Fortinet black logo

RADIUS Interoperability Guide

Home FortiAuthenticator 6.2.0 RADIUS Interoperability Guide
6.2.0
6.4.0
6.3.0
6.2.0
6.1.0

Configuring authentication for SSL-VPN users

Configuring authentication for SSL-VPN users

The process described in this guide is for enabling secure authentication through FortiAuthenticator. It does not include full configuration instructions for enabling SSL-VPN. For more information on configuring SSL-VPN, please see the FortiGate Cookbook on the Fortinet Documentation Library.

In order to set up authentication for SSL-VPN users, you must first create a new user group.

To create a user group:
  1. Go to User & Device > User Groups, and select Create New.
  2. Enter a name for the user group, for example: SSL-VPN Group.
  3. Select Firewall as the type.
  4. Under Remote Groups, click Add, and select the FortiAuthenticator RADIUS server from the dropdown menu. Click OK.

You can now create a firewall policy which enables SSL-VPN access into your chosen network.

To configure the SSL-VPN settings:
  1. Configure the SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access portal.
    2. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  2. Configure the SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Select the Listen on Interface(s).
    3. Set Listen on Port to 10443.
    4. Set Service Certificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, select the full-access portal for the SSL-VPN group, and choose a portal for All Other Users/Groups.
  3. Configure the SSL VPN Firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name.
    3. Set the Incoming Interface to the SSL-VPN tunnel interface(ssl.root).
    4. Set the Source Address to all and Source User to the SSL-VPN group.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network.
    6. Set the Destination to the internal protected subnet.
    7. Set the Schedule to always, Service to ALL, and Action to ACCEPT.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

Open a new browser and navigate to the SSL VPN web portal identified when you set up the SSL-VPN settings (example: 172.27.2.247:10443). Enter a valid username and password, and select Login, and you will be prompted to enter a FortiToken PIN. Once entered, you will have access to the SSL VPN tunnel.

Previous
Next

Configuring authentication for SSL-VPN users

The process described in this guide is for enabling secure authentication through FortiAuthenticator. It does not include full configuration instructions for enabling SSL-VPN. For more information on configuring SSL-VPN, please see the FortiGate Cookbook on the Fortinet Documentation Library.

In order to set up authentication for SSL-VPN users, you must first create a new user group.

To create a user group:
  1. Go to User & Device > User Groups, and select Create New.
  2. Enter a name for the user group, for example: SSL-VPN Group.
  3. Select Firewall as the type.
  4. Under Remote Groups, click Add, and select the FortiAuthenticator RADIUS server from the dropdown menu. Click OK.

You can now create a firewall policy which enables SSL-VPN access into your chosen network.

To configure the SSL-VPN settings:
  1. Configure the SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access portal.
    2. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  2. Configure the SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Select the Listen on Interface(s).
    3. Set Listen on Port to 10443.
    4. Set Service Certificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, select the full-access portal for the SSL-VPN group, and choose a portal for All Other Users/Groups.
  3. Configure the SSL VPN Firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name.
    3. Set the Incoming Interface to the SSL-VPN tunnel interface(ssl.root).
    4. Set the Source Address to all and Source User to the SSL-VPN group.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network.
    6. Set the Destination to the internal protected subnet.
    7. Set the Schedule to always, Service to ALL, and Action to ACCEPT.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

Open a new browser and navigate to the SSL VPN web portal identified when you set up the SSL-VPN settings (example: 172.27.2.247:10443). Enter a valid username and password, and select Login, and you will be prompted to enter a FortiToken PIN. Once entered, you will have access to the SSL VPN tunnel.

Previous
Next