proposal 3des-sha1 aes128-sha1 set peertype dialup set xauthtype pap set usrgrp Group1 end
VPN authentication
Some parameters specific to setting up the VPN itself are not shown here. For detailed information about configuring IPsec VPNs, see the FortiOS Handbook IPsec VPN guide.
Configuring authentication of PPTP VPN users and user groups
Configuration of a PPTP VPN is possible only through the CLI. You can configure user groups and security policies using either CLI or web-based manager.
LDAP user authentication is supported for PPTP, L2TP, IPsec VPN, and firewall authentication.
However, with PPTP, L2TP, and IPsec VPN, PAP (Packet Authentication Protocol) is supported, while CHAP (Challenge Handshake Authentication Protocol) is not.
To configure authentication for a PPTP VPN
- Configure the users who are permitted to use this VPN. Create a security user group and add them to it. For more information, see Users and user groups on page 49.
- Configure the PPTP VPN in the CLI as in this example.
config vpn pptp set status enable set sip 192.168.0.100 set eip 192.168.0.110 set usrgrp PPTP_Group
end
The sip and eip fields define a range of virtual IP addresses assigned to PPTP clients.
Configure a security policy. The source interface is the one through which the clients will connect. The source address is the PPTP virtual IP address range. The destination interface and address depend on the network to which the clients will connect. The policy action is ACCEPT.
Configuring authentication of L2TP VPN users/user groups
Configuration of a L2TP VPN is possible only through the CLI. You can configure user groups and security policies using either CLI or web-based manager.
LDAP user authentication is supported for PPTP, L2TP, IPsec VPN, and firewall authentication.
However, with PPTP, L2TP, and IPsec VPN, PAP (Packet Authentication Protocol) is supported, while CHAP (Challenge Handshake Authentication Protocol) is not.
To configure authentication for a L2TP VPN
- Configure the users who are permitted to use this VPN. Create a user group and add them to it. For more information, see Users and user groups on page 49.
- Configure the L2TP VPN in the CLI as in this example.
config vpn l2tp set status enable set sip 192.168.0.100 set eip 192.168.0.110 set usrgrp L2TP_Group end
The sip and eip fields define a range of virtual IP addresses assigned to L2TP clients.
- Configure a security policy. The source interface is the one through which the clients will connect. The source address is the L2TP virtual IP address range. The destination interface and address depend on the network to which the clients will connect. The policy action is ACCEPT.
Hi Mike,
Thank you for your informative videos. I wanted to ask you about two-factor authentication for Fortinet SSL-VPN.
What is the best way to implement this in an organization?
Thank you for your time.