This example illustrates how to configure a FortiGate to use LDAP authentication to authenticate remote SSL VPN users. With a properly configured LDAP server, user and authentication data can be maintained independently of the FortiGate, accessed only when a remote user attempts to connect through the SSL VPN tunnel.
- Downloading and installing FSSO agent in the LDAP server
- Registering the LDAP server on the FortiGate
- Configuring Single Sign-On on the FortiGate
- Importing LDAP users
- Creating the SSL VPN user group
- Creating the SSL address range
- Configuring the SSL VPN tunnel
- Creating security policies
- Results
1. Downloading and installing FSSO agent in the LDAP server
The FortiOS version used on the firewall in this example is 5.2.5 build 701.
Download and install the FSSO client on your Domain Controller; the download is available here:
https://support.fortinet.com/Download/FirmwareImages.aspx
Accept the license and follow the Wizard. Enter the Windows AD administrator password.
Click Next and select the Advanced Access method.
In the Collector Agent IP address field, enter the IP address of the Windows AD server.
Select the domain you wish to monitor.
Next, select the users you do not wish to monitor.
Under Working Mode, select DC Agent mode.
Reboot the Domain Controller.
Upon reboot, the collector agent will start up.
You can choose to Require authenticated connection from FortiGate and set a Password.
2. Registering the LDAP server on the FortiGate
Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.
3. Configuring Single Sign-On on the FortiGate
Go to User & Device > Authentication > Single Sign-On and create a new SSO server.
Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS Writers” group is used.
4. Importing LDAP users
Go to User & Device > User > User Definition, and create a new user, selecting Remote LDAP User.
Choose your LDAP Server from the dropdown list.
You will be presented with a list of user accounts, filtered by the LDAP Filter to include only common user classes.
5. Creating the SSL VPN user group
Go to User & Device > User > User Groups to create a new FSSO user group.
6. Creating the SSL address range
Go to Policy & Objects > Objects > Addresses, and create a new address.
Set the Type to IP Range, and in the Subnet/IP Range field, enter the range of addresses you want to assign to SSL VPN clients. Select Any as the Interface.
Then create another Address for each Subnet or IP Range within your internal network to which remote users will connect.
7. Configuring the SSL VPN tunnel
Go to VPN > SSL > Portals and create a full-access portal, or edit the existing full-access portal.
Under Source IP Pools, select the SSL address range created in step 6 from the drop-down menu.
Go to VPN > SSL > Settings.
Under Connection Settings set Listen on Port to 443.
Under Authentication/Portal Mapping, select Create New.
Assign the LDAP user group to the full-access portal.
8. Creating security policies
Go to Policy & Objects > Policy > IPv4 and create an ssl.root – wan1 policy.
9. Results
Open FortiClient, select SSL-VPN, click New VPN and enter a Connection Name.
Enter the IP address of the Remote Gateway (the FortiGate WAN IP address).
Select Customize port (the default port is 443).
Select Do not Warn Invalid Server Certificate. This warning appears because the FortiGate's default certificate is self-signed; the option suppresses server certificate validation on the client, and installing a certificate issued by a CA the client trusts removes the need for it.
Click Apply and close.
Open FortiClient, enter your LDAP credentials and click Connect.
That’s it.
Happy Browsing!!
Check this video for detailed information about the installation.
source: FortiGate