User accounts and groups
The first step for an SSL VPN tunnel is to add the users and user groups that will access the tunnel. You may already have users defined for other authentication-based security policies.
The user group is associated with the web portal that the user sees after logging in. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules.
To create a user account:
- In the web-based manager, go to User & Device > User > User Definition, and select Create New.
- In the CLI, use the commands in config user local.
All users accessing the SSL tunnel must be in a firewall user group. User names can be up to 64 characters long.
To create user groups:
- In the web-based manager, go to User & Device > User > User Groups and select Create New.
- In the CLI, use the commands in config user group.
Authentication
Remote users must be authenticated before they can request services and/or access network resources through the web portal. The authentication process can use a password defined on the FortiGate unit or optionally use established external authentication mechanisms such as RADIUS or LDAP.
To authenticate users, you can use a plain text password on the local FortiGate unit, forward authentication requests to an external RADIUS, LDAP or TACACS+ server, or utilize PKI certificates.
For information about how to create RADIUS, LDAP, TACACS+ or PKI user accounts and certificates, see the Authentication Guide.
FortiOS supports LDAP password renewal notification and updates through SSL VPN. Configuration is enabled using the CLI commands:
For more information, see the Authentication Guide.
MAC host check
When a remote client attempts to log in to the portal, you can have the FortiGate unit check the client's MAC address to ensure that only a specific computer or device is connecting to the tunnel. This adds a second check that still has to pass should a password be compromised.
MAC addresses can be tied to specific portals, and a rule can match either the entire MAC address or a prefix of the address. MAC host checking is configured in the CLI using the following commands:
config vpn ssl web portal
edit portal
set mac-addr-check enable
set mac-addr-action allow
config mac-addr-check-rule
edit "rule1"
set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d
set mac-addr-mask 48
end
end
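The rule above lists two complete addresses with a 48-bit mask, so only those exact devices match. The following is an added example, not code from Fortinet or from this guide: it reads the portal block shown above, models the mask as the number of leading address bits that must match (an assumption; 48 means the whole address, 24 means only the vendor prefix), and applies the portal's mac-addr-action to a client address. The sample configuration text is constructed from the page's own command lines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Accepts "aa:bb:cc:dd:ee:ff" or "aa-bb-cc-dd-ee-ff", in either letter case.
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5}$")


def mac_to_int(mac: str) -> int:
    """Parse a MAC address into its 48-bit integer value, rejecting malformed input."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(re.sub(r"[:-]", "", mac), 16)


def mac_matches(client_mac: str, rule_mac: str, mask_bits: int) -> bool:
    """True if the leading mask_bits of both addresses are equal.

    Assumption (not stated on the page): mac-addr-mask counts leading bits, so
    48 requires the whole address and 24 matches only the vendor (OUI) prefix.
    """
    if not 1 <= mask_bits <= 48:
        raise ValueError("mac-addr-mask must be between 1 and 48 bits")
    shift = 48 - mask_bits
    return (mac_to_int(client_mac) >> shift) == (mac_to_int(rule_mac) >> shift)


@dataclass
class MacRule:
    name: str
    mac_list: list[str] = field(default_factory=list)
    mask: int = 48


@dataclass
class PortalMacCheck:
    enabled: bool = False
    action: str = "allow"  # portal-level mac-addr-action
    rules: list[MacRule] = field(default_factory=list)

    def permits(self, client_mac: str) -> bool:
        """Decide whether one client MAC may connect to this portal.

        With action "allow" only listed MACs may connect; with "deny" the listed
        MACs are blocked and everything else may connect (assumed semantics).
        """
        if not self.enabled:
            return True
        matched = any(mac_matches(client_mac, m, rule.mask)
                      for rule in self.rules for m in rule.mac_list)
        return matched if self.action == "allow" else not matched


def parse_portal_mac_check(cli_text: str) -> PortalMacCheck:
    """Read the mac-addr-check settings out of a 'config vpn ssl web portal' block."""
    portal = PortalMacCheck()
    current: MacRule | None = None
    in_rules = False
    for raw in cli_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["config", "mac-addr-check-rule"]:
            in_rules = True
        elif in_rules and tokens[0] == "edit":
            current = MacRule(name=tokens[1].strip('"'))
            portal.rules.append(current)
        elif in_rules and tokens[0] == "end":
            in_rules, current = False, None
        elif tokens[0] == "set" and len(tokens) >= 3:
            key, values = tokens[1], tokens[2:]
            if key == "mac-addr-check":
                portal.enabled = values[0] == "enable"
            elif key == "mac-addr-action":
                portal.action = values[0]
            elif key == "mac-addr-list" and current is not None:
                current.mac_list = values
            elif key == "mac-addr-mask" and current is not None:
                current.mask = int(values[0])
    return portal


# Constructed sample: the portal block from the page, one rule, full 48-bit match.
SAMPLE_PORTAL_CONFIG = """
config vpn ssl web portal
    edit portal
        set mac-addr-check enable
        set mac-addr-action allow
        config mac-addr-check-rule
            edit "rule1"
                set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d
                set mac-addr-mask 48
            end
        end
"""

if __name__ == "__main__":
    portal = parse_portal_mac_check(SAMPLE_PORTAL_CONFIG)
    for mac in ("08:00:27:d4:06:5d", "08:00:27:d4:06:5e"):
        print(mac, "allowed" if portal.permits(mac) else "blocked")
```

A mask shorter than 48 widens the rule to every device sharing that prefix, so treat anything below 48 as a deliberate, documented choice rather than a convenience; the address the FortiGate sees is reported by the client, which is why the page frames this check as a supplement to the password, not a replacement for it.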
IP addresses for users
After the FortiGate unit authenticates a request for a tunnel-mode connection, the FortiGate unit assigns the SSL VPN client an IP address for the session. The address is assigned from an IP Pool, which is a firewall address defining an IP address range.
Take care to prevent overlapping IP addresses. Do not assign to clients any IP addresses that are already in use on the private network. As a precaution, consider assigning IP addresses from a network that is not commonly used (for example, 10.254.254.0/24).
To set tunnel-mode client IP address range - web-based manager:
- Go to Policy & Objects > Objects > Addresses and select Create New.
- Enter a Name, for example, SSL_VPN_tunnel_range.
- Select a Type of IP Range.
- In the Subnet/IP Range field, enter the starting and ending IP addresses that you want to assign to SSL VPN clients, for example 10.254.254.[80-100].
- In Interface, select Any.
- Select OK.
To set tunnel-mode client IP address range - CLI:
If your SSL VPN tunnel range is, for example, 10.254.254.80 to 10.254.254.100, you could enter:
config firewall address
edit SSL_tunnel_users
set type iprange
set end-ip 10.254.254.100
set start-ip 10.254.254.80
end
DHCP relay of IP address
The FortiGate unit can obtain IP addresses for SSL VPN clients from a DHCP server; however, this is configurable only in the CLI Console, by editing the ssl.root interface.
To enable DHCP relay service and relay IP address - CLI:
config system interface
edit ssl.root
set dhcp-relay-service [enable|disable]
set dhcp-relay-ip <dhcp_server_ip>
next
end
Authentication of remote users
When remote users connect to the SSL VPN tunnel, they must authenticate before they can use internal network resources. This can be as simple as assigning each user a password, or it can involve connecting to an LDAP server or using more secure options. FortiOS provides a number of authentication options, as well as security options for connected users.
The web portal can include bookmarks to connect to internal network resources. A web (HTTP/HTTPS) bookmark can include login credentials so that the FortiGate unit automatically logs the user into the website. This means that the user logs into the SSL VPN and then does not have to enter any more credentials to visit preconfigured web sites.
Both the administrator and the end user can configure bookmarks, including SSO bookmarks. To add bookmarks as a web portal user, see The SSL VPN web portal.
Setting the client authentication timeout
The client authentication timeout controls how long an authenticated user will remain connected. When this time expires, the system forces the remote client to authenticate again. As with the idle timeout, a shorter period of time is more secure. The default value is 28800 seconds (8 hours). You can only modify this timeout value in the CLI.
For example, to change the authentication timeout to 18,000 seconds, enter the following commands in the CLI:
config vpn ssl settings
set auth-timeout 18000
end
You can also set the idle timeout for the client, which defines how long a user can go without accessing the remote resources before being logged out. For information, see User accounts and groups.
Allow one-time login per user
You can set the SSL VPN tunnel so that each user can have only one concurrent login to the tunnel. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again.
To allow one-time login per user - web-based manager:
Go to VPN > SSL > Portals, select a portal, and enable Limit Users to One SSL-VPN Connection at a Time. It is disabled by default.
To allow one-time login per user - CLI:
config vpn ssl web portal
edit <portal_name>
set limit-user-logins enable
end
Strong authentication with security certificates
The FortiGate unit supports strong (two-factor) authentication through X.509 security certificates (version 1 or 3). The FortiGate unit can require clients to authenticate using a certificate, and the client can require the FortiGate unit to authenticate using a certificate.
For information about obtaining and installing certificates, see the Authentication Guide.
You can select the Require Client Certificate option so that clients must authenticate using certificates. The client browser must have a local certificate installed, and the FortiGate unit must have the corresponding CA certificate installed.
When the remote client initiates a connection, the FortiGate unit prompts the client browser for its client-side certificate as part of the authentication process.
To require client authentication by security certificates - web-based manager:
- Go to VPN > SSL > Settings.
- Select Require Client Certificate.
- Select Apply.
To require client authentication by security certificates - CLI:
config vpn ssl settings
set reqclientcert enable
end
If your SSL VPN clients require strong authentication, the FortiGate unit must offer a certificate issued by a CA whose certificate the client browser has installed.
In the FortiGate unit SSL VPN settings, you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory installed (Fortinet_CA_SSLProxy) certificate from Fortinet to remote clients when they connect. If you leave the default setting, a warning appears that recommends you purchase a certificate for your domain and upload it for use.
To enable FortiGate unit authentication by certificate - web-based manager:
- Go to VPN > SSL > Settings.
- From the Server Certificate list, select the certificate that the FortiGate unit uses to identify itself to SSL VPN clients.
- Select Apply.
To enable FortiGate unit authentication by certificate - CLI:
For example, to use the example_cert certificate:
config vpn ssl settings
set servercert example_cert
end
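The three settings covered in this section and in the two preceding ones (auth-timeout, reqclientcert and servercert) all live in the same `config vpn ssl settings` block, which makes them easy to audit together. The following is an added example, not code from Fortinet or from this guide: it parses that block out of a configuration dump and flags a timeout above a chosen ceiling, client certificates not being required, and the factory Fortinet_CA_SSLProxy certificate still being offered. The ceiling defaults to the 28800-second default the page states; using the default as the ceiling is the auditor's own choice, and both configuration samples are constructed.

```python
DEFAULT_AUTH_TIMEOUT = 28800  # seconds, the FortiOS default named on the page
FACTORY_SERVER_CERT = "Fortinet_CA_SSLProxy"


def parse_ssl_settings(cli_text: str) -> dict:
    """Collect 'set <key> <value...>' pairs from the 'config vpn ssl settings' block."""
    settings = {}
    inside = False
    for raw in cli_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:4] == ["config", "vpn", "ssl", "settings"]:
            inside = True
        elif inside and tokens[0] == "end":
            inside = False
        elif inside and tokens[0] == "set" and len(tokens) >= 3:
            settings[tokens[1]] = " ".join(tokens[2:])
    return settings


def audit_ssl_settings(settings: dict, max_auth_timeout: int = DEFAULT_AUTH_TIMEOUT) -> list:
    """Return one 'key: message' finding per weak setting; an empty list means clean."""
    findings = []

    # An absent auth-timeout means the unit is running the default value.
    timeout = int(settings.get("auth-timeout", DEFAULT_AUTH_TIMEOUT))
    if timeout > max_auth_timeout:
        findings.append(f"auth-timeout: {timeout}s exceeds the ceiling of {max_auth_timeout}s")

    # Page: Require Client Certificate makes certificate authentication mandatory.
    if settings.get("reqclientcert") != "enable":
        findings.append("reqclientcert: client certificates are not required")

    # Page: the factory certificate triggers a warning recommending a domain certificate.
    cert = settings.get("servercert")
    if cert is None or cert == FACTORY_SERVER_CERT:
        findings.append(f"servercert: factory certificate {FACTORY_SERVER_CERT} is offered to clients")

    return findings


# Constructed sample: a unit that keeps the weak defaults and a long timeout.
WEAK_CONFIG = """
config vpn ssl settings
    set auth-timeout 86400
    set reqclientcert disable
    set servercert Fortinet_CA_SSLProxy
end
"""

# Constructed sample: the values the page's own CLI examples set.
HARDENED_CONFIG = """
config vpn ssl settings
    set auth-timeout 18000
    set reqclientcert enable
    set servercert example_cert
end
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for finding in audit_ssl_settings(parse_ssl_settings(text)) or ["no findings"]:
            print(f"[{label}] {finding}")
```

Because the parser only looks inside the `config vpn ssl settings` block, it can be pointed at a full configuration backup without being confused by the portal or firewall address blocks elsewhere in the file.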
FortiOS will check the server certificate to verify that the certificate is valid. Only valid server certificates should be used.
NSA Suite B cryptography support
FortiOS supports the use of ECDSA Local Certificates for SSL VPN Suite B. The National Security Agency (NSA) developed Suite B algorithms in 2005 to serve as a cryptographic base for both classified and unclassified information at an interoperable level.
FortiOS allows you to import, generate, and use ECDSA certificates defined by the Suite B cryptography set. To generate ECDSA certificates, use the following command in the CLI:
exec vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]