• Tidak ada hasil yang ditemukan

SSL VPN with certificate authentication

Dalam dokumen FortiOS 7.4.1 Administration Guide (Halaman 95-101)

3. Add a new connection:

a. Set the connection name.

b. SetRemote Gatewayto the IP of the listening FortiGate interface, in this example,172.20.120.123.

c. SelectCustomize Portand set it to10443.

4. Save your settings.

5. Log in using theldu1credentials.

You are prompted to enter a new password. The prompt will timeout after 90 seconds.

To check the SSL VPN connection using the GUI:

1. Go toDashboard > Networkand expand theSSL-VPNwidget to verify the user’s connection.

2. Go toLog & Report > System Eventsand select theVPN Eventscard to view the details of the SSL VPN connection event log.

3. Go toLog & Report > Forward Trafficto view the details of the SSL VPN traffic.

To check the web portal login using the CLI:

# get vpn ssl monitor SSL VPN Login Users:

Index User Auth Type Timeout From HTTP in/out HTTPS in/out

0 ldu1 1(1) 229 10.1.100.254 0/0 0/0

SSL VPN sessions:

Index User Source IP Duration I/O Bytes Tunnel/Dest IP To check the tunnel login using the CLI:

# get vpn ssl monitor SSL VPN Login Users:

Index User Auth Type Timeout From HTTP in/out HTTPS in/out

0 ldu1 1(1) 291 10.1.100.254 0/0 0/0

SSL VPN sessions:

Index User Source IP Duration I/O Bytes Tunnel/Dest IP

0 ldu1 10.1.100.254 9 22099/43228 10.212.134.200

Self-signed certificates are provided by default to simplify initial installation and testing. It is HIGHLYrecommended that you acquire a signed certificate for your installation.

Continuing to use these certificates can result in your connection being compromised, allowing attackers to steal your information, such as credit card details.

For more information, please review theUse a non-factory SSL certificate for the SSL VPN portal on page 2105and learn how toProcuring and importing a signed SSL certificate on page 2800.

Using PKI users

When using PKI users, the FortiGate authenticates the user based on there identity in the subject or the common name on the certificate. The certificate must be signed by a CA that is known by the FortiGate, either through the default CA certificates or through importing a CA certificate.

The user can either match a static subject or common name defined in the PKI user settings, or match an LDAP user in the LDAP server defined in the PKI user settings. Multi-factor authentication can also be enabled with the password as the second factor.

Configuring the SSL VPN settings to require a client certificate

Using this method, the user is authenticated based on their regular username and password, but SSL VPN will still require an additional certificate check. The client certificate only needs to be signed by a known CA in order to pass authentication.

This method can be configured by enablingRequire Client Certificate(reqclientcert) in the SSL-VPN settings.

Configuration

In the following example, SSL VPN users are authenticated using the first method. A PKI user is configured with multi- factor authentication

Pre-requisites:

l The CA has already issued a client certificate to the user.

l The CA has issued a server certificate for the FortiGate’s SSL VPN portal.

l The CA certificate is available to be imported on the FortiGate.

To configure SSL VPN in the GUI:

1. Install the server certificate. The server certificate allows the clients to authenticate the server and to encrypt the SSL VPN traffic.

a. Go toSystem > Feature Visibilityand ensureCertificatesis enabled.

b. Go toSystem > Certificatesand selectImport > Local Certificate.

l SetTypetoCertificate.

l Choose theCertificate fileand theKey filefor your certificate, and enter thePassword.

l If required, you can change theCertificate Name.

The server certificate now appears in the list ofCertificates.

2. Install the CA certificate.

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

a. Go toSystem > Certificatesand selectImport > CA Certificate.

b. SelectLocal PCand then select the certificate file.

The CA certificate now appears in the list ofExternal CA Certificates. In this example, it is calledCA_Cert_1.

3. Configure PKI users and a user group.

To use certificate authentication, use the CLI to create PKI users.

config user peer edit pki01

set ca CA_Cert_1

set subject "CN=User01"

next end

Ensure that the subject matches the name of the user certificate. In this example,User01.

4. After you have create a PKI user, a new menu is added to the GUI:

a. Go toUser & Authentication > PKIto see the new user.

b. Edit the user account.

c. EnableTwo-factor authenticationand set a password for the account.

d. Go toUser & Authentication > User Groupsand create a group calledsslvpngroup.

e. Add the PKI userpki01to the group.

5. Configure SSL VPN web portal.

a. Go toVPN > SSL-VPN Portalsto edit thefull-accessportal.

This portal supports both web and tunnel mode.

b. DisableEnable Split Tunnelingso that all SSL VPN traffic goes through the FortiGate.

6. Configure SSL VPN settings.

a. Go toVPN > SSL-VPN Settingsand enable SSL-VPN.

b. Set theListen on Interface(s)towan1.

c. SetListen on Portto10443.

d. SetServer Certificateto the local certificate that was imported.

e. UnderAuthentication/Portal Mapping, set default Portalweb-accessforAll Other Users/Groups.

f. Create newAuthentication/Portal Mappingfor groupsslvpngroupmapping portalfull-access.

7. Configure SSL VPN firewall policy.

a. Go toPolicy & Objects > Firewall Policy.

b. Fill in the firewall policy name. In this example,sslvpn certificate auth.

c. Incoming interface must beSSL-VPN tunnel interface(ssl.root).

d. Set theSource AddresstoallandSource Usertosslvpngroup.

e. Set theOutgoing Interfaceto the local network interface so that the remote user can access the internal network. In this example,port1.

f. SetDestination Addressto the internal protected subnet192.168.1.0.

g. SetScheduletoalways,ServicetoALL, andActiontoAccept.

h. EnableNAT.

i. Configure any remaining firewall and security options as needed.

j. ClickOK.

To configure SSL VPN in the CLI:

1. Configure the protected subnet:

config firewall address edit "192.168.1.0"

set subnet 192.168.1.0 255.255.255.0 next

end

2. Install the server certificate:

The server certificate allows the clients to authenticate the server and to encrypt the SSL VPN traffic. While it is easier to install the server certificate in the GUI, the CLI can be used to import a p12 certificate from a TFTP server.

To import a p12 certificate, put the certificateserver_certificate.p12on your TFTP server, then run following command on the FortiGate:

execute vpn certificate local import tftp server_certificate.p12 <your tftp_server> p12

<your password for PKCS12 file>

To check that the server certificate is installed:

show vpn certificate local server_certificate 3. Install the CA certificate:

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users. While it is easier to install the CA certificate from GUI, the CLI can be used to import a CA certificates from a TFTP server.

To import a CA certificate, put the CA certificate on your TFTP server, then run following command on the FortiGate:

execute vpn certificate ca import tftp <your CA certificate name> <your tftp server>

To check that a new CA certificate is installed:

show vpn certificate ca

4. Configure PKI users and a user group:

config user peer edit pki01

set ca CA_Cert_1

set subject "CN=User01"

set two-factor enable set passwd **********

next end

config user group edit "sslvpngroup"

set member "pki01"

next end

5. Configure SSL VPN web portal:

config vpn ssl web portal edit "full-access"

set tunnel-mode enable set web-mode enable

set ip-pools "SSLVPN_TUNNEL_ADDR1"

set split-tunneling disable next

end

6. Configure SSL VPN settings:

config vpn ssl settings

set servercert "server_certificate"

set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

set source-interface "wan1"

set source-address "all"

set default-portal "web-access"

config authentication-rule edit 1

set groups "sslvpngroup"

set portal "full-access"

next end end

7. Configure one SSL VPN firewall policy to allow remote user to access the internal network:

config firewall policy edit 1

set name "sslvpn web mode access"

set srcintf "ssl.root"

set dstintf "port1"

set srcaddr "all"

set dstaddr "192.168.1.0"

set groups “sslvpngroup”

set action accept set schedule "always"

set service "ALL"

set nat enable next

end Installation

To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that they match.

Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.

To install the user certificate on Windows 7, 8, and 10:

1. Double-click the certificate file to open theImport Wizard.

2. Use theImport Wizardto import the certificate into thePersonal storeof the current user.

To install the user certificate on Mac OS X:

1. Open the certificate file, to openKeychain Access.

2. Double-click the certificate.

3. ExpandTrustand selectAlways Trust.

To see the results of tunnel connection:

1. Download FortiClient fromwww.forticlient.com.

2. Open the FortiClient Console and go toRemote Access > Configure VPN.

3. Add a new connection.

l SetVPN TypetoSSL VPN.

l SetRemote Gatewayto the IP of the listening FortiGate interface, in this example,172.20.120.123.

4. SelectCustomize Portand set it to10443.

5. EnableClient Certificateand select the authentication certificate.

6. Save your settings.

7. Use the credentials you've set up to connect to the SSL VPN tunnel.

If the certificate is correct, you can connect.

To see the results of web portal:

1. In a web browser, log into the portalhttp://172.20.120.123:10443.

A message requests a certificate for authentication.

2. Select the user certificate.

3. Enter your user credentials.

If the certificate is correct, you can connect to the SSL VPN web portal.

To check the SSL VPN connection using the GUI:

1. Go toVPN > Monitor > SSL-VPN Monitorto verify the list of SSL users.

2. Go toLog & Report > System Eventsand select theVPN Eventscard to view the details for the SSL connection log.

To check the SSL VPN connection using the CLI:

get vpn ssl monitor SSL VPN Login Users:

Index User Auth Type Timeout From HTTP in/out HTTPS in/out

0 pki01,cn=User01 1(1) 229 10.1.100.254 0/0 0/0

1 pki01,cn=User01 1(1) 291 10.1.100.254 0/0 0/0

SSL VPN sessions:

Index User Source IP Duration I/O Bytes Tunnel/Dest IP

0 pki01,cn=User01 10.1.100.254 9 22099/43228 10.212.134.200

Dalam dokumen FortiOS 7.4.1 Administration Guide (Halaman 95-101)
Unduh sekarang "FortiOS 7.4.1 Administ..."

Garis besar

Dokumen terkait