FortiGate Client VPN with static IP-Address (Framed-IP) and RADIUS

 Problem

Each user receives a fixed IP address for the VPN tunnel from the RADIUS server (in this case a FortiAuthenticator).

Solution

FortiAuthenticator / other RADIUS Server

For the RADIUS server, the RADIUS attribute "Framed-IP-Address" must be defined per user.

FortiAuthenticator



FortiGate

On FortiGate side we need the following configuration (expect the default Radius Configuration):
config vpn ssl web portal
    edit "tunnel-access"
        set ip-mode user-group
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
  • ip-mode:
    • user-group: Get IP-address from RADIUS Attribute (Framed-IP-Address)
    • range: The default option. Define to distribute IP-Addresses from the SSL-VPN IP Range
  • ip-pool: Which IP-Pool is used to distribute IP-address when ip-mode option is "range". If you choose "user-group" the static IP Address from the RADIUS Server has to be in that range.

Verify

diag debug enable
diag debug application fnbamd -1 <--- Responsible for authentication
diag debug application sslvpn -1
...
[1391] fnbamd_radius_auth_send-Compose RADIUS request
[1351] fnbamd_rad_dns_cb-172.16.51.12->172.16.51.12
[1329] __fnbamd_rad_send-Sent radius req to server 'radius_HQ-FAC': fd=14, IP=172.16.51.12(172.16.51.12:1812) code=1 id=11 len=119 user="john" using PAP
...
[1797] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val Users_VPN
1414] fnbamd_auth_handle_radius_result-->Result for radius svr 'radius_HQ-FAC' 172.16.51.12(1) is 0
[1338] fnbamd_radius_group_match-Passed group matching
[333] fnbamd_framed_ip_add_ip-Added IP 10.212.134.207
...
[1277:Internet:34a]Auth successful for user john in group FAC-VPN
[1277:Internet:34a]user john got framed IP 10.212.134.207
 

Troubleshooting

Framed IP-Address not assigned to Client

Description

The defined static IP address is defined as "Framed-IP-Address" and FortiGate ignore it.
diag debug enable
diag debug application fnbamd -1
diag debug application sslvpn -1

...
[320] extract_success_vsas-FORTINET attr, type 1, val Users_VPN
[1414] fnbamd_auth_handle_radius_result-->Result for radius svr 'radius_HQ-FAC' 172.16.51.12(1) is 0
[1338] fnbamd_radius_group_match-Passed group matching
[333] fnbamd_framed_ip_add_ip-Added IP 10.212.134.207
...
[1277:Internet:352]Provided framed IP 10.212.134.207 is ignored.
...
[384] fnbamd_framed_ip_delete_ip-Deleted IP 10.212.134.207 for vfid 2
[2451] handle_req-Rcvd 7 req
[308] fnbamd_acct_start_START-Error getting radius server
...
[1277:Internet:355]tun dev (ssl.Internet) opened (40)
[1277:Internet:355]Will add auth policy for policy 2 for user john:FAC-VPN
[1277:Internet:355]Add auth logon for user john:FAC-VPN, matched group number 1
[1277:Internet:355]tunnel2_enter:1108 Framed IP is set to 10.212.134.200
[1277:Internet:355]fsv_associate_fd_to_ipaddr:1664 associate 10.212.134.200 to tun (ssl.Internet:40)

Solution

In that case often the Portal configuration is wrong. Double check the config vpn ssl web portal attribute ip-mode is set to user-group.




Comments

Post a Comment

Popular posts from this blog

FortiGate BGP dual-home with multiple ISP

Image
Problem Design with two ISPs and an RIPE Routed public IP Ranges. How to solve, that the public Range is available over both ISPs but without asymetric Routing and ISP-1 is the primary. Solution FortiGate Basic BGP configuration First start with basic BGP configuration config router bgp set as 65301 set router-id 100.200.100.254 set keepalive-timer 45 set holdtime-timer 120 set bestpath-med-missing-as-worst enable set graceful-restart enable     config redistribution connected          set status enable     end end bestpath-med-missing-as-worst :  The route without MED is automaticly the worst destination. gracefule-restart :  Advertise reboots to neighbors so they don't see the router as offline, wait before declaring them offline, and how long to wait when they reboot before advertising updates. These commands apply to neighbors and are part of the BGP capabilities. This prevents unneeded routing updates. holdtime-timer: How long the router will wait for
Read more

FortiGate as DNS Server or DNS Proxy

Image
 Problem Especially in small networks, sometimes you do not have a dedicated DNS server available. For this purpose, the FortiGate can be used as DNS server. For larger installations, all DNS queries should be proxied for security reasons. The FortiGate can also help here. Solution A detail documentation about the DNS Server functionality is in the offical documentation:  Fortinet Doc In this post I would like to clearly present the most important functions and configuration types of the DNS function. DNS-Server In the following example the FortiGate act as DNS Server: Enable DNS Feature Enable the DNS Feature in the GUI: CLI command: config system settings     set gui-dns-database enable end Configure DNS Server Enable the DNS Feature on the interface on which DNS requests should be answered: Select Network Select DNS Servers Select the listen Interface Select the DNS Server Mode (see delecration below) The same on the CLI: config system dns-server     edit DMZ2          set mode recu
Read more

FortiGate and Windows L2TP / IPsec with Split Tunneling

 Problem In some scenarios, the user does not want to install an additional VPN client on their device, but use the already built-in one from Windows. Thus, the FortiGate SSL VPN solution cannot be used. So that only systems behind the FortiGate unit are accessible, a split tunnel connection must be established. Solution The L2TP over IPsec VPN solution is used for this purpose. First an IPsec connection is established between the client and FortiGate and then an L2TP connection is established. This is authenticated via a PSK and L2TP via username and password. The following steps are necessary to implement this solution. IPsec Connection config vpn ipsec phase1-interface edit "Dialup" set type dynamic set interface " wan " set peertype any set net-device disable set proposal aes256-md5 3des-sha1 aes192-sha1 set dhgrp 2 set wizard-type dialup-windows set psksecret **** next end config vpn ipsec pha
Read more