6. Log in using the test1 credentials.
You are prompted to enter a new password.
To check the SSL VPN connection using the GUI:
1. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user's connection.
2. Go to Log & Report > System Events and select the VPN Events card to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the web portal login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       test1   1(1)        229       10.1.100.254   0/0           0/0
SSL VPN sessions:
 Index   User    Source IP   Duration   I/O Bytes   Tunnel/Dest IP
To check the tunnel login using the CLI:
get vpn ssl monitor
SSL VPN Login Users:
 Index   User    Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       test1   1(1)        291       10.1.100.254   0/0           0/0
SSL VPN sessions:
 Index   User    Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       test1   10.1.100.254   9          22099/43228   10.212.134.200
Configure SSL-VPN with RADIUS on Windows NPS in the GUI
To configure the internal and external interfaces:
1. Go to Network > Interfaces.
2. Edit the port1 interface and set IP/Network Mask to 192.168.2.5/24.
3. Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.
4. Click OK.
To create a firewall address:
1. Go to Policy & Objects > Addresses and click Create New > Address.
2. Set Name to 192.168.20.0.
3. Leave Type as Subnet.
4. Set IP/Netmask to 192.168.20.0/24.
5. Click OK.
To add the RADIUS server:
1. Go to User & Authentication > RADIUS Servers and click Create New.
2. Set Name to rad-server.
3. Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.
4. Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.
5. Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
6. Optionally, click Test User Credentials to test user credentials. Testing from the GUI is limited to PAP.
7. Click OK.
To configure a user group:
1. Go to User & Authentication > User Groups and click Create New.
2. Set Name to rad-group.
3. Under Remote Groups, click Add and add the rad-server.
4. Click OK.
To configure SSL VPN settings:
1. Go to VPN > SSL-VPN Settings.
2. Select the Listen on Interface(s), in this example, port1.
3. Set Listen on Port to 10443.
4. If you have a server certificate, set Server Certificate to the authentication certificate.
5. Under Authentication/Portal Mapping:
a. Edit All Other Users/Groups and set Portal to web-access.
b. Click Create New and create a mapping for the rad-group user group with Portal set to full-access.
c. Click OK.
6. Click Apply.
To configure an SSL VPN firewall policy:
1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Set the policy name, in this example, sslvpn-radius.
3. Set Incoming Interface to SSL-VPN tunnel interface (ssl.root).
4. Set Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example, port2.
5. Set Source > Address to all and Source > User to rad-group.
6. Set Destination > Address to the internal protected subnet 192.168.20.0.
7. Set Schedule to always, Service to ALL, and Action to Accept.
8. Enable NAT.
9. Configure the remaining options as required.
10. Click OK.
Configure SSL-VPN with RADIUS on Windows NPS in the CLI
To configure SSL VPN using the CLI:
1. Configure the internal and external interfaces:
   config system interface
       edit "port1"
           set vdom "root"
           set ip 192.168.2.5 255.255.255.0
           set alias internal
       next
       edit "port2"
           set vdom "root"
           set ip 192.168.20.5 255.255.255.0
           set alias external
       next
   end
2. Configure the firewall address:
   config firewall address
       edit "192.168.20.0"
           set subnet 192.168.20.0 255.255.255.0
       next
   end
3. Add the RADIUS server:
   config user radius
       edit "rad-server"
           set server "192.168.20.6"
           set secret *********
       next
   end
4. Create a user group and add the RADIUS server to it:
   config user group
       edit "rad-group"
           set member "rad-server"
       next
   end
5. Configure SSL VPN settings:
   config vpn ssl settings
       set servercert "server_certificate"
       set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
       set source-interface "port1"
       set source-address "all"
       set default-portal "web-access"
       config authentication-rule
           edit 1
               set groups "rad-group"
               set portal "full-access"
           next
       end
   end
6. Configure an SSL VPN firewall policy to allow remote users to access the internal network:
   config firewall policy
       edit 1
           set name "sslvpn-radius"
           set srcintf "ssl.root"
           set dstintf "port2"
           set srcaddr "all"
           set dstaddr "192.168.20.0"
           set groups "rad-group"
           set action accept
           set schedule "always"
           set service "ALL"
           set nat enable
       next
   end
Results
To connect with FortiClient in tunnel mode:
1. Download FortiClient from www.forticlient.com.
2. Open the FortiClient Console and go to Remote Access > Configure VPN.
3. Add a new connection:
a. Set the connection name.
b. Set Remote Gateway to 192.168.2.5.
c. Select Customize Port and set it to 10443.
4. Save your settings.
5. Log in using the RADIUS user credentials.
To check the SSL VPN connection using the GUI:
1. Go to Dashboard > Network and expand the SSL-VPN widget to verify the user's connection.
2. Go to Log & Report > System Events and select the VPN Events card to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User       Group       Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       radkeith   rad-group   2(1)        295       192.168.2.202   0/0           0/0
SSL VPN sessions:
 Index   User       Group       Source IP       Duration   I/O Bytes    Tunnel/Dest IP
 0       radkeith   rad-group   192.168.2.202   18         28502/4966   10.212.134.200
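The `get vpn ssl monitor` output shown in both Results sections (the local test1 user and the RADIUS user) is tabular and easy to script against. As an added example that is not part of the cookbook or of FortiOS, the Python below parses both table layouts (with and without the Group column, which is an assumption about how builds differ) into records and then flags login users whose source address is outside the networks an administrator expects; the sample output is constructed from the RADIUS-user result on this page.

```python
"""Parse FortiGate 'get vpn ssl monitor' output and flag logins from outside expected networks."""
import ipaddress

# Columns FortiOS prints, in order; some outputs omit "Group", so match by header text (assumption).
LOGIN_COLS = ["Index", "User", "Group", "Auth Type", "Timeout", "From", "HTTP in/out", "HTTPS in/out"]
SESSION_COLS = ["Index", "User", "Group", "Source IP", "Duration", "I/O Bytes", "Tunnel/Dest IP"]
INT_COLS = {"Index", "Timeout", "Duration"}

def _rows(lines, cols):
    """Map whitespace-separated data rows onto cols; stop at the first line that does not fit."""
    out = []
    for line in lines:
        tokens = line.split()
        if len(tokens) != len(cols):
            break  # table ended (an empty sessions table is normal for a web-portal login)
        row = dict(zip(cols, tokens))
        for c in INT_COLS & set(cols):
            row[c] = int(row[c])
        out.append(row)
    return out

def parse_ssl_monitor(text):
    """Return {'login_users': [...], 'sessions': [...]} parsed from the command output."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    result = {"login_users": [], "sessions": []}
    for key, marker, cols in (("login_users", "SSL VPN Login Users", LOGIN_COLS),
                              ("sessions", "SSL VPN sessions", SESSION_COLS)):
        for i, line in enumerate(lines):
            if line.startswith(marker):
                present = [c for c in cols if c in lines[i + 1]]  # the header line decides the layout
                result[key] = _rows(lines[i + 2:], present)
                break
    return result

def logins_outside(monitor, allowed_nets):
    """Usernames whose 'From' address is not inside any of the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [u["User"] for u in monitor["login_users"]
            if not any(ipaddress.ip_address(u["From"]) in n for n in nets)]

# Constructed sample, modelled on the RADIUS-user output shown on this page.
SAMPLE = """# get vpn ssl monitor
SSL VPN Login Users:
 Index  User      Group      Auth Type  Timeout  From           HTTP in/out  HTTPS in/out
 0      radkeith  rad-group  2(1)       295      192.168.2.202  0/0          0/0
SSL VPN sessions:
 Index  User      Group      Source IP      Duration  I/O Bytes   Tunnel/Dest IP
 0      radkeith  rad-group  192.168.2.202  18        28502/4966  10.212.134.200
"""
```

Calling `logins_outside(parse_ssl_monitor(SAMPLE), ["192.168.2.0/24"])` returns an empty list for this sample; any user whose From address falls outside the listed networks would be returned by name.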