FortiAP Management – Discovering a FortiAP unit

Discovering a FortiAP unit

For a FortiGate acting as an AP controller (AC) to discover a FortiAP unit, the FortiAP must be able to reach the AC. A FortiAP with the factory default configuration has various ways of acquiring an AC’s IP address to reach it.

AC discovery type Description
Auto The FortiAP attempts to be discovered in the below ways sequentially within an endless loop.
Static The FortiAP sends discover requests to a preconfigured IP address that an AC owns.
DHCP The FortiAP acquires the IP address of an AC in DHCP option 138 (the factory default) of a DHCP offer, which the FortiAP acquires its own IP address from.
DNS The FortiAP acquires the AC’s IP address by resolving a preconfigured FQDN.
FortiCloud FortiCloud discovers the FortiAP.
Broadcast FortiAP is discovered by sending broadcasts in its local subnet.
Multicast FortiAP is discovered by sending discovery requests to a multicast address of 224.0.1.140, which is the factory default.

FortiAP Management – Configuring the FortiGate interface to manage FortiAP units

Configuring the FortiGate interface to manage FortiAP units

This guide describes how to configure a FortiGate interface to manage FortiAPs.

Based on the above topology, this example uses port16 as the interface used to manage connection to FortiAPs.

  1. You must enable a DHCP server on port16:
    1. In FortiOS, go to Network > Interfaces.
    2. Double-click port16.
    3. In the IP/Network Mask field, enter an IP address for port16.
    4. Enable DHCP Server, keeping the default settings.
  2. If desired, you can enable the VCI-match feature using the CLI. When VCI-match is enabled, only devices with a VCI name that matches the preconfigured string can acquire an IP address from the DHCP server. To configure VCI-match, run the following commands:

config system dhcp server edit 1 set interface port16 set vci-match enable set vci-string “FortiAP”

next

end

  1. As it is a minimum management requirement that FortiAP establish a CAPWAP tunnel with the FortiGate, you must enable CAPWAP access on port16 to allow it to manage FortiAPs: Go to Network > Interfaces.
    1. Double-click port16.
    2. Under Administrative Access, select CAPWAP.
    3. Click OK.
  2. To create a new FortiAP entry automatically when a new FortiAP unit is discovered, run the following command. By default, this option is enabled. config system interface edit port16 set allow-access capwap set ap-discover enable|disable

next

end

  1. To allow FortiGate to authorize a newly discovered FortiAP to be controlled by the FortiGate, run the following command. By default, this option is disabled.

config system interface edit port16 set allow-access capwap

set auto-auth-extension-device enable|disable

next

end

FortiGate multiple connector support

FortiGate multiple connector support

This guide shows how to configure Fabric connectors and resolve dynamic firewall addresses through the configured Fabric connector in FortiOS.

FortiOS supports multiple Fabric connectors including public connectors (AWS, Azure, GCP, OCI, AliCloud) and private connectors (Kubernetes, VMware ESXi, VMware NSX, OpenStack, Cisco ACI, Nuage). FortiOS also supports multiple instances for each type of Fabric connector.

This guide uses an Azure Fabric connector as an example. The configuration procedure for all supported Fabric connectors is the same. In the following topology, the FortiGate accesses the Azure public cloud through the Internet:

This process consists of the following:

  1. Configure the interface.
  2. Configure a static route to connect to the Internet.
  3. Configure two Azure Fabric connectors with different client IDs.
  4. Check the configured Fabric connectors.
  5. Create two firewall addresses.
  6. Check the resolved firewall addresses afterthe update interval.
  7. Run diagnose commands.

To configure the interface:

  1. In FortiOS, go to Network > Interfaces.
  2. Edit port1:
    1. From the Role dropdown list, select WAN.
    2. In the IP/Network Mask field, enter 10.6.30.4/255.255.255.0 for the interface connected to the Internet.

To configure a static route to connect to the Internet:

  1. Go to Network > Static Routes. Click Create New.
  2. In the Destination field, enter 0.0.0.0/0.0.0.0.
  3. From the Interface dropdown list, select port1.
  4. In the Gateway Address field, enter 10.60.30.254.

To configure two Azure Fabric connectors with different client IDs:

  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New. Configure the first Fabric connector:
    1. Select Microsoft Azure.
    2. In the Name field, enter azure1.
    3. In the Status field, select Enabled.
    4. From the Server region dropdown list, select Global.
    5. In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
    6. In the Client ID field, enter the client ID. In this example, it is 14dbd5c5-307e-4ea4-8133-68738141feb1.
    7. In the Client secret field, enter the client secret.
    8. Leave the Resource path
    9. Click OK.
  3. Click Create New. Configure the second Fabric connector:
    1. Select Microsoft Azure.
    2. In the Name field, enter azure2.
    3. In the Status field, select Enabled.
    4. From the Server region dropdown list, select Global.
    5. In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
    6. In the Client ID field, enter the client ID. In this example, it is 3baf0a6c-44ff-4f94-b292-07f7a2c36be6.
    7. In the Client secret field, enter the client secret.
    8. Leave the Resource path
    9. Click OK.

To check the configured Fabric connectors:

  1. Go to Security Fabric > Fabric Connectors.
  2. Click the Refresh icon in the upper right corner of each configured Fabric connector. A green up arrow appears in the lower right corner, meaning that both Fabric connectors are connected to the Azure cloud using different client IDs.

To create two firewall addresses:

This process creates two Fabric connector firewall addresses to associate with the configured Fabric connectors.

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address. Configure the first Fabric connector firewall address:
    1. In the Name field, enter azure-address-1.
    2. From the Type dropdown list, select Fabric Connectoraddress.
    3. From the SDN Connector dropdown list, select azure1.
    4. For SDN address type, select Private.
    5. From the Filter dropdown list, select the desired filter.
    6. For Interface, select any.
    7. Click OK.
  3. Click Create New > Address. Configure the second Fabric connector firewall address:
    1. In the Name field, enter azure-address-1.
    2. From the Type dropdown list, select Fabric Connectoraddress.
    3. From the SDN Connector dropdown list, select azure2.
    4. For SDN address type, select Private.
    5. From the Filter dropdown list, select the desired filter.
    6. For Interface, select any.
    7. Click OK.

To check the resolved firewall addresses after the update interval:

By default, the update interval is 60 seconds.

  1. Go to Policy & Objects > Addresses.
  2. Hover over the created addresses. The firewall address that the configured Fabric connectors resolved display.

To run diagnose commands:

Run the show sdn connector status command. Both Fabric connectors should appear with a status of connected.

Run the diagnose debug application azd -1 command. The output should look like the following:

Level2-downstream-D # diagnose debug application azd -1 …

azd sdn connector azure1 start updating IP addresses azd checking firewall address object azure-address-1, vd 0 IP address change, new list: 10.18.0.4 …

To restart the Azure Fabric connector daemon, run the diagnose test application azd 99 command.

Access a cloud server using an AWS SDN connector via SSL VPN

Access a cloud server using an AWS SDN connector via SSL VPN

This example provides a sample configuration so that a local client PC can access an FTP server deployed inside an AWS cloud using an AWS SDN connector via SSL VPN.

The FortiGate VM64-AWS is deployed inside an AWS Cloud, and can dynamically resolve the private IP address of the FTP server in the cloud with an AWS SDN connector. The local client PC, with FortiClient installed, can establish an SSL-VPN tunnel to the FortiGate, and then access the FTP server through the tunnel.

To configure the FortiGate VM64-AWS:

  1. Configure an AWS SDN connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New.
    3. Click Amazon Web Services (AWS).
    4. Configure the following:
Name aws1
Status Enabled
Update Interval Use Default
Access key ID <AWS access key ID>
Secret access key <AWS secret access key>
Region name us-east-1
VPC ID disabled
  1. Click OK.
  1. Check the connector status:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click the refresh icon on the configured SDN connector.

A green arrow in the bottom right corner of the connector means that it is connected.

  1. Create a firewall address:
    1. Go to Policy & Objects > Addresses and click Create New > Address.
    2. Configure the following:
Name dynamic-aws
Type Fabric Connector Address
SDN Connector aws1
SDN address type Private
Filter Tag.Name=publicftp

(the name of the FTP server in the AWS cloud)

Interface any
  1. Click OK.
  1. Check the resolved firewall address after the update interval (60 seconds, by default):
    1. Go to Policy & Objects > Addresses.
    2. Hover the cursor over the dynamic-aws

The firewall address resolved by the configured SDN connector is shown (172.331.31.101).

  1. Configure SSL VPN to access the FTP server:
    1. Configure a user and user group:
      1. Go to User& Device > UserDefinition and create a new local user named usera.
      2. Go to User& Device > UserGroups, create a group named sslvpngroup, and add usera to it. Configure SSL VPN:
      3. Go to VPN > SSL-VPN Settings.
      4. Set the Listen on Interface(s) to port1 and the Listen on Port to 10443. Set ServerCertificate to your own certificate, or Fortinet_Factory.
      5. In the Authentication/Portal Mapping section, set the default All OtherUsers/Groups to full-access, and create a new Authentication/Portal Mapping for the sslvpngroup also with full-access. v. Click Apply.
      6. Configure an SSL VPN firewall policy:
    2. Go to Policy & Objects > IPv4 Policy and click Create New.
    3. Configure the following:
Name sslvpn-aws
Incoming interface ssl.root

(the SSL VPN tunnel interface)

Outgoing Interface port1
Source all

sslvpngroup

Destination dynamic-aws
Schedule always
Service ALL
Action Accept
  • Click OK.

To connect an SSL VPN tunnel from the local client PC:

  1. Download FortiClient from forticlient.com and install it.
  2. Open the FortiClient console and go to Remote Access.
  3. Add a new connection
  4. Set VPN to SSL-VPN, and enter a Connection Name and Description.
  5. Set the Remote Gateway to 26.32.219, which is the FortiGate’s port1 public IP address that is configured as the listening interface.
  6. Enable Customize port, and set the port number to 10443.
  7. Click Save.
  8. Use the credentials configured for usera to connect to the tunnel.

Traffic to the SDN connector’s resolved IP address (dynamic-aws, 172.31.31.101) will go through the tunnel, and other traffic will go through the local gateway.

The client PC shows the routing entry for the tunnel:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         172.16.200.1    0.0.0.0         UG    0      0        0 eth1

172.31.31.101 10.212.134.200 255.255.255.255 UGH 0        0        0 ppp0

The FortiGate shows the logged in user and the assigned SSL VPN tunnel virtual IP address :

execute vpn sslvpn list

SSL VPN Login Users:

Index User      Auth Type Timeout         From      HTTP in/out    HTTPS in/out

0        usera 1(1)           284      208.91.115.10     0/0            0/0

SSL VPN sessions:

Index User     Source IP     Duration I/O Bytes     Tunnel/Dest IP

0         usera 208.91.115.10 76        1883/1728     10.212.134.200

Diagnose commands

Show SDN connector status:

FGT-AWS# diagnose sys sdn status

SDN Connector                       Type        Status

————————————————————aws1      aws    connected

Debug the AWS SDN connector to resolve the firewall address:

FGT-AWS-3 # diagnose debug application awsd -1 …

awsd checking firewall address object dynamic-aws, vd 0

address change, new ip list:

172.31.31.101 awsd sdn connector aws1 finish updating IP addresses …

Restart the AWS SDN connector daemon:

FGT-AWS-3 # diagnose test application awsd 99

Common SSLVPN issues

Common issues

To troubleshoot getting no response from the SSL VPN URL:

  1. Go to VPN > SSL-VPN Settings.
    1. Check the SSL VPN port
    2. Check the Restrict Access settings to ensure the host you are connecting from is allowed.
  2. Go to Policy > IPv4 Policy or Policy > IPv6 policy.
    1. Check that the policy for SSL VPN traffic is configured correctly.
    2. Check the URL you are attempting to connect to. It should follow this pattern:

https://<FortiGate IP>:<Port>

  1. Check that you are using the correct port number in the URL. Ensure FortiGate is reachable from the computer.

ping <FortiGate IP>

  1. Check the browser has TLS 1.1, TLS 1.2, and TLS 1.3

To troubleshoot FortiGate connection issues:

  1. Check the Release Notes to ensure that the FortiClient version is compatible with your version of FortiOS.
  2. FortiClient uses IE security setting, In IE Internet Option > Advanced > Security, check that Use TLS 1.1 and Use TLS 1.2 are enabled.
  3. Check that SSL VPN ip-pools has free IPs to sign out. The default ip-pools SSLVPN_TUNNEL_ADDR1 has 10 IP addresses.
  4. Export and check FortiClient debug logs.
  5. Go to File > Settings.
  6. In the Logging section, enable Export logs.
  7. Set the Log Level to Debug and select Clearlogs.
  8. Try to connect to the VPN.
  9. When you get a connection error, select Export logs.

To troubleshoot SSL VPN hanging or disconnecting at 98%:

  1. A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues. If your FortiOS version is compatible, upgrade to use one of these versions.
  2. Latency or poor network connectivity can cause the default login timeout limit to be reached on the FortiGate. In

FortiOS 5.6.0 and later, use the following commands to allow a user to increase timers related to SSL VPN login.

config vpn ssl settings

set login-timeout 180 (default is 30) set dtls-hello-timeout 60 (default is 10)

end

To troubleshoot tunnel mode connections shutting down after a few seconds:

This might occur if there are multiple interfaces connected to the Internet, for example, SD-WAN. This can cause the session to become “dirty”. To allow multiple interfaces to connect, use the following CLI commands.

If you are using a FortiOS 6.0.1 or later:

config system interface

edit <name>

set preserve-session-route enable

next

end

If you are using a FortiOS 6.0.0 or earlier:

config vpn ssl settings set route-source-interface enable

end

To troubleshoot users being assigned to the wrong IP range:

  1. Go to VPN > SSL-VPN Portals and VPN > SSL-VPN Settings and ensure the same IP Pool is used in both places.

Using the same IP Pool prevents conflicts. If there is a conflict, the portal settings are used.

To troubleshoot slow SSL VPN throughput:

Many factors can contribute to slow throughput.

This recommendation is try improving throughput by using the FortiOS Datagram Transport Layer Security (DTLS) tunnel option, available in FortiOS 5.4 and above.

DTLS allows the SSL VPN to encrypt the traffic using TLS and uses UDP as the transport layer instead of TCP. This avoids retransmission problems that can occur with TCP-in-TCP.

FortiClient 5.4.0 to 5.4.3 uses DTLS by default. FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS setting on the FortiGate.

To use DTLS with FortiClient:

  1. Go to File > Settings and enable Preferred DTLS Tunnel.

To enable DTLS tunnel on FortiGate, use the following CLI commands:

config vpn ssl settings

set dtls-tunnel enable end

SSL VPN troubleshooting

SSL VPN troubleshooting

This topic provides a tips for SSL VPN troubleshooting.

Diagnose commands

SSL VPN debug command

Use the following diagnose commands to identify SSL VPN issues. These commands enable debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.

diagnose debug application sslvpn -1 diagnose debug enable

The CLI displays debug output similar to the following:

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)

[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)

[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)

[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)

[282:root]SSL state:SSLv3 write finished B (172.20.120.12)

[282:root]SSL state:SSLv3 flush data (172.20.120.12)

[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)

[282:root]SSL state:SSLv3 read finished A (172.20.120.12)

[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)

[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

To disable the debug:

diagnose debug disable diagnose debug reset

Remote user authentication debug command

Use the following diagnose commands to identify remote user authentication issues.

diagnose debug application fnbamd -1 diagnose debug reset

SSL VPN with LDAP user password renew

SSL VPN with LDAP user password renew

This topic provides a sample configuration of SSL VPN for LDAP users with Force Password Change on next logon. In this example, the LDAP server is a Windows 2012 AD server. A user ldu1 is configured on Windows 2012 AD server with Force password change on next logon.

You must have generated and exported a CA certificate from the AD server and then have imported it as an external CA certificate into the FortiGate.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. Port1 interface connects to the internal network.
    1. Go to Network > Interface and edit the wan1
    2. Set IP/Network Mask to 20.120.123/255.255.255.0.
    3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
  2. Import CA certificate into FortiGate.
    1. Go to System > Features Visibility and enable Certificates.
    2. Go to System > Certificates and select Import > CA Certificate.
    3. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

  1. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:

config vpn certificate ca rename CA_Cert_1 to LDAPS-CA

end

  1. Configure the LDAP user.
    1. Go to User& Device > LDAP Servers > Create New.
      • Specify Name and ServerIP/Name.
      • Specify Common Name Identifier, Distinguished Name. l Set Bind Type to Regular. l Specify Username and Password. l Enable Secure Connection and set Protocol to LDAPS. l For Certificate, select LDAP serverCA LDAPS-CA from the list.
    2. To enable the password-renew option, use these CLI commands.

config user ldap edit “ldaps-server” set password-expiry-warning enable set password-renewal enable

next

end

  1. Configure user group.
    1. Go to User& Device > UserGroups to create a user group.
    2. Enter a Name.
    3. In Remote Groups, click Add to add ldaps-server.
  2. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

  1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  1. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose proper Listen on Interface, in this example, wan1.
    3. Listen on Port 10443.
    4. Set ServerCertificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
    6. Create new Authentication/Portal Mapping for group ldaps-group mapping portal full-access.
  2. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name, in this example, sslvpn certificate auth.
    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
    4. Set the Source Address to all and Source User to ldaps-group.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network, in this example, port1.
    6. Set Destination Address to the internal protected subnet 168.1.0.
    7. Set schedule to always, service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet.

Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

  1. Import CA certificate into FortiGate.
    1. Go to System > Features Visibility and enable Certificates.
    2. Go to System > Certificates and select Import > CA Certificate.
    3. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

  1. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:

config vpn certificate ca rename CA_Cert_1 to LDAPS-CA

end

  1. Configure the LDAP server.

config user ldap edit “ldaps-server” set server “172.20.120.161”

set cnid “cn”

set dn “cn=Users,dc=qa,dc=fortinet,dc=com”

set type regular

set username “CN=Administrator,cn=users,DC=qa,DC=fortinet,DC=com” set password ENC

Uf/OvqAbjSpeZz4wv9Tapl3xyMn1DGSTSxb2ZAB5dA5kVd0wVsGaeAhuX1Hl7mRtJQdRL8L2mzSfV6NTyQsdJ8E+rZy mImS2rfQg0OZ0IRRYKp0v3qFXgsmW9x9xRP2u79OcpUR5JmnnW8DFnK9jSUGix+DvYpbBn8EwweoDQq55Ej9FLwKSBY iYZs18V9ktSxT49w== set group-member-check group-object

set secure ldaps set ca-cert “LDAPS-CA” set port 636

set password-expiry-warning enable set password-renewal enable

next

end

  1. Configure user group.

config user group edit “ldaps-group” set member “ldaps-server”

next end

  1. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

  1. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “ldaps-group” set portal “full-access”

next

end

  1. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “ldaps-group” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of the SSL VPN web connection:

  1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
  2. Log in using the ldu1

Use a user which is configured on FortiAuthenticator with Force password change on next logon.

  1. Click Login. You are prompted to enter a new password.
  2. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.

To see the results of the SSL VPN tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the ldu1

You are prompted to enter a new password.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
  2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
  3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor SSL VPN Login Users:  
Index User       Auth Type      Timeout From      HTTP in/out   HTTPS in/out
0        ldu1          1(1)            229

SSL VPN sessions:

10.1.100.254 0/0       0/0
Index User       Source IP      Duration

To check the tunnel login using the CLI:

get vpn ssl monitor

SSL VPN Login Users:

I/O Bytes        Tunnel/Dest IP
Index User       Auth Type      Timeout From      HTTP in/out   HTTPS in/out
0        ldu1          1(1)            291

SSL VPN sessions:

10.1.100.254 0/0       0/0
Index User       Source IP      Duration I/O Bytes        Tunnel/Dest IP
0        ldu1          10.1.100.254    9 22099/43228    10.212.134.200

SSL VPN with RADIUS password renew on FortiAuthenticator

SSL VPN with RADIUS password renew on FortiAuthenticator

This topic provides a sample configuration of SSL VPN for RADIUS users with Force Password Change on next logon. In this example, the RADIUS server is a FortiAuthenticator. A user test1 is configured on FortiAuthenticator with Force password change on next logon.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. Port1 interface connects to the internal network.
    1. Go to Network > Interface and edit the wan1
    2. Set IP/Network Mask to 20.120.123/255.255.255.0.
    3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
  2. Create a RADIUS user.
    1. Go to User& Device > RADIUS Servers to create a user.
    2. Set Authentication method to MS-CHAP-v2.
    3. Enter the IP/Name and Secret.
    4. Click Create.

Password renewal only works with the MS-CHAP-v2 authentication method.

  1. To enable the password-renew option, use these CLI commands.

config user radius edit “fac” set server “172.20.120.161” set secret <fac radius password> set auth-type ms_chap_v2 set password-renewal enable

next

end

  1. Configure user group.
    1. Go to User& Device > UserGroups to create a user group.
    2. For the Name, enter fac-group.
    3. In Remote Groups, click Add to add Remote Server you just created.
  2. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access

This portal supports both web and tunnel mode.

  1. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  1. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose proper Listen on Interface, in this example, wan1.
    3. Listen on Port 10443.
    4. Set ServerCertificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
    6. Create new Authentication/Portal Mapping for group fac-group mapping portal full-access.
  2. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name, in this example, sslvpn certificate auth.
    3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
    4. Set the Source Address to all and Source User to fac-group.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network, in this example, port1.
    6. Set Destination Address to the internal protected subnet 168.1.0.
    7. Set schedule to always, service to ALL, and Action to Accept.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next end

  1. Configure the RADIUS server.

config user radius edit “fac” set server “172.18.58.107” set secret <fac radius password> set auth-type ms_chap_v2 set password-renewal enable

next

end

  1. Configure user group.

config user group edit “fac-group” set member “fac”

next

end

  1. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

  1. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “fac-group” set portal “full-access”

next

end

  1. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access” set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “fac-group” set action accept set schedule “always” set service “ALL”

set nat enable

next

end

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next

end

  1. Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

next

end config user group edit “sslvpngroup” set member”vpnuser1″

next

end

  1. Configure and assign the password policy.
    1. Configure a password policy that includes an expiration date and warning time. The default start time for the password is the time the user was created.

config user password-policy

edit “pwpolicy1” set expire-days 2 set warn-days 1

next

end

  1. Assign the password policy to the user you just created.

config user local

edit “sslvpnuser1”

set type password set passwd-policy “pwpolicy1”

next

end

  1. Configure SSL VPN web portal.

config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable

next

end

  1. Configure SSL VPN settings.

config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”

next

end

  1. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable

next

end

To see the results of the SSL VPN web connection:

  1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
  2. Log in using the test1

Use a user which is configured on FortiAuthenticator with Force password change on next logon.

  1. Click Login. You are prompted to enter a new password.
  2. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.

To see the results of the SSL VPN tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Log in using the test1

You are prompted to enter a new password.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor> SSL-VPN Monitor to verify the user’s connection.
  2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
  3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

get vpn ssl monitor SSL VPN Login Users:  
Index User       Auth Type      Timeout From     HTTP in/out   HTTPS in/out
0        test1          1(1)            229

SSL VPN sessions:

10.1.100.254 0/0       0/0
Index User       Source IP      Duration

To check the tunnel login using the CLI:

get vpn ssl monitor

SSL VPN Login Users:

I/O Bytes       Tunnel/Dest IP
Index User       Auth Type      Timeout From     HTTP in/out   HTTPS in/out
0        test1          1(1)            291

SSL VPN sessions:

10.1.100.254 0/0       0/0
Index User       Source IP      Duration I/O Bytes       Tunnel/Dest IP
0        test1          10.1.100.254    9 22099/43228    10.212.134.200