SSL VPN with local user password policy
This topic provides a sample configuration of SSL VPN for users with passwords that expire after two days. Users are warned after one day about the password expiring. The password policy can be applied to any local user password. The password policy cannot be applied to a user group or a local remote user such as LDAP/RADIUS/TACACS+.
In FortiOS 6.2, users are warned after one day about the password expiring and have one day to renew it. When the expiration time is reached, the user cannot renew the password and must contact the administrator for assistance.
In FortiOS 6.0/5.6, users are warned after one day about the password expiring and have to renew it. When the expiration time is reached, the user can still renew the password.
Sample network topology
Sample configuration
WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.
To configure SSL VPN using the GUI:
- Configure the interface and firewall address. Port1 interface connects to the internal network.
- Go to Network > Interface and edit the wan1
- Set IP/Network Mask to 20.120.123/255.255.255.0.
- Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
- Click OK.
- Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
- Configure user and user group.
- Go to User& Device > UserDefinition to create a local user.
- Enter the user’s Email Address.
- If you want, enable Two-factorAuthentication,
- Click Next and click Submit.
- Go to User& Device > UserGroups to create a user group and add that local user to it.
- Configure and assign the password policy using the CLI.
- Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.
config user password-policy
edit “pwpolicy1” set expire-days 2 set warn-days 1
next end
- Assign the password policy to the user you just created.
config user local
edit “sslvpnuser1”
set type password set passwd-policy “pwpolicy1”
next
end
- Configure SSL VPN web portal.
- Go to VPN > SSL-VPN Portals to edit the full-access
This portal supports both web and tunnel mode.
- Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
- Configure SSL VPN settings.
- Go to VPN > SSL-VPN Settings.
- Choose proper Listen on Interface, in this example, wan1.
- Listen on Port 10443.
- Set ServerCertificate to the authentication certificate.
- Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
- Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
- Configure SSL VPN firewall policy.
- Go to Policy & Objects > IPv4 Policy.
- Fill in the firewall policy name. In this example: sslvpn certificate auth.
- Incoming interface must be SSL-VPN tunnel interface(ssl.root).
- Set the Source Address to all and Source User to sslvpngroup.
- Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
- Set Destination Address to the internal protected subnet 168.1.0.
- Set schedule to always, service to ALL, and Action to Accept.
- Enable NAT.
- Configure any remaining firewall and security options as desired.
- Click OK.
To configure SSL VPN using the CLI:
- Configure the interface and firewall address.
config system interface edit “wan1” set vdom “root”
set ip 172.20.120.123 255.255.255.0
next
end
Configure internal interface and protected subnet. Connect Port1 interface to internal network.
config system interface edit “port1” set vdom “root”
set ip 192.168.1.99 255.255.255.0
next
end
config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0
next
end
- Configure user and user group.
config user local edit “sslvpnuser1” set type password set passwd your-password
next
end config user group edit “sslvpngroup” set member”vpnuser1″
next
end
- Configure and assign the password policy.
- Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.
config user password-policy
edit “pwpolicy1” set expire-days 2 set warn-days 1
next
end
- Assign the password policy to the user you just created.
config user local
edit “sslvpnuser1”
set type password set passwd-policy “pwpolicy1”
next
end
- Configure SSL VPN web portal.
config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable
next
end
- Configure SSL VPN settings.
config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1”
set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”
next
end
- Configure SSL VPN firewall policy.
Configure one firewall policy to allow remote user to access the internal network.
config firewall policy edit 1 set name “sslvpn web mode access”
set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable
next
end
To see the results of the SSL VPN web connection:
- From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
- Log in using the sslvpnuser1
When the warning time is reached , the user is prompted to enter a new password.
In FortiOS 6.2, when the expiration time is reached, the user cannot renew the password and must contact the administrator.
In FortiOS 6.0/5.6, when the expiration time is reached, the user can still renew the password.
- On the FortiGate, go to Monitor> SSL-VPN Monitor to confirm the user connection.
To see the results of the SSL VPN tunnel connection:
- Download FortiClient from forticlient.com.
- Open the FortiClient Console and go to Remote Access > Configure VPN.
- Add a new connection.
- Set the connection name.
- Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
- Select Customize Port and set it to 10443.
- Save your settings.
- Log in using the sslvpnuser1
When the warning time is reached , the user is prompted to enter a new password.
To check the SSL VPN connection using the GUI:
- Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
- Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check that login failed due to password expired on GUI:
- Go to Log & Report > VPN Events to see the SSL VPN alert labeled ssl-login-fail.
- Click Details to see the log details about the Reason sslvpn_login_password_expired.
To check the web portal login using the CLI:
get vpn ssl monitor SSL VPN Login Users: | |
Index User Auth Type Timeout | From HTTP in/out HTTPS in/out |
0 sslvpnuser1 1(1)
SSL VPN sessions: |
229 10.1.100.254 0/0 0/0 |
Index User Source IP Duration
To check the tunnel login using the CLI: get vpn ssl monitor SSL VPN Login Users: |
I/O Bytes Tunnel/Dest IP |
Index User Auth Type Timeout | From HTTP in/out HTTPS in/out |
0 sslvpnuser1 1(1)
SSL VPN sessions: |
291 10.1.100.254 0/0 0/0 |
Index User Source IP Duration | I/O Bytes Tunnel/Dest IP |
0 sslvpnuser1 10.1.100.254 | 9 22099/43228 10.212.134.200 |
To check the FortiOS 6.2 login password expired event log:
FG201E4Q17901354 # execute log | filter category event |
FG201E4Q17901354 # execute log | filter field subtype vpn |
FG201E4Q17901354 # execute log | filter field action ssl-login-fail |
FG201E4Q17901354 # execute log | display |
1: date=2019-02-15 time=10:57:56 logid=”0101039426″ type=”event” subtype=”vpn” level=”alert” |
vd=”root” eventtime=1550257076 logdesc=”SSL VPN login fail” action=”ssl-login-fail” tunneltype=”ssl-web” tunnelid=0 remip=10.1.100.254 user=”u1″ group=”g1″ dst_host=”N/A” reason=”sslvpn_login_password_expired” msg=”SSL user failed to logged in”
SSL VPN with local user password policy
Hi
Our provider tells us we can only have notification by email if we use 2 factor authentication, the document you have put together doesn’t exactly say this, is it so
Hi Mike
can’t we use guest type user group to authenticate ssl vpn?
hi steve,
saw ur question unanswered so thought it might help u.
btw you can have 2factor over sms but by having an email2sms provider, that too works through email only.
in this case you need to define your custom sms gateway
1. config system sms-server
2. edit “cust-smsg” #(e.g. any name)
set mail-server “email.smsglobal.com” #(in my example i have used the sms global service)
end
now you can find this in local user definition sms under custom drop down list.
when you use the sms token, the token is sent through email to the sms server and then gets routed to the mobile by sms service provider.
hope it answers ur question.