
SSL VPN with multiple RADIUS servers

From the document FortiOS 7.4.1 Administration Guide (pages 136-144)

To check the login using the CLI:

# get vpn ssl monitor
SSL VPN Login Users:
 Index   User       Group       Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       radkeith   rad-group   2(1)        295       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User       Group       Source IP       Duration   I/O Bytes    Tunnel/Dest IP
 0       radkeith   rad-group   192.168.2.202   18         28502/4966   10.212.134.200

3. Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.

4. Click OK.

To create a firewall address:

1. Go to Policy & Objects > Addresses and click Create New > Address.

2. Set Name to 192.168.20.0.

3. Leave Type as Subnet.

4. Set IP/Netmask to 192.168.20.0/24.

5. Click OK.

To add the RADIUS servers:

1. Go to User & Authentication > RADIUS Servers and click Create New.

2. Set Name to PrimarySecondary.

3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.

4. Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.

5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.

6. Under Secondary Server, set IP/Name to 192.168.2.71 and Secret to the shared secret configured on the RADIUS server.

7. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.

8. Click OK.

To configure the user group:

1. Go to User & Authentication > User Groups and click Create New.

2. In the Name field, enter PrimarySecondaryGroup.

3. In the Remote Groups area, click Add, and from the Remote Server dropdown, select PrimarySecondary.

4. Click OK, and then click OK again.

To configure the SSL VPN settings:

1. Go to VPN > SSL-VPN Settings.

2. From the Listen on Interface(s) dropdown, select port1.

3. In the Listen on Port field, enter 10443.

4. Optionally, from the Server Certificate dropdown, select the authentication certificate if you have one for this SSL VPN portal.

5. Under Authentication/Portal Mapping, set the default portal to web-access:

   a. Select All Other Users/Groups and click Edit.

   b. From the Portal dropdown, select web-access.

   c. Click OK.

6. Create a web portal for PrimarySecondaryGroup:

   a. Under Authentication/Portal Mapping, click Create New.

   b. Click Users/Groups and select PrimarySecondaryGroup.

   c. From the Portal dropdown, select full-access.

   d. Click OK.

To configure the SSL VPN firewall policy:

1. Go to Policy & Objects > Firewall Policy.

2. Click Create New to create a new policy, or double-click an existing policy to edit it, and configure the following settings:

   Name                 Enter a name for the policy.
   Incoming Interface   SSL-VPN tunnel interface (ssl.root)
   Outgoing Interface   Set to the local network interface so that the remote user can access the internal network. For this example, select port3.
   Source               In the Address tab, select SSLVPN_TUNNEL_ADDR1. In the User tab, select PrimarySecondaryGroup.
   Destination          Select the internal protected subnet 192.168.20.0.
   Schedule             always
   Service              All
   Action               Accept
   NAT                  Enable

3. Configure any remaining firewall and security options as required.

4. Click OK.

To configure SSL VPN using the CLI:

1. Configure the internal interface and firewall address:

    config system interface
        edit "port3"
            set vdom "root"
            set ip 192.168.20.5 255.255.255.0
            set alias "internal"
        next
    end
    config firewall address
        edit "192.168.20.0"
            set uuid cc41eec2-9645-51ea-d481-5c5317f865d0
            set subnet 192.168.20.0 255.255.255.0
        next
    end

2. Configure the RADIUS server with its primary and secondary addresses:

    config user radius
        edit "PrimarySecondary"
            set server "192.168.20.6"
            set secret <secret>
            set secondary-server "192.168.2.71"
            set secondary-secret <secret>
        next
    end

3. Add the RADIUS server to the user group:

    config user group
        edit "PrimarySecondaryGroup"
            set member "PrimarySecondary"
        next
    end

4. Configure the SSL VPN settings:

    config vpn ssl settings
        set servercert "server_certificate"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set source-interface "port1"
        set source-address "all"
        set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "PrimarySecondaryGroup"
                set portal "full-access"
            next
        end
    end

5. Configure one SSL VPN firewall policy to allow remote users to access the internal network:

    config firewall policy
        edit 1
            set name "sslvpn-radius"
            set srcintf "ssl.root"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "192.168.20.0"
            set groups "PrimarySecondaryGroup"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

To verify the connection:

User radkeith is a member of both the NPS server and the FAC server.

When the Primary server is up, the user connects to the SSL VPN tunnel using FortiClient:

# diagnose sniffer packet any 'port 1812' 4 0 l
interfaces=[any]
filters=[port 1812]
2020-05-15 16:26:50.838453 port3 out 192.168.20.5.2374 -> 192.168.20.6.1812: udp 118
2020-05-15 16:26:50.883166 port3 in 192.168.20.6.1812 -> 192.168.20.5.2374: udp 20
2020-05-15 16:26:50.883374 port3 out 192.168.20.5.2374 -> 192.168.20.6.1812: udp 182
2020-05-15 16:26:50.884683 port3 in 192.168.20.6.1812 -> 192.168.20.5.2374: udp 228

The access request is sent to the Primary NPS server 192.168.20.6, and the connection is successful.

# get vpn ssl monitor
SSL VPN Login Users:
 Index   User       Group                   Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       radkeith   PrimarySecondaryGroup   2(1)        285       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User       Group                   Source IP       Duration   I/O Bytes     Tunnel/Dest IP
 0       radkeith   PrimarySecondaryGroup   192.168.2.202   62         132477/4966   10.212.134.200

When the Primary server is down and the Secondary server is up, the connection to the SSL VPN tunnel is made again:

# diagnose sniffer packet any 'port 1812' 4 0 l
interfaces=[any]
filters=[port 1812]
2020-05-15 16:31:23.016875 port3 out 192.168.20.5.7989 -> 192.168.20.6.1812: udp 118
2020-05-15 16:31:28.019470 port3 out 192.168.20.5.7989 -> 192.168.20.6.1812: udp 118
2020-05-15 16:31:30.011874 port1 out 192.168.2.5.23848 -> 192.168.2.71.1812: udp 118
2020-05-15 16:31:30.087564 port1 in 192.168.2.71.1812 -> 192.168.2.5.23848: udp 20

The access request is sent to the Primary NPS server 192.168.20.6, but there is no response. RADIUS authentication falls through to the Secondary FortiAuthenticator 192.168.2.71, which accepts the authentication. The VPN connection is established.

# get vpn ssl monitor
SSL VPN Login Users:
 Index   User       Group                   Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       radkeith   PrimarySecondaryGroup   2(1)        287       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User       Group                   Source IP       Duration   I/O Bytes    Tunnel/Dest IP
 0       radkeith   PrimarySecondaryGroup   192.168.2.202   48         53544/4966   10.212.134.200
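An added example, not from the FortiOS guide: a small Python parser for the `diagnose sniffer packet any 'port 1812' 4 0 l` output shown above. It counts RADIUS requests and replies per server and reports whether the login was answered by the primary or fell through to the secondary, which is the distinction the two captures above illustrate. The capture text embedded below is the page's own output; the primary/secondary addresses passed to `classify`, the function names and the verdict strings are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Matches one packet line of `diagnose sniffer packet ... 4 0 l` output as printed on this page:
# "<date> <time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>"; trailing notes are ignored.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): udp (?P<len>\d+)"
)

RADIUS_AUTH_PORT = "1812"


@dataclass
class ServerStats:
    requests: int = 0   # packets the FortiGate sent to the server's port 1812
    responses: int = 0  # packets the server's port 1812 sent back


def parse_line(line):
    """Return the packet fields as a dict, or None for header lines such as filters=[...]."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(capture, primary, secondary):
    """Count per-server traffic and say which RADIUS server answered the login.

    primary/secondary are the server IPs; they are supplied by the caller (assumption)."""
    stats = {primary: ServerStats(), secondary: ServerStats()}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dir"] == "out" and pkt["dport"] == RADIUS_AUTH_PORT and pkt["dst"] in stats:
            stats[pkt["dst"]].requests += 1
        elif pkt["dir"] == "in" and pkt["sport"] == RADIUS_AUTH_PORT and pkt["src"] in stats:
            stats[pkt["src"]].responses += 1
    p, s = stats[primary], stats[secondary]
    if p.responses:
        verdict = "primary-answered"
    elif p.requests and s.responses:
        verdict = "failover-to-secondary"   # primary was retried without a reply, secondary replied
    elif p.requests or s.requests:
        verdict = "no-response"
    else:
        verdict = "no-radius-traffic"
    return {"verdict": verdict, "primary": p, "secondary": s}


# The two captures from this page (primary NPS 192.168.20.6, secondary FortiAuthenticator 192.168.2.71).
PRIMARY_UP = """\
interfaces=[any]
filters=[port 1812]
2020-05-15 16:26:50.838453 port3 out 192.168.20.5.2374 -> 192.168.20.6.1812: udp 118
2020-05-15 16:26:50.883166 port3 in 192.168.20.6.1812 -> 192.168.20.5.2374: udp 20
2020-05-15 16:26:50.883374 port3 out 192.168.20.5.2374 -> 192.168.20.6.1812: udp 182
2020-05-15 16:26:50.884683 port3 in 192.168.20.6.1812 -> 192.168.20.5.2374: udp 228
"""

PRIMARY_DOWN = """\
interfaces=[any]
filters=[port 1812]
2020-05-15 16:31:23.016875 port3 out 192.168.20.5.7989 -> 192.168.20.6.1812: udp 118
2020-05-15 16:31:28.019470 port3 out 192.168.20.5.7989 -> 192.168.20.6.1812: udp 118
2020-05-15 16:31:30.011874 port1 out 192.168.2.5.23848 -> 192.168.2.71.1812: udp 118
2020-05-15 16:31:30.087564 port1 in 192.168.2.71.1812 -> 192.168.2.5.23848: udp 20
"""

if __name__ == "__main__":
    for name, cap in (("primary up", PRIMARY_UP), ("primary down", PRIMARY_DOWN)):
        print(name, classify(cap, "192.168.20.6", "192.168.2.71")["verdict"])
```

On a live FortiGate, a run of "failover-to-secondary" verdicts means the primary RADIUS server is silently unreachable while logins still succeed, so the condition is easy to miss without this kind of check; it is worth surfacing as an alert rather than discovering it when the secondary also fails.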

Authenticating to two RADIUS servers concurrently

There are times when users are located on separate RADIUS servers, for example while migrating from an old server to a new one. In this scenario, a Windows NPS server and a FortiAuthenticator are configured in the same user group. The access-request is sent to both servers concurrently. If the FortiGate receives an access-accept from either server, authentication is successful.

To configure the internal and external interfaces:

1. Go to Network > Interfaces.

2. Edit the port1 interface and set IP/Network Mask to 192.168.2.5/24.

3. Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.

4. Click OK.

To create a firewall address:

1. Go to Policy & Objects > Addresses and click Create New > Address.

2. Set Name to 192.168.20.0.

3. Leave Type as Subnet.

4. Set IP/Netmask to 192.168.20.0/24.

5. Click OK.

To configure the first RADIUS server:

1. Go to User & Authentication > RADIUS Servers and click Create New.

2. Set Name to win2k16.

3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.

4. Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.

5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.

6. Click OK.

To configure the second RADIUS server:

1. Go to User & Authentication > RADIUS Servers and click Create New.

2. Set Name to fac.

3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.

4. Under Primary Server, set IP/Name to 192.168.2.71 and Secret to the shared secret configured on the RADIUS server.

5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.

6. Click OK.

To configure the user group:

1. Go to User & Authentication > User Groups and click Create New.

2. In the Name field, enter dualPrimaryGroup.

3. In the Remote Groups area, click Add, and from the Remote Server dropdown, select fac.

4. Click Add again. From the Remote Server dropdown, select win2k16 and click OK.

5. Click OK, and then click OK again.

To configure the SSL VPN settings:

1. Go to VPN > SSL-VPN Settings.

2. From the Listen on Interface(s) dropdown, select port1.

3. In the Listen on Port field, enter 10443.

4. Optionally, from the Server Certificate dropdown, select the authentication certificate if you have one for this SSL VPN portal.

5. Under Authentication/Portal Mapping, set the default portal to web-access:

   a. Select All Other Users/Groups and click Edit.

   b. From the Portal dropdown, select web-access.

   c. Click OK.

6. Create a web portal for PrimarySecondaryGroup:

   a. Under Authentication/Portal Mapping, click Create New.

   b. Click Users/Groups and select dualPrimaryGroup.

   c. From the Portal dropdown, select full-access.

   d. Click OK.

To configure the SSL VPN firewall policy:

1. Go to Policy & Objects > Firewall Policy.

2. Click Create New to create a new policy, or double-click an existing policy to edit it, and configure the following settings:

   Name                 Enter a name for the policy.
   Incoming Interface   SSL-VPN tunnel interface (ssl.root)
   Outgoing Interface   Set to the local network interface so that the remote user can access the internal network. For this example, select port3.
   Source               In the Address tab, select SSLVPN_TUNNEL_ADDR1. In the User tab, select dualPrimaryGroup.
   Destination          Select the internal protected subnet 192.168.20.0.
   Schedule             always
   Service              All
   Action               Accept
   NAT                  Enable

3. Configure any remaining firewall and security options as required.

4. Click OK.

To configure SSL VPN using the CLI:

1. Configure the internal interface and firewall address:

    config system interface
        edit "port3"
            set vdom "root"
            set ip 192.168.20.5 255.255.255.0
            set alias "internal"
        next
    end
    config firewall address
        edit "192.168.20.0"
            set uuid cc41eec2-9645-51ea-d481-5c5317f865d0
            set subnet 192.168.20.0 255.255.255.0
        next
    end

2. Configure the two RADIUS servers:

    config user radius
        edit "win2k16"
            set server "192.168.20.6"
            set secret <secret>
        next
        edit "fac"
            set server "192.168.2.71"
            set secret <secret>
        next
    end

3. Add both RADIUS servers to the user group:

    config user group
        edit "dualPrimaryGroup"
            set member "win2k16" "fac"
        next
    end

4. Configure the SSL VPN settings:

    config vpn ssl settings
        set servercert "server_certificate"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set source-interface "port1"
        set source-address "all"
        set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "dualPrimaryGroup"
                set portal "full-access"
            next
        end
    end

5. Configure one SSL VPN firewall policy to allow remote users to access the internal network:

    config firewall policy
        edit 1
            set name "sslvpn-radius"
            set srcintf "ssl.root"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "192.168.20.0"
            set groups "dualPrimaryGroup"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

To verify the connection:

User fackeith is a member of the FortiAuthenticator server only.

User radkeith is a member of both the NPS server and the FortiAuthenticator server, but has different passwords on each server.

Case 1: Connect to the SSL VPN tunnel using FortiClient with user FacAdmin:

# diagnose sniffer packet any 'port 1812' 4 0 l
interfaces=[any]
filters=[port 1812]
2020-05-15 17:21:31.217985 port3 out 192.168.20.5.11490 -> 192.168.20.6.1812: udp 118
2020-05-15 17:21:31.218091 port1 out 192.168.2.5.11490 -> 192.168.2.71.1812: udp 118
2020-05-15 17:21:31.219314 port3 in 192.168.20.6.1812 -> 192.168.20.5.11490: udp 20 <-- access-reject
2020-05-15 17:21:31.219519 port3 out 192.168.20.5.11490 -> 192.168.20.6.1812: udp 182
2020-05-15 17:21:31.220219 port3 in 192.168.20.6.1812 -> 192.168.20.5.11490: udp 42
2020-05-15 17:21:31.220325 port3 out 192.168.20.5.11490 -> 192.168.20.6.1812: udp 119
2020-05-15 17:21:31.220801 port3 in 192.168.20.6.1812 -> 192.168.20.5.11490: udp 20
2020-05-15 17:21:31.236009 port1 in 192.168.2.71.1812 -> 192.168.2.5.11490: udp 20 <-- access-accept

Access is denied by the NPS server because the user does not exist there. However, access is accepted by FortiAuthenticator, so the end result is that authentication is successful.

# get vpn ssl monitor
SSL VPN Login Users:
 Index   User       Group              Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       fackeith   dualPrimaryGroup   2(1)        292       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User       Group              Source IP       Duration   I/O Bytes    Tunnel/Dest IP
 0       fackeith   dualPrimaryGroup   192.168.2.202   149        70236/4966   10.212.134.200

Case 2: Connect to the SSL VPN tunnel using FortiClient with user radkeith:

# diagnose sniffer packet any 'port 1812' 4 0 l
interfaces=[any]
filters=[port 1812]
2020-05-15 17:26:07.335791 port1 out 192.168.2.5.17988 -> 192.168.2.71.1812: udp 118
2020-05-15 17:26:07.335911 port3 out 192.168.20.5.17988 -> 192.168.20.6.1812: udp 118
2020-05-15 17:26:07.337659 port3 in 192.168.20.6.1812 -> 192.168.20.5.17988: udp 20 <-- access-accept
2020-05-15 17:26:07.337914 port3 out 192.168.20.5.17988 -> 192.168.20.6.1812: udp 182
2020-05-15 17:26:07.339451 port3 in 192.168.20.6.1812 -> 192.168.20.5.17988: udp 228
2020-05-15 17:26:08.352597 port1 in 192.168.2.71.1812 -> 192.168.2.5.17988: udp 20 <-- access-reject

There is a password mismatch for this user on the second RADIUS server. However, even though the authentication was rejected by FortiAuthenticator, it was accepted by Windows NPS. Therefore, the end result is that authentication is successful.

# get vpn ssl monitor
SSL VPN Login Users:
 Index   User       Group              Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       radkeith   dualPrimaryGroup   2(1)        290       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User       Group              Source IP       Duration   I/O Bytes    Tunnel/Dest IP
 0       radkeith   dualPrimaryGroup   192.168.2.202   142        64875/4966   10.212.134.200
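An added example, not from the FortiOS guide, that models the two RADIUS arrangements on this page so the outcomes of the captures above can be reproduced offline: the primary/secondary pair from the previous scenario (secondary consulted only when the primary does not answer) and the two servers in one user group from this scenario (request sent to both, any access-accept wins). The server names, user names, passwords and verdict strings are constructed for the example; that the sequential mode does not fall through on an access-reject is this example's assumption, since the page only shows it falling through on a timeout.

```python
from dataclasses import dataclass

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"


@dataclass
class RadiusServer:
    name: str
    users: dict          # username -> password (constructed sample data)
    up: bool = True

    def access_request(self, user, password):
        """Stand-in for one RADIUS Access-Request/response round trip."""
        if not self.up:
            return TIMEOUT   # a down server never answers; the FortiGate times out
        return ACCEPT if self.users.get(user) == password else REJECT


def auth_failover(primary, secondary, user, password):
    """Primary/secondary pair (one 'config user radius' entry with secondary-server):
    the secondary is consulted only when the primary does not answer.
    Falling through on a timeout is what the page shows; not falling through
    on a reject is this example's assumption."""
    verdict = primary.access_request(user, password)
    if verdict == TIMEOUT:
        return secondary.access_request(user, password), secondary.name
    return verdict, primary.name


def auth_concurrent(servers, user, password):
    """Two servers in one user group: the request goes to all of them and an
    Access-Accept from any one of them makes the login succeed."""
    verdicts = {s.name: s.access_request(user, password) for s in servers}
    accepted_by = [name for name, v in verdicts.items() if v == ACCEPT]
    return (ACCEPT if accepted_by else REJECT), accepted_by, verdicts


def accepted_passwords(servers, user, candidates):
    """Every candidate password that opens the VPN for `user` in concurrent mode:
    the accepted set is the union of what each server holds for that user."""
    return sorted(pw for pw in candidates if auth_concurrent(servers, user, pw)[0] == ACCEPT)


def build_lab():
    """Constructed servers mirroring the page: NPS knows radkeith; FortiAuthenticator
    knows fackeith and radkeith, the latter with a different password than on NPS."""
    nps = RadiusServer("nps-192.168.20.6", {"radkeith": "nps-pw"})
    fac = RadiusServer("fac-192.168.2.71", {"radkeith": "fac-pw", "fackeith": "fac-pw2"})
    return nps, fac


if __name__ == "__main__":
    nps, fac = build_lab()
    print("failover, primary up:  ", auth_failover(nps, fac, "radkeith", "nps-pw"))
    nps.up = False
    print("failover, primary down:", auth_failover(nps, fac, "radkeith", "fac-pw"))
    nps.up = True
    print("concurrent, fackeith:  ", auth_concurrent([nps, fac], "fackeith", "fac-pw2")[:2])
    print("concurrent, radkeith:  ", auth_concurrent([nps, fac], "radkeith", "nps-pw")[:2])
    print("radkeith passwords accepted concurrently:",
          accepted_passwords([nps, fac], "radkeith", ["nps-pw", "fac-pw", "wrong"]))
```

The `accepted_passwords` helper makes the migration-window caveat explicit: while a user exists on both servers of a concurrently queried group, either server's password for that user opens the VPN, so an account that was disabled or left with an old password on the server being retired keeps working until that server is removed from the group.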
