FortiOS 5.2 Authentication: SSL VPN with RADIUS authenticationmode

This recipe provides remote FortiClient users with access to the corporate network using SSL VPN and Internet browsing through the corporate FortiGate unit. Remote users are authenticated using RADIUS (configured in Microsoft’s Network Policy Server).

FortiClient is available here.

The recipe includes a brief explanation of the RADIUS server configuration we utilized. It was tested on a FortiGate 60D. Microsoft Network Policy Server was configured on Windows Server 2008.

1. Configuring Microsoft’s Network Policy Server

In RADIUS Client properties, enable the client and set Vendor name to RADIUS Standard.

Uncheck both Access-Request message must contain the Message-Authenticator attributeand RADIUS client is NAP-capable.

In Connection Request Properties > Overview, create a policy, name it and enable it.

Set Type of network access server to Unspecified.

In Connection Request Properties > Conditions, set the Condition to either NAS Identifier (the FortiGate Name) or NAS IPv4 Address (the FortiGate IP).

You can also configure both. Just be aware that if there is more than one condition configured, they must all pass to allow the connection.

In Connection Request Properties > Settings > Authentication, make sure Authenticate requests on this server is enabled.

In Connection Request Properties > Vendor Specific, add a new Vendor-Specific attribute with Vendor set to RADIUS Standard and the Vendor Code 12356.

In Network Policies > Overview, create a policy, name it and enable it.

Set Type of network access server to Unspecified.

In Network Policies > Conditions, add a User Group that contains the users you want to allow connection to the VPNand apply the necessary conditions.

In Network Policies > Constraints > Authentication Methods, enable MS-CHAP-v2.

You do not need to modify any of the remaining network policy settings.

2. Configuring the FortiGate to connect to the RADIUS server

On your FortiGate, go to User & Device > Authentication > RADIUS Servers.

Enter a Name for the RADIUS server, and enter its Primary Server IP/Name.

Carefully and correctly enter the Primary Server Secret, and specify the authentication method MS-CHAP-v2.

Perform a RADIUS connectivity test by clicking Test Connectivity.

Enter valid RADIUS credentials and click Test.

If there is an error in the configuration, or the credentials were entered incorrectly, the RADIUS connectivity test returns with a Server is unreachable error. If this occurs, double-check the configuration for errors and try again.

If everything is configured and entered correctly, the RADIUS connectivity test returns with a Successfulconfirmation message.

Click OK.

3. Adding the SSL VPN remote user group

Go to User & Device > User > User Groups.

Create an SSL VPN remote user group and add the RADIUS server as a Remote group.

You can choose to specify a group name that matches a group in the RADIUS configuration, or leave it set to Any (the default setting), which permits any user configured on the RADIUS server.

4. Configuring the SSL VPN tunnel

Go to VPN > SSL > Portals.

Edit the full-accessportal.

Enable Split Tunneling is not enabled so that all SSL VPN traffic will go through the FortiGate unit.

Go to VPN > SSL > Settings and set Listen on Interface(s) to wan1.

Set Listen on Port to 10443.

Disable Require Client Certificate.

5. Adding security policies for access to the Internet and internal network

Go to Policy & Objects > Policy > IPv4. Create a security policy allowing SSL VPN user to access the internal network.

Set Incoming Interfaceto ssl.root. Set Source Address to all and Source User to the remote user group. Set Outgoing Interface to the local network interface so that the remote user(s) can access the internal network.

Set Destination Addressto all, enable NAT, and configure any remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN users to access the Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing Interface is set to wan1.

Set Source User to the remote user group.

6. Configuring FortiClient

Open FortiClient, go to Remote Access, and add a new SSL VPN connection.

Provide a Connection Name and set the Type to SSL VPN.

Set Remote Gateway to the FortiGate IP address.

Set Customize Portto 10443.

Select the new connection, enter a valid username and password, and click Connect.

If prompted with a server authentication warning, select Yes.

7. Results

From FortiClient start an SSL VPN session. As the connection is being established, the FortiGate authenticates the user against the RADIUS server and, if successful, assigns the user an IP address.

FortiClient then displays the status of the connection, including the IP address, connection duration, and bytes sent and received.