Configuring authentication for SSL-VPN users

The process described in this guide is for enabling secure authentication through FortiAuthenticator. It does not include full configuration instructions for enabling SSL-VPN. For more information on configuring SSL-VPN, please see the FortiGate Cookbook on the Fortinet Documentation Library.

In order to set up authentication for SSL-VPN users, you must first create a new user group.

To create a user group:
  1. Go to User & Authentication > User Groups, and select Create New.
  2. Enter a name for the user group, for example: SSL-VPN Group.
  3. Select Firewall as the type.
  4. Under Remote Groups, click Add, and select the FortiAuthenticator RADIUS server from the dropdown menu. Click OK.

You can now create a firewall policy which enables SSL-VPN access into your chosen network.

To configure the SSL-VPN settings:
  1. Configure the SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to edit the full-access portal.
    2. Disable the Enable Split Tunneling option so that all SSL VPN traffic goes through the FortiGate.
  2. Configure the SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Select the Listen on Interface(s).
    3. Set Listen on Port to 10443.
    4. Set Service Certificate to the authentication certificate.
    5. Under Authentication/Portal Mapping, select the full-access portal for the SSL-VPN group, and choose a portal for All Other Users/Groups.
  3. Configure the SSL VPN Firewall policy.
    1. Go to Policy & Objects > Firewall Policy, select IPv4 from the dropdown on the right, and select Create New.
    2. Fill in the firewall policy name.
    3. Set the Incoming Interface to the SSL-VPN tunnel interface (ssl.root).
    4. Set the Source to all and Source User to the SSL-VPN group.
    5. Set the Outgoing Interface to the local network interface so that the remote user can access the internal network.
    6. Set the Destination to the internal protected subnet.
    7. Set the Schedule to always, Service to ALL, and Action to ACCEPT.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

Open a new browser and navigate to the SSL VPN web portal identified when you set up the SSL-VPN settings (example: 172.27.2.247:10443). Enter a valid username and password and select Login; you will then be prompted to enter a FortiToken PIN. Once it is entered, you will have access to the SSL VPN tunnel.
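The same setup expressed in the FortiOS CLI, as an added example that is not taken from this guide. The RADIUS server object name FortiAuthenticator (assumed to have been created earlier in the guide), the interfaces wan1 and port2, the address object internal-subnet and the certificate placeholder SERVER_CERT_NAME are assumptions; substitute your own object names.

```fortios
# Added example (not from the Fortinet guide): CLI equivalent of the GUI steps above.
# Assumed names: RADIUS server "FortiAuthenticator", listen interface "wan1",
# LAN interface "port2", address object "internal-subnet", certificate SERVER_CERT_NAME.

# Step 1: firewall user group whose only member is the FortiAuthenticator RADIUS server,
# so every login is forwarded to FortiAuthenticator (password plus FortiToken PIN).
config user group
    edit "SSL-VPN Group"
        set member "FortiAuthenticator"
    next
end

# Step 2a: full-access portal with split tunneling disabled (all traffic via the FortiGate).
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling disable
    next
end

# Step 2b: SSL-VPN settings: listen interface, port 10443, certificate, portal mapping.
config vpn ssl settings
    set servercert "SERVER_CERT_NAME"
    set source-interface "wan1"
    set port 10443
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL-VPN Group"
            set portal "full-access"
        next
    end
end

# Step 2c: firewall policy from ssl.root into the LAN, restricted to the SSL-VPN group.
config firewall policy
    edit 0
        set name "SSL-VPN to internal"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "internal-subnet"
        set groups "SSL-VPN Group"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat enable
    next
end
```

Service ALL and NAT mirror the guide's steps; once the tunnel is verified, narrowing the service list to what remote users actually need is the usual tightening.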