SSL VPN with RADIUS password renew on FortiAuthenticator

SSL VPN with RADIUS password renew on FortiAuthenticator

This topic provides a sample configuration of SSL VPN for RADIUS users with Force Password Change on next logon. In this example, the RADIUS server is a FortiAuthenticator. A user test1 is configured on FortiAuthenticator with Force password change on next logon.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. Port1 interface connects to the internal network.
    1. Go to Network > Interface and edit the wan1
    2. Set IP/Network Mask to 20.120.123/255.255.255.0.
    3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
  2. Create a RADIUS user.
    1. Go to User& Device > RADIUS Servers to create a user.
    2. Set Authentication method to MS-CHAP-v2.
    3. Enter the IP/Name and Secret.
    4. Click Create.

Password renewal only works with the MS-CHAP-v2 authentication method.

  1. To enable the password-renew option, use these CLI commands.

config user radius edit “fac” set server “172.20.120.161” set secret <fac radius password> set auth-type ms_chap_v2 set password-renewal enable

next

end

  1. Configure user group.
    1. Go to User& Device > UserGroups to create a user group.
    2. For the Name, enter fac-group.
    3. In Remote Groups, click Add to add Remote Server you just created.
  2. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

  1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  1. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose proper Listen on Interface, in this example, wan1.
    3. Listen on Port 10443.
    4. Set ServerCertificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
    6. Create new Authentication/Portal Mapping for group fac-group mapping portal full-access.
  2. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name, in this example, sslvpn certificate auth.
    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
    4. Set the Source Address to all and Source User to fac-group.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network, in this example, port1.
    6. Set Destination Address to the internal protected subnet 168.1.0.
    7. Set schedule to always, service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next end

  1. Configure the RADIUS server.

config user radius edit “fac” set server “172.18.58.107” set secret <fac radius password> set auth-type ms_chap_v2 set password-renewal enable

next

end

  1. Configure user group.

config user group edit “fac-group” set member “fac”

next

end

  1. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

  1. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “fac-group” set portal “full-access”

next

end

  1. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access” set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “fac-group” set action accept set schedule “always” set service “ALL”

set nat enable

next

end

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

  1. Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

next

end config user group edit “sslvpngroup” set member”vpnuser1″

next

end

  1. Configure and assign the password policy.
    1. Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.

config user password-policy

edit “pwpolicy1” set expire-days 2 set warn-days 1

next

end

  1. Assign the password policy to the user you just created.

config user local

edit “sslvpnuser1”

set type password set passwd-policy “pwpolicy1”

next

end

  1. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

  1. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

next

end

  1. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of the SSL VPN web connection:

  1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
  2. Log in using the test1

Use a user which is configured on FortiAuthenticator with Force password change on next logon.

  1. Click Login. You are prompted to enter a new password.
  2. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.

To see the results of the SSL VPN tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the test1

You are prompted to enter a new password.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
  2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
  3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor SSL VPN Login Users:  
Index User       Auth Type      Timeout From     HTTP in/out   HTTPS in/out
0        test1          1(1)            229

SSL VPN sessions:

10.1.100.254 0/0       0/0
Index User       Source IP      Duration

To check the tunnel login using the CLI:

get vpn ssl monitor

SSL VPN Login Users:

I/O Bytes       Tunnel/Dest IP
Index User       Auth Type      Timeout From     HTTP in/out   HTTPS in/out
0        test1          1(1)            291

SSL VPN sessions:

10.1.100.254 0/0       0/0
Index User       Source IP      Duration I/O Bytes       Tunnel/Dest IP
0        test1          10.1.100.254    9 22099/43228    10.212.134.200
This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.