SSL VPN for remote users with MFA and user sensitivity
By default, remote LDAP and RADIUS user names are case sensitive. When a remote user object is applied to SSL VPN authentication, the user must type the exact case that is used in the user definition on the FortiGate.
Case sensitivity and accents can be ignored by disabling the username-sensitivity
CLI command, allowing the remote user object to match any case or accents that the end user types in.
In this example, a remote user is configured with multi-factor authentication (MFA). The user group includes the LDAP user and server, and is applied to SSL VPN authentication and the policy.
Topology
Example configuration
To configure the LDAP server:
- Generate and export a CA certificate from the AD server .
- Import the CA certificate into FortiGate:
- Go to System > Features Visibility and ensure Certificates is enabled.
- Go to System > Certificates and select Import > CA Certificate.
- Select Local PC and then select the certificate file.
The CA certificate now appears in the list of External CA Certificates. In this example, it is called CA_Cert_1.
- If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:
config vpn certificate ca rename CA_Cert_1 to LDAPS-CA end
- Configure the LDAP user:
- Go to User & Authentication > LDAP Servers and click Create New.
- Configure the following options for this example:
Name
WIN2K16-KLHOME
Server IP/Name
192.168.20.6
Server Port
636
Common Name Identifier
sAMAccountName
Distinguished Name
dc=KLHOME,dc=local
Bind Type
Regular
Username
KLHOME\\Administrator
Password
*********
Secure Connection
Enable
Protocol
LDAPS
Certificate
CA_Cert_1
This is the CA certificate that you imported in step 2.
- Click OK.
To configure an LDAP user with MFA:
- Go to User & Authentication > User Definition and click Create New.
- Select Remote LDAP User, then click Next.
- Select the just created LDAP server, then click Next.
- Right click to add the selected user, then click Submit.
- Edit the user that you just created.
The username will be pulled from the LDAP server with the same case as it has on the server.
- Set the Email Address to the address that FortiGate will send the FortiToken to.
- Enable Two-factor Authentication.
- Set Authentication Type to FortiToken.
- Set Token to a FortiToken device. See for more information.
- Click OK.
To disable case and accent sensitivity on the remote user:
This can only be configured in the CLI.
config user local edit "fgdocs" set type ldap set two-factor fortitoken set fortitoken "FTKMOBxxxxxxxxxx" set email-to "fgdocs@fortinet.com" set username-sensitivity disable set ldap-server "WIN2K16-KLHOME" next end
To configure a user group with the remote user and the LDAP server:
- Go to User & Authentication > User Groups and click Create New.
- Set the Name to LDAP-USERGRP.
- Set Members to the just created remote user.
- In the Remote Groups table, click Add:
- Set Remote Server to the LDAP server.
- Set the group or groups that apply, and right click to add them.
- Click OK.
- Click OK.
To apply the user group to the SSL VPN portal:
- Go to VPN > SSL-VPN Settings.
- In the Authentication/Portal Mapping table, click Create New.
- Set Users/Groups to the just created user group.
- Configure the remaining settings as required.
- Click OK.
- Click Apply.
To apply the user group to a firewall policy:
- Go to Policy & Objects > Firewall Policy and click Create New.
- Configure the following:
Name
SSLVPNtoInteral
Incoming Interface
SSL-VPN tunnel interface (ssl.root)
Outgoing Interface
port3
Source
Address - SSLVPN_TUNNEL_ADDR1
User - LDAP-USERGRP
Destination
The address of the internal network.
In this case: 192.168.20.0.
Schedule
always
Service
ALL
Action
ACCEPT
NAT
Enabled
- Configuring the remaining settings as required.
- Click OK.
To configure this example in the CLI:
- Configure the LDAP server:
config user ldap edit "WIN2K16-KLHOME" set server "192.168.20.6" set cnid "sAMAccountName" set dn "dc=KLHOME,dc=local" set type regular set username "KLHOME\\Administrator" set password ********* set secure ldaps set ca-cert "CA_Cert_1" set port 636 next end
- Configure an LDAP user with MFA:
config user local edit "fgdocs" set type ldap set two-factor fortitoken set fortitoken "FTKMOBxxxxxxxxxx" set email-to "fgdocs@fortinet.com" set username-sensitivity disable set ldap-server "WIN2K16-KLHOME" next end
- Disable case and accent sensitivity on the remote user:
config user local edit "fgdocs" set type ldap set two-factor fortitoken set fortitoken "FTKMOBxxxxxxxxxx" set email-to "fgdocs@fortinet.com" set username-sensitivity disable set ldap-server "WIN2K16-KLHOME" next end
- Configure a user group with the remote user and the LDAP server:
config user group edit "LDAP-USERGRP" set member "fgdocs" "WIN2K16-KLHOME" next end
- Apply the user group to the SSL VPN portal:
config vpn ssl settings set servercert <server certificate> set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set source-interface "port1" set source-address "all" set default-portal "web-access" config authentication-rule edit 1 set groups "LDAP-USERGRP" set portal "full-access" next end end
- Apply the user group to a firewall policy:
config firewall policy edit 5 set name "SSLVPNtoInternal" set srcintf "ssl.root" set dstintf "port3" set srcaddr "SSLVPN_TUNNEL_ADDR1" set dstaddr "192.168.20.0" set action accept set schedule "always" set service "ALL" set groups "LDAP-USERGRP" set nat enable next end
Verification
To setup the VPN connection:
- Download FortiClient from www.forticlient.com.
- Open the FortiClient Console and go to Remote Access.
- Add a new connection:
- Set the connection name.
- Set Remote Gateway to the IP of the listening FortiGate interface.
- If required, set the Customize Port.
- Save your settings.
To test the connection with case sensitivity disabled:
- Connect to the VPN:
- Log in to the tunnel with the username, using the same case that it is on the FortiGate.
- When prompted, enter your FortiToken code.
You should now be connected.
- Check the web portal log in using the CLI:
# get vpn ssl monitor SSL VPN Login Users: Index User Group Auth Type Timeout From HTTP in/out HTTPS in/out 0 fgdocs LDAP-USERGRP 16(1) 289 192.168.2.202 0/0 0/0 SSL VPN sessions: Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP 0 fgdocs LDAP-USERGRP 192.168.2.202 45 99883/5572 10.212.134.200
- Disconnect from the VPN connection.
- Reconnect to the VPN:
- Log in to the tunnel with the username, using a different case than on the FortiGate.
- When prompted, enter your FortiToken code.
You should now be connected.
- Check the web portal log in using the CLI:
# get vpn ssl monitor SSL VPN Login Users: Index User Group Auth Type Timeout From HTTP in/out HTTPS in/out 0 FGDOCS LDAP-USERGRP 16(1) 289 192.168.2.202 0/0 0/0 SSL VPN sessions: Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP 0 FGDOCS LDAP-USERGRP 192.168.2.202 45 99883/5572 10.212.134.200
In both cases, the remote user is matched against the remote LDAP user object and prompted for multi-factor authentication.
To test the connection with case and accent sensitivity enabled:
- Enable case and accent sensitivity for the user:
config user local edit "fgdocs" set username-sensitivity enable next end
- Connect to the VPN
- Log in to the tunnel with the username, using the same case that it is on the FortiGate.
- When prompted, enter your FortiToken code.
You should now be connected.
- Check the web portal log in using the CLI:
# get vpn ssl monitor SSL VPN Login Users: Index User Group Auth Type Timeout From HTTP in/out HTTPS in/out 0 fgdocs LDAP-USERGRP 16(1) 289 192.168.2.202 0/0 0/0 SSL VPN sessions: Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP 0 fgdocs LDAP-USERGRP 192.168.2.202 45 99883/5572 10.212.134.200
- Disconnect from the VPN connection.
- Reconnect to the VPN:
- Log in to the tunnel with the username, using a different case than on the FortiGate.
You will not be prompted for your FortiToken code. You should now be connected.
- Log in to the tunnel with the username, using a different case than on the FortiGate.
- Check the web portal log in using the CLI:
# get vpn ssl monitor SSL VPN Login Users: Index User Group Auth Type Timeout From HTTP in/out HTTPS in/out 0 FGdocs LDAP-USERGRP 16(1) 289 192.168.2.202 0/0 0/0 SSL VPN sessions: Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP 0 FGdocs LDAP-USERGRP 192.168.2.202 45 99883/5572 10.212.134.200
In this case, the user is allowed to log in without a FortiToken code because the entered user name did not match the name defined on the remote LDAP user object. Authentication continues to be evaluated against the LDAP server though, which is not case sensitive.