2020-05-15 17:21:31.236009 port1 in 192.168.2.71.1812 -> 192.168.2.5.11490: udp 20 <-- access-accept

Access is denied by the NPS server because the user does not exist. However, access is accepted by FortiAuthenticator. The end result is the authentication is successful.

# get vpn ssl monitor SSL VPN Login Users:

Index User Group Auth Type Timeout From HTTP

in/out HTTPS in/out

0 fackeith dualPrimaryGroup 2(1) 292 192.168.2.202 0/0

0/0

SSL VPN sessions:

Index User Group Source IP Duration I/O Bytes

Tunnel/Dest IP

0 fackeith dualPrimaryGroup 192.168.2.202 149 70236/4966

10.212.134.200

Case 2: Connect to the SSLVPN tunnel using FortiClient with user radkeith:

# diagnose sniffer packet any 'port 1812' 4 0 l interfaces=[any]

filters=[port 1812]

2020-05-15 17:26:07.335791 port1 out 192.168.2.5.17988 -> 192.168.2.71.1812: udp 118 2020-05-15 17:26:07.335911 port3 out 192.168.20.5.17988 -> 192.168.20.6.1812: udp 118 2020-05-15 17:26:07.337659 port3 in 192.168.20.6.1812 -> 192.168.20.5.17988: udp 20 <--

access-accept

2020-05-15 17:26:07.337914 port3 out 192.168.20.5.17988 -> 192.168.20.6.1812: udp 182 2020-05-15 17:26:07.339451 port3 in 192.168.20.6.1812 -> 192.168.20.5.17988: udp 228 2020-05-15 17:26:08.352597 port1 in 192.168.2.71.1812 -> 192.168.2.5.17988: udp 20 <--

access-reject

There is a password mismatch for this user on the Secondary RADIUS server. However, even though the authentication was rejected by FortiAuthenticator, it was accepted by Windows NPS. Therefore, the end result is authentication successful.

# get vpn ssl monitor SSL VPN Login Users:

Index User Group Auth Type Timeout From HTTP

in/out HTTPS in/out

0 radkeith dualPrimaryGroup 2(1) 290 192.168.2.202 0/0

0/0

SSL VPN sessions:

Index User Group Source IP Duration I/O Bytes

Tunnel/Dest IP

0 radkeith dualPrimaryGroup 192.168.2.202 142 64875/4966 10.212.134.200

policy cannot be applied to a user group or a local remote user such as LDAP/RADIUS/TACACS+.

In FortiOS 6.2, users are warned after one day about the password expiring and have one day to renew it. If the password expires, the user cannot renew the password and must contact the administrator for assistance.

In FortiOS 6.0/5.6, users are warned after one day about the password expiring and have to renew it. If the password expires, the user can still renew the password.

Sample topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. The port1 interface connects to the internal network.

a. Go toNetwork > Interfacesand edit thewan1interface.

b. SetIP/Network Maskto172.20.120.123/255.255.255.0.

c. Editport1interface and setIP/Network Maskto192.168.1.99/255.255.255.0.

d. ClickOK.

e. Go toPolicy & Objects > Addressand create an address for internet subnet192.168.1.0.

2. Configure user and user group.

a. Go toUser & Authentication > User Definitionto create a local user.

b. Go toUser & Authentication > User Groupsto create a user group and add that local user to it.

3. Configure and assign the password policy using the CLI.

a. Configure a password policy that includes an expiry date and warning time. The default start time for the password is the time the user was created.

config user password-policy edit "pwpolicy1"

set expire-days 2 set warn-days 1 next

end

b. Assign the password policy to the user you just created.

config user local edit "sslvpnuser1"

set type password

set passwd-policy "pwpolicy1"

next end

4. Configure SSL VPN web portal.

a. Go toVPN > SSL-VPN Portalsto edit thefull-accessportal.

This portal supports both web and tunnel mode.

b. DisableEnable Split Tunnelingso that all SSL VPN traffic goes through the FortiGate.

5. Configure SSL VPN settings.

a. Go toVPN > SSL-VPN Settings.

b. Select theListen on Interface(s), in this example,wan1.

c. SetListen on Portto10443.

d. SetServer Certificateto the authentication certificate.

e. UnderAuthentication/Portal Mapping, set default Portalweb-accessforAll Other Users/Groups.

f. Create newAuthentication/Portal Mappingfor groupsslvpngroupmapping portalfull-access.

6. Configure SSL VPN firewall policy.

a. Go toPolicy & Objects > Firewall Policy.

b. Fill in the firewall policy name. In this example,sslvpn certificate auth.

c. Incoming interface must beSSL-VPN tunnel interface(ssl.root).

d. Set theSource AddresstoallandSource Usertosslvpngroup.

e. Set theOutgoing Interfaceto the local network interface so that the remote user can access the internal network. In this example,port1.

f. SetDestination Addressto the internal protected subnet192.168.1.0.

g. SetScheduletoalways,ServicetoALL, andActiontoAccept.

h. EnableNAT.

i. Configure any remaining firewall and security options as desired.

j. ClickOK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit "wan1"

set vdom "root"

set ip 172.20.120.123 255.255.255.0 next

end

2. Configure internal interface and protected subnet, then connect the port1 interface to the internal network.

config system interface edit "port1"

set vdom "root"

set ip 192.168.1.99 255.255.255.0 next

end

config firewall address edit "192.168.1.0"

set subnet 192.168.1.0 255.255.255.0 next

end

3. Configure user and user group.

config user local edit "sslvpnuser1"

set type password

set passwd your-password next

end

config user group edit "sslvpngroup"

set member "vpnuser1"

next end

4. Configure and assign the password policy.

a. Configure a password policy that includes an expiry date and warning time. The default start time for the password is the time the user was created.

config user password-policy edit "pwpolicy1"

set expire-days 2 set warn-days 1 next

end

b. Assign the password policy to the user you just created.

config user local edit "sslvpnuser1"

set type password

set passwd-policy "pwpolicy1"

next end

5. Configure SSL VPN web portal.

config vpn ssl web portal edit "full-access"

set tunnel-mode enable set web-mode enable

set ip-pools "SSLVPN_TUNNEL_ADDR1"

set split-tunneling disable next

end

6. Configure SSL VPN settings.

config vpn ssl settings

set servercert "server_certificate"

set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

set source-interface "wan1"

set source-address "all"

set default-portal "web-access"

config authentication-rule edit 1

set groups "sslvpngroup"

set portal "full-access"

next end end

7. Configure one SSL VPN firewall policy to allow remote user to access the internal network.

config firewall policy edit 1

set name "sslvpn web mode access"

set srcintf "ssl.root"

set dstintf "port1"

set srcaddr "all"

set dstaddr "192.168.1.0"

set groups “sslvpngroup”

set action accept set schedule "always"

set service "ALL"

set nat enable next

end

To see the results of web portal:

1. From a remote device, use a web browser to log into the SSL VPN web portalhttp://172.20.120.123:10443.

2. Log in using thesslvpnuser1credentials.

When the warning time is reached, the user is prompted to enter a new password.

In FortiOS 6.2, when the password expires, the user cannot renew the password and must contact the administrator.

In FortiOS 6.0/5.6, when the password expires, the user can still renew the password.

3. On the FortiGate, go toDashboard > Networkand expand theSSL-VPNwidget to verify the user’s connection.

To see the results of tunnel connection:

1. Download FortiClient fromwww.forticlient.com.

2. Open the FortiClient Console and go toRemote Access > Configure VPN.

3. Add a new connection.

l Set the connection name.

l SetRemote Gatewayto the IP of the listening FortiGate interface, in this example,172.20.120.123.

4. SelectCustomize Portand set it to10443.

5. Save your settings.

6. Log in using thesslvpnuser1credentials.

When the warning time is reached, the user is prompted to enter a new password.

To check the SSL VPN connection using the GUI:

1. Go toDashboard > Networkand expand theSSL-VPNwidget to verify the user’s connection.

2. Go toLog & Report > Forward Trafficto view the details of the SSL VPN traffic.

To check that login failed due to password expired on GUI:

1. Go toLog & Report > System Eventsand select theVPN Eventscard to see the SSL VPN alert labeledssl- login-fail.

2. ClickDetailsto see the log details about theReasonsslvpn_login_password_expired.

To check the web portal login using the CLI:

get vpn ssl monitor SSL VPN Login Users:

Index User Auth Type Timeout From HTTP in/out HTTPS in/out

0 sslvpnuser1 1(1) 229 10.1.100.254 0/0 0/0

SSL VPN sessions:

Index User Source IP Duration I/O Bytes Tunnel/Dest IP To check the tunnel login using the CLI:

get vpn ssl monitor SSL VPN Login Users:

Index User Auth Type Timeout From HTTP in/out HTTPS in/out

0 sslvpnuser1 1(1) 291 10.1.100.254 0/0 0/0

SSL VPN sessions:

Index User Source IP Duration I/O Bytes Tunnel/Dest IP 0 sslvpnuser1 10.1.100.254 9 22099/43228 10.212.134.200 To check the FortiOS 6.2 login password expired event log:

FG201E4Q17901354 # execute log filter category event FG201E4Q17901354 # execute log filter field subtype vpn

FG201E4Q17901354 # execute log filter field action ssl-login-fail FG201E4Q17901354 # execute log display

1: date=2019-02-15 time=10:57:56 logid="0101039426" type="event" subtype="vpn" level="alert"

vd="root" eventtime=1550257076 logdesc="SSL VPN login fail" action="ssl-login-fail"

tunneltype="ssl-web" tunnelid=0 remip=10.1.100.254 user="u1" group="g1" dst_host="N/A"

reason="sslvpn_login_password_expired" msg="SSL user failed to logged in"