SSL VPN with Fortigate firewalls - Part I (LDAP authentication)

Today we will look at how to configure and troubleshoot SSL VPN on Fortigate firewalls with LDAP authentication. In another blog post we will implement the same thing with certificate authentication.

Our topology looks like below -

01 - Network Topology

The topology is very simple, as our goal is to look at the SSL VPN implementation in Fortigate firewalls. The firewall has one internal network (10.10.1.0/24) containing one Windows server (Srv-Win-Ad-01 - 10.10.1.25/24), which runs the AD domain and certificate services, and one Linux server (Srv-Lin-01 - 10.10.1.26/24). The external network (192.168.199.0/24) provides internet connectivity, and a domain-joined client (Clt-Win-01) runs the VPN client to get access to the internal network.

Basic IP connectivity setup

The basic IP configuration of the Fortigate firewall is given below -

config system interface
    edit "port1"
        set vdom "root"
        !!! Configure IP address for external (internet) interface
        set ip 192.168.199.121 255.255.255.0
        set description "External"
        set alias "External"
    next
    edit "port3"
        set vdom "root"
        !!! Configure IP address for internal (LAN) interface
        set ip 10.10.1.1 255.255.255.0
        set description "Internal"
        set alias "Internal"
    next
end

config router static
    edit 1
        !!! Configure default gateway
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.199.2
        set distance 10
        set device "port1"
    next
end

config system zone
    !!! Creating firewall zones which will be used in firewall policies
    edit "Zone-Internal"
        set interface "port3"
    next
    edit "Zone-External"
        set interface "port1"
    next
    edit "Zone-SSL-VPN"
        set interface "ssl.root"
    next
end

config firewall policy
    !!! Firewall policy to allow LAN network internet access
    edit 1
        set srcintf "Zone-Internal"
        set dstintf "Zone-External"
        set action accept
        set srcaddr "Net-10.10.1.0/24"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

LDAP Server Configuration

The definition of the LDAP server in the Fortigate firewall looks as below -

02 - LDAP Server Configuration

The equivalent configuration from the CLI - 
 
config user ldap
    edit "Srv-Win-Ad-01"
        !!! AD-DC server IP address
        set server "10.10.1.25"
        set cnid "SAMAccountName"
        !!! Our domain name is - testlab.local
        set dn "dc=testlab,dc=local"
        set type regular
        !!! A service user account which can run queries against the AD domain
        set username "svcldap01"
        set password test123
    next
end

LDAP SSL VPN User Group Configuration

In the AD domain we have a user group named "SSL VPN Users". A user must belong to this group to be able to connect via SSL VPN. We will add this user group to the firewall.

03 - LDAP User-Group Configuration

The CLI commands to configure the equivalent are -

config user group
    edit "SSL-LDAP-Pwd-Group"
        set member "Srv-Win-Ad-01"
        config match
            edit 1
                !!! Selecting the AD/LDAP server 
                set server-name "Srv-Win-Ad-01"
                !!! Selecting the group from AD/LDAP Server
                set group-name "CN=SSL VPN Users,CN=Users,DC=testlab,DC=local"
            next
        end
    next
end

SSL VPN Configuration

Fortigate firewalls provide a lot of options to configure SSL VPN. For my setup I will use the following parameters -

  • Web-mode/Tunnel-mode - We will not configure SSL VPN in web-mode. Only tunnel-mode will be configured.
  • SSL-VPN Realms - We will configure realms, which in our setup are used to separate the username/password and certificate authentication mechanisms.
  • Split-tunneling - We will use split-tunneling based on Policy Destination, which means only the networks used as destinations in firewall policies will be pushed to VPN clients.
  • SSL-VPN client IP addressing - VPN clients will be assigned IP addresses from the network 10.10.3.0/24.

Let's dive into the configuration part -

We need to enable SSL-VPN Realms, which are disabled by default.

04 - Enable SSL-VPN Realms

config system settings
    !!! Enable SSL-VPN realm feature
    set gui-sslvpn-realms enable
end

Now we will configure a realm named sslpwd -

05 - Configure SSL-VPN LDAP Realms

config vpn ssl web realm
    !!! A realm named sslpwd is created
    edit "sslpwd"
    next
end

Now we will create two portals named Portal-LDAP-Pwd (used for username/password authentication with LDAP) and No-Access (used to deny access to the SSL-VPN by default).

06 - SSL-VPN Portal for LDAP Authentication

config vpn ssl web portal
    edit "Portal-LDAP-Pwd"
        !!! Only tunnel-mode is allowed
        set tunnel-mode enable
        !!! SSL-VPN client IP addressing
        set ip-pools "Net-10.10.3.0/24"
        !!! DNS server and suffix settings for clients
        !!! Must be set up from the CLI
        set dns-server1 10.10.1.25
        set dns-suffix "testlab.local"
    next
    edit "No-Access"
        !!! Both tunnel and web mode are disabled to prevent default access to the VPN
        set forticlient-download disable
    next
end

Now we will bind everything together under the SSL-VPN settings -

07 - SSL-VPN Settings

config vpn ssl settings
    set servercert "self-sign"
    !!! Which Zone/Interface will listen for incoming SSL-VPN client requests
    set source-interface "Zone-External"
    !!! SSL-VPN will listen on port 10443
    set port 10443
    !!! Deny default access
    set default-portal "No-Access"
    config authentication-rule
        edit 1
            !!! user-group, portal and realm binding
            set groups "SSL-LDAP-Pwd-Group"
            set portal "Portal-LDAP-Pwd"
            set realm "sslpwd"
        next
    end
end

Last but not least, we must have a firewall policy which allows traffic from the SSL-VPN client network to the LAN (internal) network.

08 - Firewall Policy for VPN traffic

config firewall policy
    edit 2
        set srcintf "Zone-SSL-VPN"
        set dstintf "Zone-Internal"
        set action accept
        set srcaddr "Net-10.10.3.0/24"
        set dstaddr "Net-10.10.1.0/24"
        set schedule "always"
        set service "ALL"
        set groups "SSL-LDAP-Pwd-Group"
    next
end

Now we have all the pieces in place for the SSL-VPN configuration on a Fortigate firewall.
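As an added check, not part of the original post: a small Python audit that parses FortiOS CLI blocks in the syntax used above into nested dicts and flags two of the settings shown, the LDAP simple bind (set type regular) without "set secure ldaps" and the self-signed SSL-VPN server certificate. The sample config is constructed from the post's values; "set secure" and "set port 636" are existing options under config user ldap and are not used in the post's own configuration.

```python
import shlex

# Constructed sample in FortiOS CLI syntax, mirroring the post's LDAP-server
# and SSL-VPN settings blocks ("!!!" lines are the post's annotations, not CLI).
SAMPLE_CONFIG = """
config user ldap
    edit "Srv-Win-Ad-01"
        !!! simple bind, no "set secure ldaps"
        set server "10.10.1.25"
        set dn "dc=testlab,dc=local"
        set type regular
        set username "svcldap01"
        set password test123
    next
end
config vpn ssl settings
    set servercert "self-sign"
    set port 10443
    set default-portal "No-Access"
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into nested dicts keyed by name."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!!!"):
            continue                      # skip blanks and the post's annotations
        cmd, *args = shlex.split(line)    # shlex keeps quoted values like "dc=a,dc=b" whole
        cur = stack[-1] if stack else root
        if cmd in ("config", "edit"):     # open a (possibly nested) block
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "set":                # 'set key value...' inside the current block
            cur[args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):      # close the innermost block
            stack.pop()
    return root

def audit(cfg):
    """Findings for the two settings in the post a reviewer would question."""
    findings = []
    for name, srv in cfg.get("user ldap", {}).items():
        # 'set type regular' is a simple bind; without 'set secure ldaps' (or starttls)
        # the service-account password travels to the DC in cleartext on TCP 389.
        if srv.get("type") == "regular" and srv.get("secure", "disable") == "disable":
            findings.append(f"ldap {name}: simple bind for {srv.get('username')} without LDAPS")
    if cfg.get("vpn ssl settings", {}).get("servercert") == "self-sign":
        findings.append("sslvpn: self-signed server certificate, clients cannot verify the gateway")
    return findings
```

Running audit(parse_fortios(SAMPLE_CONFIG)) on the post's values returns both findings; adding "set secure ldaps" and "set port 636" to the LDAP block clears the first one.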

FortiClient Configuration (SSL-VPN Client)

Now we will install FortiClient on our client PC named Clt-Win-01 and configure it as below -

09 - FortiClient Settings for LDAP Authentication

SSL-VPN Verification 

Now we will connect to the VPN and do some verification.

Let's do it from the client side first -

After successfully connecting to the VPN, the status window of FortiClient looks like below -

10 - FortiClient VPN Status

11 - VPN Client Interface Status

12 - VPN Client Routing Status

From the above screenshots we can see that our client received IP address 10.10.3.1, DNS suffix testlab.local and DNS server 10.10.1.25 after connecting to the VPN. A routing table entry for 10.10.1.0/24 (the internal network) was also created on the client.

Now we will do the verification from the firewall side -

Fw-FGT-01 # get vpn ssl monitor 
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       duser01         SSL-LDAP-Pwd-Group     16(1)            299    28787    192.168.199.199        0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP 
 0       duser01         SSL-LDAP-Pwd-Group     192.168.199.199          13      22190/9807     10.10.3.1

From the above we can see that from external IP address 192.168.199.199, a user named duser01 from group SSL-LDAP-Pwd-Group has connected to the VPN and was assigned IP address 10.10.3.1 from the VPN subnet.
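As an added example, not from the original post: a Python parser for the "SSL-VPN sessions" table of get vpn ssl monitor shown above, with a consistency check of each session against the IP pool and the user group bound in the authentication rule earlier. The second session row, its addresses and the allowed-groups list are constructed for the example.

```python
import ipaddress

# Constructed sample in the layout of 'get vpn ssl monitor' from the post; the
# second session is invented to show a tunnel address and group that do not match.
MONITOR = """\
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       duser01         SSL-LDAP-Pwd-Group     16(1)            299    28787    192.168.199.199        0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       duser01         SSL-LDAP-Pwd-Group     192.168.199.199          13      22190/9807     10.10.3.1
 1       duser02         Other-Group            198.51.100.7           1500      10/10          10.10.9.9
"""

SESSION_FIELDS = ("index", "user", "group", "source_ip", "duration", "io_bytes", "tunnel_ip")

def parse_sessions(text):
    """Return the rows of the 'SSL-VPN sessions:' table as dicts."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("SSL-VPN sessions:"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.strip().startswith("Index"):
            continue                           # skip other sections, blanks and the header
        parts = line.split()
        if len(parts) != len(SESSION_FIELDS):  # ignore anything that is not a session row
            continue
        row = dict(zip(SESSION_FIELDS, parts))
        row["bytes_in"], row["bytes_out"] = (int(x) for x in row["io_bytes"].split("/"))
        rows.append(row)
    return rows

def check_sessions(rows, pool="10.10.3.0/24", allowed_groups=("SSL-LDAP-Pwd-Group",)):
    """Flag sessions whose tunnel IP is outside the configured pool or whose
    group is not one bound under 'config authentication-rule'."""
    net, alerts = ipaddress.ip_network(pool), []
    for r in rows:
        if ipaddress.ip_address(r["tunnel_ip"]) not in net:
            alerts.append(f"{r['user']}: tunnel IP {r['tunnel_ip']} outside pool {pool}")
        if r["group"] not in allowed_groups:
            alerts.append(f"{r['user']}: unexpected group {r['group']}")
    return alerts
```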

We can also enable SSL-VPN debugging -

Fw-FGT-01 # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.

Fw-FGT-01 # diagnose debug enable (output truncated)
[135:root:14]sconn 0x7f47f5990100 (0:root) vfid=0 local=[192.168.199.121] remote=[192.168.199.199] dynamicip=[10.10.3.1]
[135:root:14]Prepare to launch ppp service...
[135:root:14]tun: ppp 0x7f47f5a71000 dev (ssl.root) opened fd 37
[135:root:14]Will add auth policy for policy 2 for user duser01:SSL-LDAP-Pwd-Group
[135:root:14]Add auth logon for user duser01:SSL-LDAP-Pwd-Group, matched group number 1
[135:root:0]RCV: LCP Configure_Request id(1) len(14) [Maximum_Received_Unit 1354] [Magic_Number A41FBF78] 
[135:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number C63E2896] 
[135:root:0]lcp_reqci: returning CONFACK.
[135:root:0]SND: IPCP Configure_Nak id(0) [IP_Address 10.10.3.1] [Primary_DNS_IP_Address 10.10.1.25] [Secondary_DNS_IP_Address 10.10.1.25] 
[135:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 192.168.199.121] 
[135:root:0]RCV: IPCP Configure_Request id(1) [IP_Address 10.10.3.1] [Primary_DNS_IP_Address 10.10.1.25] [Secondary_DNS_IP_Address 10.10.1.25] 
[135:root:0]ipcp: returning Configure-ACK
[135:root:0]SND: IPCP Configure_Ack id(1) [IP_Address 10.10.3.1] [Primary_DNS_IP_Address 10.10.1.25] [Secondary_DNS_IP_Address 10.10.1.25] 
[135:root:0]ipcp: up ppp:0x7f47f5a71000 caller:0x7f47f5990100 tun:37
[135:root:0]Cannot determine ethernet address for proxy ARP
[135:root:0]local  IP address 192.168.199.121
[135:root:0]remote IP address 10.10.3.1
[135:root:14]sslvpn_ppp_associate_fd_to_ipaddr:281 associate 10.10.3.1 to tun (ssl.root:37)

We can also debug the Fortigate authentication daemon (fnbamd) to observe how the LDAP authentication works -

Fw-FGT-01 # diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.

Fw-FGT-01 # diagnose debug enable (output truncated)
[2679] fnbamd_ldap_result-Result for ldap svr 10.10.1.25(Srv-Win-Ad-01) is SUCCESS
[401] ldap_copy_grp_list-copied CN=SSL VPN Users,CN=Users,DC=testlab,DC=local
[401] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=testlab,DC=local
[1636] fnbam_user_auth_group_match-req id: 1745543979, server: Srv-Win-Ad-01, local auth: 0, dn match: 1
[1603] __group_match-Group 'SSL-LDAP-Pwd-Group' passed group matching
[1606] __group_match-Add matched group 'SSL-LDAP-Pwd-Group'(2)
[2690] fnbamd_ldap_result-Passed group matching
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1745543979, len=2176
[789] destroy_auth_session-delete session 1745543979
[755] __ldap_destroy-
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'Srv-Win-Ad-01' ctx

To see the list of currently authenticated users on the firewall -

Fw-FGT-01 # diagnose firewall auth list 

10.10.3.1, duser01
        type: fw, id: 0, duration: 135, idled: 51
        expire: 28747, allow-idle: 28799
        flag(80): sslvpn
        server: Srv-Win-Ad-01
        packets: in 52 out 71, bytes: in 8023 out 14660
        group_id: 2
        group_name: SSL-LDAP-Pwd-Group

----- 1 listed, 0 filtered ------

We can also test our LDAP connection using the command below -

!!! diagnose test authserver ldap server_name username userpassword
Fw-FGT-01 # diagnose test authserver ldap Srv-Win-Ad-01 duser01 test123
authenticate 'duser01' against 'Srv-Win-Ad-01' succeeded!
Group membership(s) - CN=SSL VPN Users,CN=Users,DC=testlab,DC=local
                      CN=Domain Users,CN=Users,DC=testlab,DC=local

Above I have shown how to configure SSL-VPN on a Fortigate firewall with LDAP username/password as the authentication mechanism. In the next blog post I will show how to configure SSL-VPN with certificate authentication.
