RADIUS authentication for SSL VPN with FortiAuthenticator

This recipe describes how to set up FortiAuthenticator to function as a RADIUS server for FortiGate SSL VPN authentication. It involves adding users to FortiAuthenticator, setting up the RADIUS client on the FortiAuthenticator, and then configuring the FortiGate to use the FortiAuthenticator as a RADIUS server.

1. Creating the User(s) on FortiAuthenticator

From the FortiAuthenticator GUI, go to Authentication > User Management > Local Users, and select Create New.

Enter a name for the user (in the example, ckent), enter and confirm a password, and select OK. Select OK again to bypass optional settings.

Next, go to Authentication > User Management > User Groups, and add a user group for the FortiGate users. Add the desired users to the group.

2. Creating the RADIUS Client on FortiAuthenticator

Go to Authentication > RADIUS Service > Clients, and select Create New.

Enter a name for the RADIUS Client, set Client name/IP to the IP of the FortiGate, and set a Secret. The Secret is the RADIUS shared secret: a pre-shared password that the FortiGate uses to authenticate itself to the FortiAuthenticator and that both sides use to protect the RADIUS exchange, so it must match exactly on both devices.

Be sure to set Authentication method to Password-only authentication (exclude users without a password), and set Realms to local | Local users.

3. Connecting the FortiGate to the RADIUS Server

From the FortiGate GUI, go to User & Device > Authentication > RADIUS Servers, and select Create New.

Enter a name for the RADIUS server (in the example, FAC-RADIUS), enter the IP address of the FortiAuthenticator, and enter the Secret created before.

Test the connectivity and enter the credentials for ckent. The test should report a successful connection.

4. Creating the RADIUS User Group on the FortiGate

Go to User & Device > User > User Groups, and select Create New.

Enter a name for the user group (in the example, RADIUSgroup), and under Remote Groups, select Create New.

Select FAC-RADIUS (the RADIUS server created in step 3) under the Remote Server dropdown.

FAC-RADIUS is now listed as a remote server of the RADIUSgroup user group.

5. Configuring the SSL VPN

From the FortiGate GUI, go to VPN > SSL > Portals, and edit the full-access portal.

Disable Split Tunneling.

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 10443.

Under Tunnel Mode Client Settings, select Specify custom IP ranges and set it to SSLVPN_TUNNEL_ADDR1.

Under Authentication/Portal Mapping, select Create New.

Assign the RADIUSgroup user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

Select the prompt at the top of the screen to create a new SSL-VPN policy.

Set Source User(s) to the RADIUSgroup user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.


6. Results

From a remote device, access the SSL VPN Web Portal.

Enter valid RADIUS credentials (in the example, ckent).

ckent is now successfully logged into the SSL VPN Portal.

From the FortiGate GUI, go to VPN > Monitor > SSL-VPN Monitor to confirm the connection.

Adam Bristow
Technical Writer at Fortinet