3. Add a new connection:
a. Set the connection name.
b. Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
c. Select Customize Port and set it to 10443.
4. Save your settings.
5. Log in using the sslvpnuser1 credentials and click FTM Push.
The FortiGate pushes a login request notification through the FortiToken mobile application.
6. Check your mobile device and select Approve.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.
To check the SSL VPN connection using the GUI:
1. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
(A web portal login has no tunnel session, so the sessions table is empty.)
To check the tunnel login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpnuser1   10.1.100.254   9          22099/43228   10.212.134.200
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.
To configure FortiAuthenticator using the GUI:
1. Create a user on the FortiAuthenticator.
a. On the FortiAuthenticator, go to Authentication > User Management > Local Users to create a user sslvpnuser1.
b. Enable Allow RADIUS authentication and click OK to access additional settings.
c. Go to Authentication > User Management > User Groups to create a group sslvpngroup.
d. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
2. Create the RADIUS client (FortiGate) on the FortiAuthenticator.
a. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients to add the FortiGate as a RADIUS client (OfficeServer).
b. Enter the FortiGate IP address and set a Secret.
The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator.
c. Set Realms to local | Local users.
To configure SSL VPN using the GUI:
1. Configure the interface and firewall address. The port1 interface connects to the internal network.
a. Go to Network > Interfaces and edit the wan1 interface.
b. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
c. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
d. Click OK.
e. Go to Policy & Objects > Addresses and create an address for the internal subnet 192.168.1.0.
2. Create a RADIUS user and user group.
a. On the FortiGate, go to User & Authentication > RADIUS Servers to create a user to connect to the RADIUS server (FortiAuthenticator).
b. For Name, use FAC-RADIUS.
c. Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
d. Click Test Connectivity to ensure you can connect to the RADIUS server.
e. Select Test User Credentials and enter the credentials for sslvpnuser1.
The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.
f. Go to User & Authentication > User Groups and click Create New to map authenticated remote users to a user group on the FortiGate.
g. For Name, use SSLVPNGroup.
h. In Remote Groups, click Add.
i. In the Remote Server dropdown list, select FAC-RADIUS.
j. Leave the Groups field blank.
3. Configure the SSL VPN web portal.
a. Go to VPN > SSL-VPN Portals to edit the full-access portal.
This portal supports both web and tunnel mode.
b. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
4. Configure SSL VPN settings.
a. Go to VPN > SSL-VPN Settings.
b. Select the Listen on Interface(s), in this example, wan1.
c. Set Listen on Port to 10443.
d. Set Server Certificate to the authentication certificate.
e. Under Authentication/Portal Mapping, set the default Portal web-access for All Other Users/Groups.
f. Create a new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
5. Configure the SSL VPN firewall policy.
a. Go to Policy & Objects > Firewall Policy.
b. Fill in the firewall policy name. In this example, sslvpn certificate auth.
c. Incoming Interface must be SSL-VPN tunnel interface (ssl.root).
d. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
e. Set the Source > Address to all and Source > User to sslvpngroup.
f. Set Destination > Address to the internal protected subnet 192.168.1.0.
g. Set Schedule to always, Service to ALL, and Action to Accept.
h. Enable NAT.
i. Configure the remaining options as required.
j. Click OK.
To configure SSL VPN using the CLI:
1. Configure the interface and firewall address.
config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end
2. Configure the internal interface and protected subnet, then connect the port1 interface to the internal network.
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end
config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end
3. Create a RADIUS user and user group.
config user radius
    edit "FAC-RADIUS"
        set server "172.20.120.161"
        set secret <FAC client secret>
    next
end
config user group
    edit "sslvpngroup"
        set member "FAC-RADIUS"
    next
end
4. Configure the SSL VPN web portal.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end
5. Configure SSL VPN settings.
config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end
6. Configure one SSL VPN firewall policy to allow the remote user to access the internal network.
config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
To see the results of the web portal:
1. From a remote device, use a web browser to log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1 credentials.
3. On the FortiGate, go to Dashboard > Network and expand the SSL-VPN widget to verify the user’s connection.
To see the results of the tunnel connection:
1. Download FortiClient from www.forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection.
a. Set the connection name.
b. Set Remote Gateway to 172.20.120.123.
4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Log in using the sslvpnuser1 credentials and check that you are logged into the SSL VPN tunnel.
To check the SSL VPN connection using the GUI:
1. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
(A web portal login has no tunnel session, so the sessions table is empty.)
To check the tunnel login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpnuser1   10.1.100.254   9          22099/43228   10.212.134.200
SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator
This is a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server and FortiToken mobile push two-factor authentication. If you enable push notifications, users can accept or deny the authentication request.
Sample topology
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.
To configure FortiAuthenticator using the GUI:
1. On the FortiAuthenticator, go to System > Administration > System Access and configure a Public IP/FQDN for FortiToken Mobile. If the FortiAuthenticator is behind a firewall, the public IP/FQDN will be an IP/port forwarding rule directed to one of the FortiAuthenticator interfaces. The interface that receives the approve/deny FTM push responses must have the FortiToken Mobile API service enabled.
2. Add a FortiToken mobile license on the FortiAuthenticator:
a. Go to Authentication > User Management > FortiTokens.
b. Click Create New.
c. Set Token type to FortiToken Mobile and enter the FortiToken Activation codes.
3. Create the RADIUS client (FortiGate) on the FortiAuthenticator:
a. Go to Authentication > RADIUS Service > Clients to add the FortiGate as a RADIUS client (OfficeServer).
b. Enter the FortiGate IP address and set a Secret.
The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator.
c. Set Authentication method to Enforce two-factor authentication.
d. Select Enable FortiToken Mobile push notifications authentication.
e. Set Realms to local | Local users.
4. Create a user and assign FortiToken mobile to the user on the FortiAuthenticator:
a. Go to Authentication > User Management > Local Users to create a user sslvpnuser1.
b. Enable Allow RADIUS authentication and click OK to access additional settings.
c. Enable Token-based authentication and select to deliver the token code by FortiToken.
d. Select the FortiToken added from the FortiToken Mobile dropdown menu.
e. Set Delivery method to Email and fill in the User Information section.
f. Go to Authentication > User Management > User Groups to create a group sslvpngroup.
g. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
5. Install the FortiToken mobile application on your Android or iOS smartphone.
The FortiAuthenticator sends the FortiToken mobile activation to the user’s email address.
6. Activate the FortiToken mobile through the FortiToken mobile application by entering the activation code or scanning the QR code.
To configure SSL VPN using the GUI:
1. Configure the interface and firewall address. The port1 interface connects to the internal network.
a. Go to Network > Interfaces and edit the wan1 interface.
b. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
c. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
d. Click OK.
e. Go to Policy & Objects > Addresses and create an address for the internal subnet 192.168.1.0.
2. Create a RADIUS user and user group:
a. On the FortiGate, go to User & Authentication > RADIUS Servers to create a user to connect to the RADIUS server (FortiAuthenticator).
b. For Name, use FAC-RADIUS.
c. Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
d. Click Test Connectivity to ensure you can connect to the RADIUS server.
e. Select Test User Credentials and enter the credentials for sslvpnuser1.
The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.
f. Go to User & Authentication > User Groups and click Create New to map authenticated remote users to a user group on the FortiGate.
g. For Name, use SSLVPNGroup.
h. In Remote Groups, click Add.
i. In the Remote Server dropdown list, select FAC-RADIUS.
j. Leave the Groups field blank.
3. Configure the SSL VPN web portal:
a. Go to VPN > SSL-VPN Portals to edit the full-access portal.
This portal supports both web and tunnel mode.
b. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
4. Configure SSL VPN settings:
a. Go to VPN > SSL-VPN Settings.
b. Select the Listen on Interface(s), in this example, wan1.
c. Set Listen on Port to 10443.
d. Set Server Certificate to the authentication certificate.
e. Under Authentication/Portal Mapping, set the default Portal web-access for All Other Users/Groups.
f. Create a new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
5. Configure the SSL VPN firewall policy:
a. Go to Policy & Objects > Firewall Policy.
b. Fill in the firewall policy name. In this example, sslvpn certificate auth.
c. Incoming Interface must be SSL-VPN tunnel interface (ssl.root).
d. Set the Source Address to all and Source User to sslvpngroup.
e. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
f. Set Destination Address to the internal protected subnet 192.168.1.0.
g. Set Schedule to always, Service to ALL, and Action to Accept.
h. Enable NAT.
i. Configure any remaining firewall and security options as desired.
j. Click OK.
To configure SSL VPN using the CLI:
1. Configure the interface and firewall address:
config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end
2. Configure the internal interface and protected subnet, then connect the port1 interface to the internal network:
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end
config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end
3. Create a RADIUS user and user group:
config user radius
    edit "FAC-RADIUS"
        set server "172.20.120.161"
        set secret <FAC client secret>
    next
end
config user group
    edit "sslvpngroup"
        set member "FAC-RADIUS"
    next
end
4. Configure the SSL VPN web portal:
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end
5. Configure SSL VPN settings:
config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end
6. Configure one SSL VPN firewall policy to allow the remote user to access the internal network:
config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
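Steps 4 to 6 of the CLI procedure carry three access-control decisions worth checking on a live box: split tunneling is disabled on the tunnel portal, the authentication rule binds sslvpngroup to full-access while All Other Users/Groups fall through to web-access, and the ssl.root policy is restricted to the group. The following is an added example, not a Fortinet tool, that parses the config/edit/set/next/end subset used on this page and reports when any of those points is undone. The configuration text is constructed from the page's own CLI steps, and the weakened variant is constructed to show the findings.

```python
import shlex

# Constructed from the page's CLI steps 4 to 6 (straight quotes), used as input.
PAGE_CONFIG = """
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end
config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""

# Constructed weakened variant: split tunneling re-enabled and the group
# bindings removed from both the authentication rule and the policy.
WEAK_CONFIG = "\n".join(
    line for line in PAGE_CONFIG.replace("split-tunneling disable", "split-tunneling enable").splitlines()
    if "sslvpngroup" not in line)


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config X' and 'edit N' open a
    level, 'set k v...' stores the value list, 'next'/'end' close a level."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = shlex.split(raw)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def first(node, key, default=""):
    """First value of a 'set' entry, or the default when the key is absent."""
    return node.get(key, [default])[0]


def audit_sslvpn(cfg):
    """Return findings for the hardening points made in the page's procedure."""
    findings = []
    settings = cfg.get("vpn ssl settings", {})
    portals = cfg.get("vpn ssl web portal", {})
    policies = cfg.get("firewall policy", {})

    # A tunnel-mode portal should explicitly disable split tunneling so all
    # remote traffic traverses the FortiGate and its policies (page step 4).
    for name, portal in portals.items():
        if first(portal, "tunnel-mode") == "enable" and first(portal, "split-tunneling") != "disable":
            findings.append(f"portal {name}: split-tunneling not disabled")

    # An authentication rule with neither groups nor users matches everyone.
    for rule_id, rule in settings.get("authentication-rule", {}).items():
        if not rule.get("groups") and not rule.get("users"):
            findings.append(f"authentication-rule {rule_id}: no groups/users, matches all users")

    # The fall-through default portal should not itself grant tunnel mode.
    default_portal = first(settings, "default-portal")
    if first(portals.get(default_portal, {}), "tunnel-mode") == "enable":
        findings.append(f"default portal {default_portal}: grants tunnel mode to all other users")

    # Accept policies from ssl.root should be scoped to the SSL VPN group (page step 6).
    for pid, pol in policies.items():
        if "ssl.root" in pol.get("srcintf", []) and first(pol, "action") == "accept":
            if not pol.get("groups") and not pol.get("users"):
                findings.append(f"firewall policy {pid}: ssl.root policy has no groups/users restriction")
    return findings
```

Run against the page's configuration the audit returns no findings; against the weakened variant it reports the portal, the authentication rule and the policy. The parser deliberately covers only the keywords on this page (no unset, no multi-line values), which is enough for a show output of these three tables.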
To see the results of the web portal:
1. From a remote device, use a web browser to log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1 credentials.
The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.
3. Check your mobile device and select Approve.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.
4. On the FortiGate, go to Dashboard > Network and expand the SSL-VPN widget to verify the user’s connection.
To see the results of the tunnel connection:
1. Download FortiClient from www.forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection:
a. Set the connection name.
b. Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
c. Select Customize Port and set it to 10443.
4. Save your settings.
5. Log in using the sslvpnuser1 credentials and click FTM Push.
The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.
6. Check your mobile device and select Approve.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.
To check the SSL VPN connection using the GUI:
1. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
(A web portal login has no tunnel session, so the sessions table is empty.)
To check the tunnel login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpnuser1   10.1.100.254   9          22099/43228   10.212.134.200
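The get vpn ssl monitor output shown above (and the same check in the earlier sections) is the quickest place to confirm who is connected, in which mode, from where, and how much has moved through the tunnel. The following is an added example, not a Fortinet tool, that parses both tables as printed on the page and turns them into a per-user summary with simple alerts: a tunnel session from a source outside the networks the operator expects clients to come from, or a tunnel address outside the pool. The two captures are constructed from the page's output, the third (a session from 203.0.113.9) is constructed to trigger an alert, and the expected client network and pool bounds are assumptions passed in by the caller.

```python
import ipaddress

# Constructed from the page: a web portal login (sessions table empty) and a
# tunnel login. Whitespace-separated columns as 'get vpn ssl monitor' prints them.
WEB_LOGIN = """\
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        229       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
"""

TUNNEL_LOGIN = """\
SSL VPN Login Users:
 Index   User          Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       sslvpnuser1   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User          Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       sslvpnuser1   10.1.100.254   9          22099/43228   10.212.134.200
"""

# Constructed: an extra session for the same user from an unexpected source.
UNEXPECTED_LOGIN = TUNNEL_LOGIN + (
    " 1       sslvpnuser1   203.0.113.9    3          120/80        10.212.134.201\n")


def parse_ssl_monitor(text):
    """Split the output into its two tables and return (login_users, sessions)."""
    section, users, sessions = None, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("SSL VPN Login Users"):
            section = "users"
            continue
        if line.startswith("SSL VPN sessions"):
            section = "sessions"
            continue
        if line.startswith("Index"):       # column header row
            continue
        fields = line.split()
        if section == "users" and len(fields) == 7:
            users.append({"index": int(fields[0]), "user": fields[1], "auth_type": fields[2],
                          "timeout": int(fields[3]), "from": fields[4],
                          "http": fields[5], "https": fields[6]})
        elif section == "sessions" and len(fields) == 6:
            bytes_in, bytes_out = (int(v) for v in fields[4].split("/"))
            sessions.append({"index": int(fields[0]), "user": fields[1], "source": fields[2],
                             "duration": int(fields[3]), "bytes_in": bytes_in,
                             "bytes_out": bytes_out, "tunnel_ip": fields[5]})
    return users, sessions


def review_sessions(text, expected_client_nets, pool_start, pool_end):
    """Per-user summary: mode ('web' until a tunnel session exists), sessions,
    and alerts for unexpected sources or tunnel addresses outside the pool."""
    users, sessions = parse_ssl_monitor(text)
    nets = [ipaddress.ip_network(n) for n in expected_client_nets]
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    report = {u["user"]: {"mode": "web", "from": u["from"], "sessions": [], "alerts": []}
              for u in users}
    for s in sessions:
        entry = report.setdefault(s["user"], {"mode": "web", "from": s["source"],
                                              "sessions": [], "alerts": []})
        entry["mode"] = "tunnel"
        entry["sessions"].append(s)
        src = ipaddress.ip_address(s["source"])
        if not any(src in n for n in nets):
            entry["alerts"].append(f"tunnel session from unexpected source {s['source']}")
        tip = ipaddress.ip_address(s["tunnel_ip"])
        if not (lo <= tip <= hi):
            entry["alerts"].append(f"tunnel address {s['tunnel_ip']} outside pool")
    return report


if __name__ == "__main__":
    # Assumed values: clients come from 10.1.100.0/24, pool is .200 to .210 (labelled assumptions).
    for name, capture in (("web", WEB_LOGIN), ("tunnel", TUNNEL_LOGIN), ("odd", UNEXPECTED_LOGIN)):
        print(name, review_sessions(capture, ["10.1.100.0/24"], "10.212.134.200", "10.212.134.210"))
```

A web-only login appears in the first table with no matching session, which is what the page's web portal check shows; the tunnel check adds a session row that carries the client source, duration, byte counts and the address handed out from the pool. Feeding periodic captures through review_sessions is enough to spot a tunnel that lands from an unexpected network without waiting for the forward-traffic logs.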