SSL VPN with RADIUS on Windows NPS
This is an example configuration of SSL VPN that uses Windows Network Policy Server (NPS) as a RADIUS authentication server.
The NPS must already be configured to accept the FortiGate as a RADIUS client, with the chosen authentication method (such as MS-CHAPv2) enabled, and a shared secret must already have been created for that client.
Example
The user is connecting from their PC to the FortiGate's port1 interface. RADIUS authentication occurs between the FortiGate and the Windows NPS, and the SSL-VPN connection is established once the authentication is successful.
Configure SSL-VPN with RADIUS on Windows NPS in the GUI
To configure the internal and external interfaces:
- Go to Network > Interfaces
- Edit the port1 interface and set IP/Network Mask to 192.168.2.5/24.
- Edit the port2 interface and set IP/Network Mask to 192.168.20.5/24.
- Click OK.
To create a firewall address:
- Go to Policy & Objects > Addresses and click Create New > Address.
- Set Name to 192.168.20.0.
- Leave Type as Subnet.
- Set Subnet / IP Range to 192.168.20.0.
- Click OK.
To add the RADIUS server:
- Go to User & Device > RADIUS Servers and click Create New.
- Set Name to rad-server.
- Leave Authentication method set to Default. The PAP, MS-CHAPv2, and CHAP methods will be tried in order.
- Under Primary Server, set IP/Name to 192.168.20.6 and Secret to the shared secret configured on the RADIUS server.
- Click Test Connectivity to test the connection to the server, and ensure that Connection status is Successful.
- Optionally, click Test User Credentials to test user credentials. Testing from the GUI is limited to PAP.
- Click OK.
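As an added illustration of what Test User Credentials exercises on the wire (Python written for this page, not Fortinet or Microsoft code), the block below builds the RFC 2865 PAP Access-Request a NAS such as the FortiGate sends to NPS and performs the Response Authenticator check the NAS applies to the reply. Any user names, passwords, secrets or NAS addresses passed to these functions are illustrative values, not ones from the page.

```python
# Added example, not from the Fortinet page: the RFC 2865 PAP Access-Request a
# NAS (the FortiGate) sends to NPS, and the NAS's integrity check of the reply.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def pap_obfuscate(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), block 0 using the Request Authenticator. Only the secret hides it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_deobfuscate(cipher, secret, authenticator):
    """Server-side inverse of pap_obfuscate; strips the zero padding."""
    plain, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return plain.rstrip(b"\x00")

def attr(atype, value):  # TLV attribute; Length counts its own 2-byte header
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, auth=None):
    """Header: Code(1) Identifier(1) Length(2) Request Authenticator(16)."""
    auth = auth or os.urandom(16)  # must be unpredictable for every request
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, pap_obfuscate(password.encode(), secret, auth))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(response, request_auth, secret):
    """NAS-side check: drop any reply that fails this, whatever its Code says."""
    expected = response_authenticator(response[0], response[1], request_auth, response[20:], secret)
    return expected == response[4:20]
```

The same secret both hides the PAP password and authenticates the server's reply, which is why the GUI test being limited to PAP matters: a weak or leaked shared secret undoes both protections at once.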
To configure a user group:
- Go to User & Device > User Groups and click Create New.
- Set Name to rad-group.
- Under Remote Groups, click Add and add the rad-server.
- Click OK.
To configure SSL VPN settings:
- Go to VPN > SSL-VPN Settings.
- Select the Listen on Interface(s), in this example, port1.
- Set Listen on Port to 10443.
- If you have a server certificate, set Server Certificate to the authentication certificate.
- Under Authentication/Portal Mapping:
  - Edit All Other Users/Groups and set Portal to web-access.
  - Click Create New and create a mapping for the rad-group user group with Portal set to full-access.
- Click OK.
- Configure other settings as required.
- Click Apply.
To configure an SSL VPN firewall policy:
- Go to Policy & Objects > IPv4 Policy and click Create New.
- Set the policy name, in this example, sslvpn-radius.
- Set Incoming Interface to the SSL-VPN tunnel interface (ssl.root).
- Set Outgoing Interface to the local network interface so that the remote user can access the internal network; in this example, port2.
- Set the Source > Address to all and Source > User to rad-group.
- Set Destination > Address to the internal protected subnet 192.168.20.0.
- Set Schedule to always, Service to ALL, and Action to Accept.
- Enable NAT.
- Configure the remaining options as required.
- Click OK.
Configure SSL-VPN with RADIUS on Windows NPS in the CLI
To configure SSL VPN using the CLI:
- Configure the internal and external interfaces:
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.2.5 255.255.255.0
        set alias external
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.20.5 255.255.255.0
        set alias internal
    next
end
- Configure the firewall address:
config firewall address
    edit "192.168.20.0"
        set subnet 192.168.20.0 255.255.255.0
    next
end
- Add the RADIUS server:
config user radius
    edit "rad-server"
        set server "192.168.20.6"
        set secret *********
    next
end
- Create a user group and add the RADIUS server to it:
config user group
    edit "rad-group"
        set member "rad-server"
    next
end
- Configure SSL VPN settings:
config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "rad-group"
            set portal "full-access"
        next
    end
end
- Configure an SSL VPN firewall policy to allow the remote user to access the internal network:
config firewall policy
    edit 1
        set name "sslvpn-radius"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "192.168.20.0"
        set groups "rad-group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Results
To connect with FortiClient in tunnel mode:
- Download FortiClient from www.forticlient.com.
- Open the FortiClient Console and go to Remote Access > Configure VPN.
- Add a new connection:
  - Set the connection name.
  - Set Remote Gateway to 192.168.2.5.
  - Select Customize Port and set it to 10443.
  - Save your settings.
- Log in using the RADIUS user credentials.
To check the SSL VPN connection using the GUI:
- Go to Monitor > SSL-VPN to verify the user’s connection.
- Go to Log & Report > Events and select VPN Events from the event type drop-down list to view the details of the SSL VPN connection event log.
- Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User       Group       Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       radkeith   rad-group   2(1)        295       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User       Group       Source IP       Duration   I/O Bytes     Tunnel/Dest IP
 0       radkeith   rad-group   192.168.2.202   18         28502/4966    10.212.134.200
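Checking the monitor output by eye does not scale once many users are connected. The following Python, added for this page rather than taken from Fortinet, parses the `get vpn ssl monitor` layout shown above and flags tunnels whose group or source network is not what the RADIUS policy expects. The sample text is constructed from the page's output with one extra, made-up session added to trigger the checks; the group and network allow-lists are assumptions an administrator would set.

```python
# Added example, not from the Fortinet page: parse "get vpn ssl monitor" output
# and flag sessions outside the expected RADIUS group or source network.
import ipaddress

# Constructed sample in the page's output layout; the second session is a
# made-up login from a non-RADIUS group and an unexpected network.
SAMPLE = """\
SSL VPN Login Users:
 Index   User       Group       Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       radkeith   rad-group   2(1)        295       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User       Group       Source IP       Duration   I/O Bytes     Tunnel/Dest IP
 0       radkeith   rad-group   192.168.2.202   18         28502/4966    10.212.134.200
 1       localadm   guest       203.0.113.9     4          1200/300      10.212.134.201
"""

LOGIN_FIELDS = ("index", "user", "group", "auth_type", "timeout", "from", "http", "https")
SESSION_FIELDS = ("index", "user", "group", "source_ip", "duration", "io_bytes", "tunnel_ip")

def parse_ssl_monitor(text):
    """Return (login_users, sessions), each a list of dicts keyed as above."""
    logins, sessions, fields, target = [], [], None, None
    for line in text.splitlines():
        if line.startswith("SSL VPN Login Users"):
            fields, target = LOGIN_FIELDS, logins
        elif line.startswith("SSL VPN sessions"):
            fields, target = SESSION_FIELDS, sessions
        elif fields and line.strip()[:1].isdigit():  # data rows start with Index
            tokens = line.split()
            if len(tokens) == len(fields):
                target.append(dict(zip(fields, tokens)))
    return logins, sessions

def audit_sessions(sessions, allowed_groups, allowed_nets):
    """Defender check: every tunnel should belong to a RADIUS-backed group and
    originate from a network the SSL VPN is meant to serve (both assumed)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for s in sessions:
        src = ipaddress.ip_address(s["source_ip"])
        if s["group"] not in allowed_groups:
            findings.append((s["index"], s["user"], f"unexpected group {s['group']}"))
        if not any(src in n for n in nets):
            findings.append((s["index"], s["user"], f"source {src} outside allowed networks"))
    return findings
```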